Agenix Secret Path isn't correctly setting NixOS module password.
Currently running nixos-unstable and I'm having some issues with agenix that I can't seem to wrap my head around. I have a nixos config below that builds fine but when trying to login to the user with the password set in watashi_pass.age it doesn't seem to work. I am able to see the secret when I try agenix -e watashi_pass while in the secrets directory and I can see the output in the plaintext path. I don't know if it matters but I am using flakes to install agenix and I updated my flake inputs today.
```nix
age = {
  secrets = {
    test = {
      file = ./secrets/secret1.age;
      path = "/home/watashi/test.txt";
      owner = "watashi";
    };
    watashi_pass = {
      file = ./secrets/watashi_pass.age;
      owner = "watashi";
    };
  };
};
users = {
  mutableUsers = false;
  users.amade = {
    isNormalUser = true;
    passwordFile = config.age.secrets.watashi_pass.path;
  };
};
```
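Since `passwordFile` is read by NixOS as a single line holding a crypt(3)-style hash (the kind `mkpasswd -m sha-512` prints), not a plaintext password, a quick format check on the decrypted secret is a useful first diagnostic before suspecting agenix ordering. This is an added example, not code from this thread or from agenix; the function name and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity-check a file meant for users.users.<name>.passwordFile.
# NixOS expects exactly one line containing a crypt(3)-style hash suitable for
# `chpasswd -e`. Returns 0 if the shape is right, 1 otherwise (reason on stderr).
check_hashed_password_file() {
  f="$1"
  [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
  # Exactly one non-empty line; an empty file or extra lines will not set a password.
  n=$(grep -c . "$f")
  [ "$n" -eq 1 ] || { echo "expected 1 line, found $n: $f" >&2; return 1; }
  # Accept the common crypt prefixes: $6$ (sha512), $y$ (yescrypt), $2b$ (bcrypt).
  grep -qE '^\$(6|y|2b)\$' "$f" || { echo "not a crypt hash (plaintext?): $f" >&2; return 1; }
  return 0
}

# Constructed sample files standing in for /run/agenix/<secret> (not real secrets).
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/pwcheck.XXXXXX")
SAMPLE_HASHED="$SAMPLE_DIR/hashed"
SAMPLE_PLAIN="$SAMPLE_DIR/plain"
# Constructed string in sha512-crypt shape; it is not derived from any real password.
printf '%s\n' '$6$examplesalt$NOTaREALhashJUSTaPLACEHOLDERofTHErightSHAPExxxxxxxxxxxxxxxxxxxxxxxx' > "$SAMPLE_HASHED"
printf '%s\n' 'hunter2' > "$SAMPLE_PLAIN"

check_hashed_password_file "$SAMPLE_HASHED" && echo "hashed file: ok"
check_hashed_password_file "$SAMPLE_PLAIN" || echo "plaintext file: rejected as expected"
```

Run it against the real decrypted path with `check_hashed_password_file /run/agenix/watashi_pass` after sourcing the script; a rejection there points at the secret's contents rather than at decryption timing.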
I'm having the same issues as well! I suddenly found myself after rebooting my computer locked out of it
I actually do have the same issue: after a system rebuild I can see the secret decrypted at the correct location, but the password isn't set. Maybe this has something to do with the time at which agenix decrypts the secret?
I haven't checked this in a while but I think I found a work around. I might've moved to sops but I can't remember. Not at my PC atm but I'll check when I get back.
@JustScreaMy @NovaViper
So the way I ended up doing this was I encrypted a whole nix file as a secret.
And in the nix file, I set a hashedPassword.
nix-code.age (decrypted):

```nix
users.users.watashi = {
  hashedPassword = ""; # hash value omitted here
};
```

configuration.nix:

```nix
age.secrets = {
  nix-code = {
    file = ./nix-code.age; # encrypted nix-code (must be nix path type)
    owner = "watashi";
    mode = "600";
  };
};
imports =
  [
    /run/agenix/nix-code # decrypted nix code (see agenix ^)
  ];
```
This workaround allows me to encrypt nix code in general, which is pretty useful. The downside is that this prevents pure evaluation, because the rebuild is dependent on a path outside of the flake/repo.