
Cannot read ssh key '/etc/ssh/ssh_host_rsa_key'?

Open sheeeng opened this issue 2 months ago • 3 comments

I have ED25519 host key only.

$ tree -fi /etc/ssh | grep ssh_host_
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub

I'm using the following configuration.

    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      keyFile = "/etc/sops/age/keys.txt";
    };

But I get the line Cannot read ssh key '/etc/ssh/ssh_host_rsa_key' during darwin-rebuild switch.

Setting up secrets...
Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

How can I suppress or workaround it?

sheeeng avatar Nov 12 '25 21:11 sheeeng

off the top of my head -- it may be this

https://github.com/Mic92/sops-nix/blob/b80c966e70fa0615352c9596315678df1de75801/modules/nix-darwin/default.nix#L149-L153

if you inspected sshKeyPaths in the repl you'd see that you are adding /etc/ssh/ssh_host_ed25519_key to the existing list, not overwriting it.

so you want to use lib.mkDefault or lib.mkForce like:

sshKeyPaths = lib.mkForce [ "/etc/ssh/ssh_host_ed25519_key" ];

to overwrite the default with only that value instead of the nix default of merging items in lists.

sedlund avatar Nov 13 '25 15:11 sedlund
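As an added illustration of the merging behaviour sedlund describes (example code written for this page, not from sops-nix or from anyone in the thread), the toy module evaluation below defines a list option with a module-supplied rsa entry, then evaluates it once with a plain user assignment and once with lib.mkForce. The option name sshKeyPaths and the paths mirror the thread, but the module itself is hypothetical, and it assumes <nixpkgs> resolves through NIX_PATH.

```nix
# Added example, not part of sops-nix: a toy module-system evaluation showing why
# a plain list assignment is merged with a module's own definition and how
# lib.mkForce replaces it. Assumes <nixpkgs> resolves via NIX_PATH.
# Evaluate with:  nix-instantiate --eval --strict ./list-merge-demo.nix
let
  lib = (import <nixpkgs> { }).lib;

  # Stand-in for a list-typed option such as sshKeyPaths.
  optionModule = {
    options.sshKeyPaths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Host keys to import (toy option for this demo).";
    };
  };

  # Stand-in for the module-supplied value (like the rsa entry from the
  # darwinSSHKeys default quoted in the thread).
  moduleDefault = {
    sshKeyPaths = [ "/etc/ssh/ssh_host_rsa_key" ];
  };

  # Evaluate the option with one extra user module and return the final list.
  evalWith = userModule:
    (lib.evalModules {
      modules = [ optionModule moduleDefault userModule ];
    }).config.sshKeyPaths;
in
{
  # A plain assignment: listOf concatenates every definition, so both paths
  # survive and the rsa entry is still handed to whatever consumes the option.
  merged = evalWith {
    sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  };

  # mkForce lowers the priority number to 50, below the module's plain
  # definition (100) and the option default (1500), so only this value remains.
  forced = evalWith {
    sshKeyPaths = lib.mkForce [ "/etc/ssh/ssh_host_ed25519_key" ];
  };
}
```

Evaluating the file prints both attributes: merged contains the rsa and the ed25519 path, forced contains only the ed25519 path. The same mechanism is why the error in the original report survives a plain assignment: the rsa path is a module definition of equal priority, not an option default, so only an override with a lower priority number (mkForce) removes it.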

> off the top of my head -- it may be this
>
> sops-nix/modules/nix-darwin/default.nix, lines 149 to 153 in b80c966:
>
>     darwinSSHKeys = [ { type = "rsa"; path = "/etc/ssh/ssh_host_rsa_key"; }
>
> if you inspected sshKeyPaths in the repl you'd see that you are adding /etc/ssh/ssh_host_ed25519_key to the existing list, not overwriting it.
>
> so you want to use lib.mkDefault or lib.mkForce like:
>
>     sshKeyPaths = lib.mkForce [ "/etc/ssh/ssh_host_ed25519_key" ];
>
> to overwrite the default with only that value instead of the nix default of merging items in lists.

Thanks, @sedlund! I had been debugging up to the same code block too.

I tried the suggested workaround, but to no avail.

-      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      sshKeyPaths = lib.mkForce [ "/etc/ssh/ssh_host_ed25519_key" ];
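Review bot: the forced value here only touches the sshKeyPaths list under the age block shown in the original configuration, yet the path that still fails, /etc/ssh/ssh_host_rsa_key, is exactly the rsa entry in the quoted darwinSSHKeys default, so that default is evidently reaching sops-install-secrets through an option other than the one this line forces. Before trying further priorities, follow the repl tip above and evaluate which option still contains the rsa path, then apply lib.mkForce to that option; note that mkForce also discards any other path the module would add to the list it is applied to, so it belongs only on the option that actually carries the rsa entry.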

Still getting the Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory message.

sheeeng avatar Nov 14 '25 09:11 sheeeng

+1

phonkd avatar Nov 19 '25 19:11 phonkd