age-plugin-yubikey support is currently broken for Home-Manager #146

Open
NovaViper opened this issue Jun 10, 2024 · 2 comments

Comments

@NovaViper

Hey, I've been trying to set up both agenix and ragenix, but I keep on getting this mysterious "cannot start plugin" error.

activating the configuration...
[agenix] creating new generation in /run/agenix.d/10
[agenix] decrypting secrets...
decrypting '/nix/store/k8mya20ny4l3hkgg969bb886046m4d8i-pass.age' to '/run/agenix.d/10/pass'...
age: error: yubikey plugin: couldn't start plugin: age-plugin-yubikey resolves to executable in current directory (./age-plugin-yubikey)
age: report unexpected or unhelpful errors at https://filippo.io/age/report
chmod: cannot access '/run/agenix.d/10/pass.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/10/pass.tmp': No such file or directory
[agenix] symlinking new secrets to /run/agenix (generation 10)...
[agenix] removing old secrets (generation 9)...
Activation script snippet 'agenixInstall' failed (1)
warning: password file ‘/run/agenix/pass’ does not exist
[agenix] chowning...
chown: cannot access '/run/agenix.d/10/pass': No such file or directory
Activation script snippet 'agenixChown' failed (1)

I've been seriously stumped by this, as it looks like I'm doing everything correctly but I just can't figure out why it keeps throwing this error at me.

age.nix under /host/common/credentials

{
  config,
  lib,
  pkgs,
  inputs,
  ...
}: let
  agePath = path: ../../../secrets/${path};
in {
  imports = [inputs.ragenix.nixosModules.age];
  environment.systemPackages = with pkgs; [age-plugin-yubikey ragenix];

  age = {
    secrets.pass.file = agePath "novaviper.test.age";

    identityPaths = [
      (agePath "identities/age-yubikey-identity-Secret-usba.txt")
    ];
  };
}

secrets.nix

let
  yubikey1 = "age1yubikeySECRET";
  keys = [yubikey1];
in {
  "novaviper.test.age".publicKeys = keys;
}

my user profile

{
  config,
  lib,
  pkgs,
  ...
}: let
  ifTheyExist = groups:
    builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
  # Special Variables
  variables.username = "novaviper";

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.novaviper = {
    isNormalUser = true;
    shell = pkgs.zsh;
    description = "novaviper";
    extraGroups =
      ["networkmanager" "wheel"]
      ++ ifTheyExist [
        "video"
        "audio"
        "libvirtd"
        "scanner"
        "i2c"
        "git"
        "gamemode"
      ];
    hashedPasswordFile = config.age.secrets.pass.path;
    packages = with pkgs; [home-manager];
  };

  # Import Home-Manager config for host
  home-manager.users.novaviper =
    import ../../../../home/novaviper/${config.networking.hostName}.nix;

  time.hardwareClockInLocalTime = lib.mkDefault true;
  # Setup automatic timezone detection
  services.automatic-timezoned.enable = true;
  location.provider = "geoclue2";

  # Set your time zone.
  #time.timeZone = lib.mkDefault "America/Chicago";
}

overlay.nix containing override for ragenix and ragenix overlay

# This file defines overlays
{
  outputs,
  inputs,
  ...
}: let
  addPatches = pkg: patches:
    pkg.overrideAttrs
    (oldAttrs: {patches = (oldAttrs.patches or []) ++ patches;});
in {
  # Third party overlays
  nur = inputs.nur.overlay;
  ragenix = inputs.ragenix.overlays.default;

  # For every flake input, aliases 'pkgs.inputs.${flake}' to
  # 'inputs.${flake}.packages.${pkgs.system}' or
  # 'inputs.${flake}.legacyPackages.${pkgs.system}'
  flake-inputs = final: _: {
    inputs = builtins.mapAttrs (_: flake: let
      legacyPackages = (flake.legacyPackages or {}).${final.system} or {};
      packages = (flake.packages or {}).${final.system} or {};
    in
      if legacyPackages != {}
      then legacyPackages
      else packages)
    inputs;
  };

  # Adds pkgs.stable == inputs.nixpkgs-stable.legacyPackages.${pkgs.system}
  stable = final: _: {
    stable = inputs.nixpkgs-stable.legacyPackages.${final.system};
  };

  # This one brings our custom packages from the 'pkgs' directory
  additions = final: prev:
    import ../pkgs {pkgs = final;}
    // {
      #formats = (prev.formats or {}) // import ../pkgs/formats {pkgs = final;};
      tmuxPlugins = (prev.tmuxPlugins or {}) // import ../pkgs/tmux-plugins {pkgs = final;};
    };

  # This one contains whatever you want to overlay
  # You can change versions, add patches, set compilation flags, anything really.
  # https://nixos.wiki/wiki/Overlays
  modifications = final: prev: {
    # example = prev.example.overrideAttrs (oldAttrs: rec {
    # ...
    # });
.... removed stuff for simplicity
    ragenix = prev.ragenix.override {plugins = [final.age-plugin-yubikey];};
  };
}

file structure

├──  hosts/
│  ├──  common/
│  │  ├──  boot/
│  │  │  ├──  efi.nix
│  │  │  └──  quietboot.nix*
│  │  ├──  credentials/
│  │  │  ├──  age.nix
│  │  │  ├──  gpg.nix*
│  │  │  ├──  hardware-key.nix
│  │  │  └──  ssh.nix
│  │  ├──  graphical/
│  │  │  ├──  common/
│  │  │  │  ├──  audio.nix
│  │  │  │  ├──  default.nix
│  │  │  │  └──  xdg.nix
│  │  │  ├──  displayManager/
│  │  │  │  ├──  wayland.nix
│  │  │  │  └──  x11.nix*
│  │  │  ├──  kde/
│  │  │  │  ├──  common.nix
│  │  │  │  ├──  plasma5.nix
│  │  │  │  └──  plasma6.nix
│  │  │  └──  xfce.nix*
│  │  ├──  hardware/
│  │  │  ├──  bluetooth.nix
│  │  │  ├──  howdy.nix*
│  │  │  ├──  qmk.nix
│  │  │  └──  rgb.nix*
│  │  ├──  programs/
│  │  │  ├──  appimage.nix
│  │  │  ├──  gaming.nix*
│  │  │  ├──  libvirt.nix*
│  │  │  ├──  localsend.nix
│  │  │  ├──  stylix.nix
│  │  │  ├──  sunshine.nix
│  │  │  └──  waydroid.nix
│  │  ├──  services/
│  │  │  ├──  flatpak.nix*
│  │  │  ├──  printing.nix
│  │  │  ├──  sunshine.nix
│  │  │  ├──  syncthing.nix*
│  │  │  └──  tailscale.nix*
│  │  ├──  users/
│  │  │  ├──  nixos/
│  │  │  │  └──  default.nix
│  │  │  └──  novaviper/
│  │  │     ├──  default.nix*
│  │  │     └──  theme.nix
│  │  ├──  base.nix*
│  │  ├──  filesystem.nix*
│  │  ├──  fonts.nix
│  │  ├──  locale.nix*
│  │  ├──  networking.nix
│  │  ├──  nix.nix*
│  │  ├──  packages.nix
│  │  ├──  security.nix*
│  │  ├──  shell.nix*
│  ├──  ryzennova/
│  │  ├──  hardware/
│  │  │  ├──  default.nix
│  │  │  ├──  disks.nix
│  │  │  └──  hardware-configuration.nix
│  │  └──  default.nix
│  └──  yoganova/
│     ├──  hardware/
│     │  ├──  default.nix
│     │  ├──  disks.nix*
│     │  └──  hardware-configuration.nix*
│     └──  default.nix*
├──  overlays/
│  └──  default.nix*
├──  secrets/
│  ├──  identities/
│  │  └──  age-yubikey-identity-*****-usba.txt
│  └── 󰦝 novaviper.test.age
├──  flake.lock
├──  flake.nix
├──  README.org
├──  secrets.nix
├──  shell.nix
@NovaViper
Author

I figured out how to fix it! Apparently the age plugin isn't on the PATH for the age binary. I had to add this line to make it work properly: https://github.com/danielphan2003/flk/blob/198bf56b8dde0c075f89f58952bedfa85e0b3cf7/cells/nixos/nixosProfiles/programs/yubikey.nix#L10

into age.ageBin. There probably needs to be an internal override in ragenix to force the primary age binary to correctly reference the plugin.
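The workaround described above, written out as an added example (not code from the issue, the linked file, or the ragenix project): wrap the age binary so that age-plugin-yubikey is on its PATH, then point age.ageBin at the wrapper. It assumes the agenix/ragenix module's age.ageBin option accepts any path to an age-compatible executable, and that pkgs.age is the binary that produced the "couldn't start plugin" error.

```nix
# Added example: age resolves plugins with a PATH lookup, so the activation
# script's PATH must contain age-plugin-yubikey. The wrapper below prepends
# the plugin's bin directory and execs the real age binary.
{ pkgs, lib, ... }:
let
  # Assumption: pkgs.age is the binary agenix/ragenix invokes by default.
  ageWithYubikey = pkgs.writeShellScriptBin "age" ''
    # Put the plugin first so it is never resolved from the working directory.
    export PATH="${lib.makeBinPath [ pkgs.age-plugin-yubikey ]}:$PATH"
    exec ${pkgs.age}/bin/age "$@"
  '';
in {
  # Hypothetical placement: alongside age.secrets / age.identityPaths above.
  age.ageBin = "${ageWithYubikey}/bin/age";
}
```

Note that this only fixes plugin discovery; the PIN prompt failure in the Home-Manager log below is a separate problem, since the user service has no terminal for the plugin to ask on.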

@NovaViper
Author

However, I just noticed that the Yubikey support is broken for the Home-Manager module, specifically for age keys that require a PIN:

Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688431]: [agenix] creating new generation in /run/user/1000/agenix.d/1
Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688431]: [agenix] decrypting secrets...
Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688431]: decrypting '/nix/store/ypj2j4fwakbm5fcpmd0ahmh4lbsffizd-secrets/novaviper/borg.age' to '/run/user/1000/agenix.d/1/borg'...
Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688443]: age: warning: could not read value for age-plugin-yubikey: standard input is not a terminal, and /dev/tty is not available: open /dev/tty: no such device or address
Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688443]: age: error: yubikey plugin: A PIN is required for YubiKey with serial 18215780
Jun 12 21:08:16 ryzennova agenix-home-manager-mount-secrets[1688443]: age: report unexpected or unhelpful errors at https://filippo.io/age/report
Jun 12 21:08:16 ryzennova systemd[2947]: agenix.service: Main process exited, code=exited, status=1/FAILURE

NovaViper changed the title from "age-plugin-yubikey support is currently broken on activation" to "age-plugin-yubikey support is currently broken for Home-Manager" on Jun 17, 2024.