I'm trying to provision a VM with nixos-anywhere. The root password is set with sops-nix, and the sops key is derived from /etc/ssh/ssh_host_ed25519_key as an age key. I know this setup works well because I already use this code on many machines.

To set up this new VM, I created a new /etc/ssh/ssh_host_ed25519_key for the VM and added the corresponding age key to my .sops.yaml as usual. Then I launched nixos-anywhere with this command:

```
nix run github:numtide/nixos-anywhere -- --flake .#nixos-testvm --extra-files /tmp/tmp.Ese7hBI2bl root@vm
```

The extra files:

Then, when first activating the new VM conf, setupSecretsForUsers fails because it tries to read /etc/ssh/ssh_host_rsa_key which doesn't exist.

```
### Copying extra files ###
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
sending incremental file list
./
etc/
etc/ssh/
etc/ssh/ssh_host_ed25519_key
etc/ssh/ssh_host_ed25519_key.pub

sent 763 bytes  received 69 bytes  554.67 bytes/sec
total size is 507  speedup is 0.61
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
### Installing NixOS ###
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
installing the boot loader...
setting up secrets for users...
/nix/store/909bd2m8bxl57s2xiqyrxq08yasnbk1v-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
Activation script snippet 'setupSecretsForUsers' failed (1)
warning: password file ‘/run/secrets-for-users/password-paulg’ does not exist
warning: password file ‘/run/secrets-for-users/password-root’ does not exist
setting up /etc...
setting up secrets...
/nix/store/909bd2m8bxl57s2xiqyrxq08yasnbk1v-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
Activation script snippet 'setupSecrets' failed (1)
```

/etc/ssh/ssh_host_rsa_key doesn't exist because the VM hasn't booted yet and so sshd didn't create it. I don't see why it prevents sops from decrypting the secrets with the age key derived from /etc/ssh/ssh_host_ed25519_key. I am not sure I have the correct understanding of the situation though, because I'm basically following this guide https://github.com/nix-community/nixos-anywhere/blob/main/docs/howtos/secrets.md and so I suppose it should be working in this use case.

Worked for me as well. Also found out that disabling the openssh service allowed user passwords to be installed correctly. Not interesting in a lot of cases, but maybe relevant for the problem.
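A NixOS module shape that keeps secrets decryption tied to the pre-seeded ed25519 host key only, added here as an illustration and not taken from the issue or from the sops-nix project. It assumes that sops-nix's `sops.gnupg.sshKeyPaths` defaults to openssh's RSA host keys whenever `services.openssh.enable` is true, which is consistent with the "Error setting up gpg keyring" message above and with the comment that disabling openssh lets the passwords install; the secret and user names are placeholders.

```nix
{ config, ... }:
{
  services.openssh.enable = true;

  # Constructed placeholder: the encrypted file that holds the password hashes.
  sops.defaultSopsFile = ./secrets.yaml;

  # The age identity is derived from the ed25519 host key that
  # nixos-anywhere copies in via --extra-files before the first boot,
  # so it exists at activation time.
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Assumption: without this, the module also tries to import the RSA
  # host key into a gpg keyring, and /etc/ssh/ssh_host_rsa_key is only
  # generated by sshd on first boot. An empty list skips that import so
  # activation relies solely on the age identity above.
  sops.gnupg.sshKeyPaths = [ ];

  # Secrets consumed by the user-setup activation snippet must be marked
  # neededForUsers so they are placed under /run/secrets-for-users.
  sops.secrets."password-root".neededForUsers = true;

  users.users.root.hashedPasswordFile =
    config.sops.secrets."password-root".path;
}
```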