SOPS and fresh installation #18

Open
archer-65 opened this issue Jun 16, 2023 · 12 comments

Comments

@archer-65

Hello! I really like your repo structure, I'm constantly visiting it.

I decided to try sops-nix to manage sensitive stuff, and I'm curious: how do you handle the first installation? Keys need to be deployed to allow decryption at activation time.

@anthr76

anthr76 commented Jul 8, 2023

Hi @archer-65 I'm +1 to the question. Did you ever find an answer?

@archer-65
Author

archer-65 commented Jul 8, 2023

> Hi @archer-65 I'm +1 to the question. Did you ever find an answer?

I think that generating keys before installation and updating the desired secrets' keys through `sops updatekeys` is the way to go.

@lutzgo

lutzgo commented Jul 26, 2023

I am struggling with the same problem. I have a

`.sops.yaml`:

```yaml
keys:
  # Users
  - &users:
    - &user gpg-fingerprint
  # Hosts (age recipients derived from each host's ssh_host_ed25519_key.pub with ssh-to-age)
  - &hosts:
    - &host1 age-key1
    - &host2 age-key2

creation_rules:
  - path_regex: hosts/common/secrets.ya?ml$
    # a single key group: any one of the listed keys (either host key or the user's PGP key)
    # is enough to decrypt; a second group would require a Shamir threshold instead
    key_groups:
    - age:
      - *host1
      - *host2
      pgp:
      - *user
```

With this I am able to generate/encrypt

`hosts/common/secrets.yaml`:

```yaml
# the key name must match the sops.secrets.<name> referenced from the NixOS module (user1-password below);
# a value consumed through passwordFile has to be a password hash (e.g. from `mkpasswd -m sha-512`), not cleartext
user1-password: plaintext-pw
```

In my user.nix file I refer to it with

```nix
{ pkgs, config, ... }:
{
  # ...
  users.mutableUsers = false;
  users.users.user1 = {
    isNormalUser = true;
    # ...
    # hashed password read at activation time (renamed to hashedPasswordFile in NixOS 23.11)
    passwordFile = config.sops.secrets.user1-password.path;
  };
  # ...
  sops.secrets.user1-password = {
    sopsFile = ../../secrets.yaml;   # relative to this file; must be a file the path_regex in .sops.yaml matches
    neededForUsers = true;           # decrypt early (into /run/secrets-for-users) before users are created
  };
  # ...
}
```

The gpg-fingerprint used to encrypt/decrypt derives from my PGP key stored on my YubiKey.
The age keys are generated from `/etc/ssh/ssh_host_ed25519_key.pub` with `nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'`.

To bootstrap a new machine I generate an ssh_host key pair and try to inject it during the installation. But here I fail. My attempt is to copy it over with nixos-anywhere:

```shell
# --disk-encryption-keys <remote> <local> copies <local> to <remote> in the *installer*
# environment (after kexec, before the install runs); it exists for LUKS/ZFS key files that
# disko reads while formatting, so files passed this way never reach the installed system.
nix run github:numtide/nixos-anywhere -- \
  -i ~/.ssh/<temporary-target-ssh-key> \
  --disk-encryption-keys /tmp/secret.key /tmp/secret.key \
  --disk-encryption-keys /etc/ssh/ssh_host_ed25519_key /tmp/ssh_host_ed25519_key \
  --disk-encryption-keys /etc/ssh/ssh_host_ed25519_key.pub /tmp/ssh_host_ed25519_key.pub \
  --disk-encryption-keys /etc/ssh/ssh_host_rsa_key /tmp/ssh_host_rsa_key \
  --disk-encryption-keys /etc/ssh/ssh_host_rsa_key.pub /tmp/ssh_host_rsa_key.pub \
  --no-reboot \
  root@<host1-ip-address> \
  --flake .#host1
```

The installation works fine and I can boot up my machine with encrypted (ephemeral?) ZFS. It even logs into the graphical environment. But I cannot `sudo -i` and the ssh_host keys are not on my machine.

I will be infinitely glad for any help.

For reference: Here is my scrap-repo.

@NovaViper

Is it necessary to have a key for each machine? I want to use one single key for each user I want to install with instead of having keys for each machine

@lutzgo

lutzgo commented Jul 29, 2023

@NovaViper I do not think that it is necessary to have a key for each machine, but I think it is good practice.

BTW: There is something wrong with my configuration. I added a hashed password to my secrets.yaml but on rebuild I got an error that needs further investigation (hints are much appreciated):

```
sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1x05l0zsnwly2f54jv4h5rudmknarfmw8wz3jd63vdqc0yyquuukshget77
/nix/store/8l1xy5671asbp6lpacw3hqyb6snsk79f-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/ikzqmazqagm6qd3lkwkdky2pi3mx6jix-secrets.yaml': Error getting data key: 0 successful groups required, got 0
```

Seemingly the age key is not able to decrypt my secrets.yaml although it is in the .sops.yaml.

@NovaViper

Ah... So I can't use age keys to decrypt the secrets.yaml? I originally was going with using my YubiKey's GPG keys since I already have a couple of services set up with it, but the main issue I've been having was getting the root-level sops to import my GPG key from my YubiKey. I have the YubiKey set up like a smartcard, so it works perfectly at user level, but as soon as I go into root level, it just completely breaks. gpg doesn't seem to recognize my device at all and I'm really unsure of how to fix it.

@mannp

mannp commented Nov 10, 2023

> @NovaViper I do not think that it is necessary to have a key for each machine, but I think it is good practice.
>
> BTW: There is something wrong with my configuration. I added a hashed password to my secrets.yaml but on rebuild I got an error that needs further investigation (hints are much appreciated):
>
> ```
> sops-install-secrets: Imported /persist/etc/ssh/ssh_host_ed25519_key as age key with fingerprint age1x05l0zsnwly2f54jv4h5rudmknarfmw8wz3jd63vdqc0yyquuukshget77
> /nix/store/8l1xy5671asbp6lpacw3hqyb6snsk79f-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/ikzqmazqagm6qd3lkwkdky2pi3mx6jix-secrets.yaml': Error getting data key: 0 successful groups required, got 0
> ```
>
> Seemingly the age key is not able to decrypt my secrets.yaml although it is in the .sops.yaml.

Hi there @lutzgo , did you find a solution at all?

Having the same issue, and can't seem to get past it at the moment.

@Tommixe

Tommixe commented Nov 11, 2023

@mannp I think the issue there is that you need to have on the remote host the same host key that you used to generate the age key and then encrypt the secrets.yaml file.
For the first installation I use nixos-anywhere, copying the SSH host private key using the `--extra-files` option:

```shell
# $temp is a directory laid out like the target's root, e.g. $temp/etc/ssh/ssh_host_ed25519_key (mode 0600)
nix run github:numtide/nixos-anywhere -- --extra-files "$temp" --flake .\#$host root@$toip
```

This method is described here:
https://github.com/nix-community/nixos-anywhere/blob/main/docs/howtos/secrets.md#example-decrypting-an-openssh-host-key-with-pass

I'm not using pass to store the host private key but instead I'm keeping them in Bitwarden Secrets Manager.
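
The staging step that the `--extra-files` invocation above depends on, as an added example that is not code from this repo, nixos-anywhere or sops-nix. It assumes the impermanence layout visible in lutzgo's log, where sops-nix reads `/persist/etc/ssh/ssh_host_ed25519_key` (configured through `sops.age.sshKeyPaths`); `host1`, `192.0.2.10` and the placeholder key contents are assumptions, not values from the thread:

```python
"""Stage a pre-generated SSH host key pair for `nixos-anywhere --extra-files`.

Added example, not code from this repo, nixos-anywhere or sops-nix.
Assumptions (not stated in the thread): the target keeps its host keys under
/persist/etc/ssh (impermanence) and sops-nix is pointed at them with
sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
`host1`, the 192.0.2.10 address and the placeholder key files are made up.
"""
import shutil
import stat
import tempfile
from pathlib import Path
from typing import List, Optional


def stage_host_keys(extra_files: Path, priv_key: Path, pub_key: Path,
                    ssh_dir: str = "persist/etc/ssh") -> Path:
    """Copy the key pair into the extra-files tree.  nixos-anywhere copies that
    tree onto the new system's / with the modes as staged, so the private key
    is forced to 0600 here: a world-readable host key lets every local user
    read it and decrypt every sops secret encrypted to it."""
    dest = extra_files / ssh_dir
    dest.mkdir(parents=True, exist_ok=True)
    dest.chmod(0o755)
    priv, pub = dest / "ssh_host_ed25519_key", dest / "ssh_host_ed25519_key.pub"
    shutil.copyfile(priv_key, priv)   # copyfile does not carry the source modes
    shutil.copyfile(pub_key, pub)
    priv.chmod(0o600)
    pub.chmod(0o644)
    return dest


def staged_mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def nixos_anywhere_argv(extra_files: Path, flake_attr: str, target: str,
                        identity: Optional[Path] = None) -> List[str]:
    """The invocation from the thread, returned as argv so it can be inspected;
    subprocess.run(argv, check=True) executes it.  --extra-files is the flag
    for files that must exist on the installed system, whereas
    --disk-encryption-keys only lands in the installer environment."""
    argv = ["nix", "run", "github:numtide/nixos-anywhere", "--",
            "--extra-files", str(extra_files), "--flake", f".#{flake_attr}"]
    if identity is not None:
        argv += ["-i", str(identity)]
    return argv + [f"root@{target}"]


def demo() -> dict:
    """Run on constructed placeholder files (not real keys) in a temp dir and
    report what was staged; the directory is removed afterwards so a staged
    private key never outlives the install."""
    work = Path(tempfile.mkdtemp(prefix="host-keys-"))
    try:
        src_priv, src_pub = work / "key", work / "key.pub"
        src_priv.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                            "CONSTRUCTED-PLACEHOLDER\n"
                            "-----END OPENSSH PRIVATE KEY-----\n")
        src_priv.chmod(0o644)          # deliberately too open; staging must fix it
        src_pub.write_text("ssh-ed25519 CONSTRUCTED-PLACEHOLDER root@host1\n")
        extra = work / "extra"
        dest = stage_host_keys(extra, src_priv, src_pub)
        return {
            "priv_mode": staged_mode(dest / "ssh_host_ed25519_key"),
            "pub_mode": staged_mode(dest / "ssh_host_ed25519_key.pub"),
            "dir_mode": staged_mode(dest),
            "rel_path": dest.relative_to(extra).as_posix(),
            "argv": nixos_anywhere_argv(extra, "host1", "192.0.2.10"),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

Generate the pair beforehand with `ssh-keygen -t ed25519 -N "" -f ./host1_ed25519`, derive the recipient from `host1_ed25519.pub` with ssh-to-age, add it to `.sops.yaml` and run `sops updatekeys` on the affected secret files before installing; that is archer-65's keys-before-installation approach with this staging as the transport. Delete the staging directory once the install has finished: the target should hold the only copy of the private key.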

@mannp

mannp commented Nov 11, 2023

Hi @Tommixe, thanks for your help. For the first installation on my Yoga laptop I cheated and bypassed the sops stuff as it failed, but after the initial install the SSH private keys are correctly added to /persist/etc/ssh/ssh_host_ed25519_key, but oddly they are not the correct keys :-( ??

I thought initially they were being taken from my host machine, but they are different again, so I am unclear where the SSH keys are coming from at the moment.....

I am assuming once I find that out and change them, all will be fine.

> I'm not using pass to store the host private key

Is this the ssh_host_ed25519_key being stored, or a password to unlock somehow.... it confused me a little?

I have sops working great on my k3s cluster, but on Nix not at all.

Edit: My rookie error, as I had created the ssh_host_ed25519_key for the user and not for root, so the keys did not match. Once I updated the host keys to match those created on the target, the secrets were decrypted :)

@Misterio77
Owner

Misterio77 commented Nov 12, 2023

Hey all,

I usually copy the booted ISO's generated SSH keys into /persist when installing, and use that public key to encrypt the secrets for the newly-added machine. It's not super convenient, but I'm not a fan of the alternative (copying private keys).

I haven't tried nixos-anywhere just yet, but I think it should be possible to somehow replicate that with it. Maybe a possible way to do it would be:

  • Install, activation will fail, but the system should(tm) boot
  • SSH Into it (hopefully your internet access does not rely on secrets to work lol)
  • Note down the newly-generated host public key
  • Re-encrypt your secrets
  • Deploy your config (via SSH)
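
The "note down the host public key, re-encrypt" steps above, lutzgo's ssh-to-age derivation and mannp's mismatched-key finding all reduce to one check: does the recipient derived from the key actually present on the target appear in `.sops.yaml`? The following is an added example, not code from this repo, sops-nix or ssh-to-age; it reimplements the ssh-to-age conversion (ed25519 y-coordinate to X25519 u-coordinate, then bech32 with the `age` prefix) in standard-library Python so the check can be scripted straight from `ssh-keyscan` output, without the private key ever leaving the machine. The script name and the `.sops.yaml` argument are assumptions:

```python
"""Derive the age recipient of an OpenSSH ed25519 host key (what ssh-to-age
does) and check whether .sops.yaml already lists it.

Added example, not code from this repo, sops-nix or ssh-to-age.
Python 3.8+, standard library only.  Handles the `ssh-ed25519 AAAA... comment`
line from ssh_host_ed25519_key.pub and the `host ssh-ed25519 AAAA...` line
printed by ssh-keyscan.
"""
import base64
import re

P = 2**255 - 19                     # Curve25519 field prime
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def parse_ssh_ed25519(line: str) -> bytes:
    """Return the raw 32-byte public key from a public-key line.  Only ed25519
    can be converted; an RSA host key has no age counterpart."""
    fields = line.split()
    if "ssh-ed25519" not in fields:
        raise ValueError("not an ssh-ed25519 public key")
    blob = base64.b64decode(fields[fields.index("ssh-ed25519") + 1])
    parts, off = [], 0
    while off < len(blob):          # SSH wire format: (uint32 length, bytes)*
        n = int.from_bytes(blob[off:off + 4], "big")
        parts.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(parts) != 2 or parts[0] != b"ssh-ed25519" or len(parts[1]) != 32:
        raise ValueError("malformed ssh-ed25519 key blob")
    return parts[1]


def encode_ssh_ed25519(pk: bytes, comment: str = "") -> str:
    """Inverse of parse_ssh_ed25519: build a public-key line from a raw key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + pk
    return ("ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment).rstrip()


def ed25519_pub_to_x25519(pk: bytes) -> bytes:
    """Map the Edwards y-coordinate to the Montgomery u-coordinate,
    u = (1 + y) / (1 - y) mod p, exactly as ssh-to-age does.  The top bit of
    the last byte carries the sign of x and is dropped."""
    y = int.from_bytes(pk, "little") & ((1 << 255) - 1)
    if y >= P or y == 1:            # y == 1 leaves (1 - y) without an inverse
        raise ValueError("invalid ed25519 public key")
    u = (1 + y) * pow((1 - y) % P, -1, P) % P
    return u.to_bytes(32, "little")


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _to_5bit(data: bytes):
    acc = bits = 0
    out = []
    for b in data:
        acc, bits = (acc << 8) | b, bits + 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:                        # zero-pad the final group
        out.append((acc << (5 - bits)) & 31)
    return out


def bech32_encode(hrp: str, payload: bytes) -> str:
    """BIP-173 bech32 (age recipients use plain bech32, not bech32m)."""
    data = _to_5bit(payload)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_verify(s: str) -> bool:
    hrp, _, data = s.lower().rpartition("1")
    if not hrp or any(c not in CHARSET for c in data):
        return False
    return _polymod(_hrp_expand(hrp) + [CHARSET.index(c) for c in data]) == 1


def ssh_to_age(line: str) -> str:
    """Public-key line -> 62-character age1... recipient."""
    return bech32_encode("age", ed25519_pub_to_x25519(parse_ssh_ed25519(line)))


def recipient_listed(sops_yaml: str, line: str) -> bool:
    """Is this host's recipient anywhere in .sops.yaml?  If not, sops-nix on
    that host fails with '0 successful groups required, got 0' until the
    recipient is added and `sops updatekeys` has re-encrypted the file."""
    return ssh_to_age(line) in re.findall(r"age1[02-9ac-hj-np-z]{58}", sops_yaml)


if __name__ == "__main__":
    import sys                      # ssh-keyscan -t ed25519 HOST | python3 age_check.py [.sops.yaml]
    key_line = sys.stdin.readline()
    print(ssh_to_age(key_line))
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("listed in", sys.argv[1] + ":", recipient_listed(fh.read(), key_line))
```

`ssh-keyscan -t ed25519 host1 | python3 age_check.py .sops.yaml` prints the recipient and whether `.sops.yaml` already contains it; a `False` here is exactly the state behind lutzgo's "0 successful groups" error. Add the recipient under `keys`, reference it in the relevant `creation_rules` entry, run `sops updatekeys` on each secret file, then deploy. Comparing the printed recipient with the `Imported ... as age key with fingerprint age1...` line that sops-install-secrets logs on the target is the quickest way to spot the key mix-up mannp ran into.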

@Misterio77
Owner

> but as soon as I go into root level, it just completely breaks. gpg doesn't seem to recognize my device at all and I'm really unsure of how to fix it

I think GPG will never work that nicely in root level. Using the SSH Host keys to age-encrypt is the way to go, while GPG is better for your "personal key to edit the secrets manually".

@NovaViper

@Misterio77 I'm actually switching to use the host SSH keys as well as my YubiKey-based GPG key. How do you handle the host's private SSH keys for cases where a machine needs to be reinstalled?

7 participants