Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

agenix doesn't work properly when using impermanence #219

Open
jankaifer opened this issue Oct 30, 2023 · 5 comments · May be fixed by #225
Open

agenix doesn't work properly when using impermanence #219

jankaifer opened this issue Oct 30, 2023 · 5 comments · May be fixed by #225

Comments

@jankaifer
Copy link

I have the ssh key on in my home directory and it is mounted by impermanence on startup. Not sure what changes, but agenix started failing recently and it was caused by the fact that agenix started running before impermanence, which causeg agenix to not find the ssh key and fail to bootstrap the secrets.

I just solved it by not relying on impermanence mounts and specify directly the location of the ssk key on persistent drive like this.

Opening this issue mostly for others if someone faces a similar issue.
@nbraud
Copy link

nbraud commented Nov 15, 2023

@jankaifer Are you using age-home.nix and impermanence in some home-manager config, bind-mounting the whole .ssh directory?

I don't have direct experience with either, but the issue is agenix and impermanence both using systemd user services (in that configuration) and have no ordering constraints between them.

The possible solutions would either be breaking the dependency as you did, or constraining the order in which they can run; for instance, this ought to do the trick:

systemd.user.services.agenix.Unit.After = [
  "basic.target"  # Ensures “basic boot-up” runs prior to agenix, including impermanence's bind-mounts
];

nbraud added a commit to nbraud/agenix that referenced this issue Nov 15, 2023
@nbraud
age-home: Order agenix.service after basic.target
e5d4435 
Closes ryantm#219
@jankaifer
Copy link
Author

@nbraud thanks for the tip with systemd services, I didn't realize that.

I run with / mounted as tmpfs and mount everything persistent with impermanence.

@nbraud nbraud linked a pull request Nov 15, 2023 that will close this issue
Open
@nbraud
Copy link

nbraud commented Nov 15, 2023

I run with / mounted as tmpfs and mount everything persistent with impermanence.

I have a similar configuration but no impermanence: I used to have it imported until I realised it wasn't used, as I was doing everything with ZFS datasets anyways =^.^'=

FYI, when using agenix in the system config (as opposed to an hm one) the situation is different: it runs as an activationScript, whereas impermanence's NixOS module still uses services, so there's no easy way to order agenix after impermanence.
I just ran into a variant of that, as my laptop's SSH host key is held on a filesystem that is mounted by systemd, and isn't yet available when agenix runs.

@Infinidoge
Copy link

I ran into this issue a while back in my btrfs-backed impermanence setup. What I ended up doing was manually mounting /etc/ssh's subvolume in my NixOS filesystems block, then letting impermanence handle the rest from my /persist directory.

Relevant block in my configuration

@eyJhb
Copy link

eyJhb commented Aug 21, 2024

I'm surprised this isn't mentioned here, but it's possible to just specify the direct location for the SSH hostkeys, and not having impermanence "manage" it as such. This is a simple snippet that I'm currently using, which works quite nicely. Seems like the most elegant solution to the problem.

{ config, ... }:

let
  statePath = config.environment.persistence.root.persistentStoragePath + "/etc/ssh";
in {
  services.openssh.hostKeys = [
    { path = statePath + "/ssh_host_rsa_key"; type = "rsa"; bits = 4096; }
    { path = statePath + "/ssh_host_ed25519_key"; type = "ed25519"; }
  ];
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

age-home: Order agenix.service after basic.target nbraud/agenix
4 participants
@nbraud @jankaifer @Infinidoge @eyJhb