mic92 / sops-nix Goto Github PK

The owner I marked for a given secret is not applied to the symlink:

{
 sops.secrets."cachix.dhall" = {
      owner = "cole";
      path = "/home/cole/.config/cachix/cachix.dhall";
      format = "binary";
      sopsFile = ./cachix.dhall.sops;
    };
}

> ls -al ~/.config/cachix/cachix.dhall
lrwxrwxrwx 1 root root 25 Aug  7 01:40 /home/cole/.config/cachix/cachix.dhall -> /run/secrets/cachix.dhall

My current shellHook is

  shellHook = ''
    export NIX_PATH=nixpkgs=${src.nixpkgs}
    nix build -f deployments.nix one-runner -o deploy-one-runner
    nix build -f deployments.nix canary-runner -o deploy-canary-runner
  '';

which is quite useful. I did not understand at first why the SOPS_PGP_FP env var was not automatically set. May I suggest that we concatenate the current shellHook with the pgpHook? I'll try to write a PR for this.

As discussed on IRC, it would be nice to have the permissions on /run/secrets be 0751 instead of 0750. This would avoid the need to add users or services to the keys group.

The ssh-to-pgp program and sops-pgp-hook nix-shell hook are essential to follow the documented Usage example. Neither is automatically accessible from importing the NixOS module under modules/sops. For example, #29 and #43 are both related to the accessibility of ssh-to-pgp.

Under the "Create a sops file" section, the example shell.nix uses <sops-nix>, which implies that sops-nix (the expression defined in this repo's default.nix) is in the Nix search path. Simply importing the NixOS module, which is the only documented installation step, leaves users like myself with an error that sops-nix was not found in the Nix search path.

What is the recommended approach to make these utilities accessible on the machine used for setup?

For reference, here are the relevant parts of my config:

{ config, pkgs, ... }:
let
  rev = "b0d764fccdd35588ebda2907911099198f73c89a";
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/${rev}.tar.gz";
    sha256 = "0ny2pr3qjmw9jdbr0n2sy3w76f0pxfpjc8qr7x9zmwzlwck5xpc1";
  };
in
{
  imports =
    [
      ./configuration.nix (
      ./hardware-configuration.nix
      "${sops-nix}/modules/sops"
    ];
}

It would be nice to have ssh-to-gpg exposed easily from shell.nix.

But then again, maybe the goal is to delete it once age is merged into sops and you or someone else adds sshpubkey support to sops?

I might be fundamentally misunderstanding how to use this tool so please bear with. I have worked through the examples, I'm using a flake based setup and in my configuration.nix have set sops.secrets.mysecret = {}; and can see that at /run/secrets/mysecret exists with the correct value. Later in my configuration, I'm trying to read the contents of the secret file with builtins.readFile "${config.sops.secrets.mysecret.path}" but I get the error access to path /run/secrets/myexample is forbidden in restricted mode. I'm trying to read the file because I want to use it's contents in some string interpolation but maybe that's not the correct usage of sops-nix? I also tried neededForUsers with the same result. Is sops-nix limited to just passing the value of secret paths into path options/configs strings rather than decrypting exposing the secrets during build time?

If you attempt to do something like this:

{
  sops.secrets.root-password.sopsFile = ./root-password.yaml;
  users.users.root.passwordFile = config.sops.secrets.root-password.path;
}

Where root-password.yaml looks like this:

root-password: $6$rounds=65536$00000000000000$00000000000000000000000000000000000000000000000000000000000000000000000000000000000000 

You end up with no password on boot for the user, looking at /etc/shadow shows root:!:1::::::. If you force reactivation to occur manually after booting by running sudo /run/current-system/bin/switch-to-configuration switch then /etc/shadow is updated and contains the correct password hash.

My guess is this is due to some annoying precedence issue, is there anyway around it?

Sops recently got age support. Is it possible to use age with sops-nix?

SOPS_PGP_FP is not very flexible especially with multiple hosts.
The recommend solution is to use .sops.yaml which allows to specify different keys per sops file or directory.
That's I want to deprecate sops-pgp-hook with sops-import-gpg-hook, which only import keys and do not set SOPS_PGP_FP.

I know the point of this library is to keep secrets out of the nix store, but would it make sense to provide the option to embed the value directly in nix if you want?

type secret struct {
	Name            string     `json:"name"`
	Key             string     `json:"key"`
	Path            string     `json:"path"`
	Owner           string     `json:"owner"`
	Group           string     `json:"group"`
	SopsFile        string     `json:"sopsFile"`
	Format          FormatType `json:"format"`
	Mode            string     `json:"mode"`
	RestartServices []string   `json:"restartServices"`
	ReloadServices  []string   `json:"reloadServices"`
	value           []byte
	mode            os.FileMode
	owner           int
	group           int
}

it seems that the value is available as a byte array

My use case: I'd like to pass a sops encrypted .yaml configuration file to my app after decryption as is, instead of picking a single key from the file. So, sops-nix is a little too clever for my use case and it should focus only on decrypting the file, not parsing it.

In other words, I use this file ./secrets/my-config.yaml in my flake:

my-secret1: ENC[AES256_GCM,data:tkyQPQODC3g=,iv:yHliT2FJ74EtnLIeeQtGbOoqVZnF0q5HiXYMJxYx6HE=,tag:EW5LV4kG4lcENaN2HIFiow==,type:str]
my-secret2: ENC[AES256_GCM,data:tkyQPQODC3g=,iv:yHliT2FJ74EtnLIeeQtGbOoqVZnF0q5HiXYMJxYx6HE=,tag:EW5LV4kG4lcENaN2HIFiow==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
...

It should be mounted as /run/secrets/my-config.yaml:

my-secret1: hello
my-secret2: hello

Then I could pass the /run/secrets/my-config.yaml to my app to read any secrets from.

I could do this using a format=binary file, but then I have to remember to use format=binary everywhere, including when invoking sops. Alternatively, I could use a different file extension, but then I'd lose syntax highlight. Yet another alternative would be to use a literal multi line yaml string, but then again I'd lose highlight.

I wonder if this is already supported, because the README.md mentions home-assistant-secrets.yaml, which is similar to what I'm looking for? But I think that was defined as something like this:

home-assistant-secrets.yaml: |
    my-secret1: hello
    my-secret2: hello

(Notice how the renderer fails to highlight the yaml keys my-secret1 and my-secret2).

Does this make any sense to you?

I have a whole bunch of secrets stored in the /run/secrets/scripts directory. I want to put the directory /run/secrets/scripts into a non-root user's $PATH, but since that user doesn't have permission to read the directory, it doesn't work.

This can be worked around by manually symlinking to the secrets, but it would be great to have this as a normal feature.

I'm currently using a ssh key for my sops configuration and I'm wondering if it is possible to use a yubikey instead. Does anyone have a example configuration? Will it work? One thing I'm not sure is that whether the yubikey will be usable during boot.

Hello,
I’d like to know if there is a way to use a nix sops secret as a value of a nixos option ? Some module don’t have things like « passwordFile » options but only « password ». In these kind of cases I never know what to do.

Hey there. I'm trying to install sops-secrets. I'm following the niv install version (using master HEAD).

This is the error I'm getting:

error: anonymous function at /nix/store/a6xf442xypwmxcvg8glawp8qsjgyp617-82b54d490663b6d87b7b34b9cfc0985df8b49c7d.tar.gz/pkgs/development/go-modules/generic/default.nix:3:1 called without required argument 'modSha256', at /nix/store/rxa8b97sr75xfknlp670wg9kxkp9qz54-source/pkgs/sops-install-secrets/default.nix:2:1

this is what my nix/source.json file looks like:

{
    "niv": {
        "branch": "master",
        "description": "Easy dependency management for Nix projects",
        "homepage": "https://github.com/nmattia/niv",
        "owner": "nmattia",
        "repo":   ##"niv",
        "rev": "f2e2502412a661bc371c7390d86de278c4b9ef97",
        "sha256": "01z6dsc2dlm7nf3x35hcq6d3qhh75786c36am3y9x98a3xn1q4jm",
        "type": "tarball",
        "url": "https://github.com/nmattia/niv/archive/f2e2502412a661bc371c7390d86de278c4b9ef97.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
        "branch": "nixos-unstable",
        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
        "homepage": "https://github.com/NixOS/nixpkgs",
        "owner": "NixOS",
        "repo": "nixpkgs-channels",
        "rev": "82b54d490663b6d87b7b34b9cfc0985df8b49c7d",
        "sha256": "12gpsif48g5b4ys45x36g4vdf0srgal4c96351m7gd2jsgvdllyf",
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs-channels/archive/82b54d490663b6d87b7b34b9cfc0985df8b49c7d.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "sops-nix": {
        "branch": "master",
        "description": "Atomic secret provisioning for NixOS based on sops",
        "homepage": "",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "b67ae45dc7459e10f390b2c5d24822599b564974",
        "sha256": "02y1590s905zdhw68qqsls1ah6ysj1hyfhcqg0fanv0029lk4agz",
        "type": "tarball",
        "url": "https://github.com/Mic92/sops-nix/archive/b67ae45dc7459e10f390b2c5d24822599b564974.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    }
}

I'm using nixops and I've added the following to my configuration.nix

{ config, lib, pkgs, ... }:

{

  imports =
    [ # include the results of the hardware scan.
      ./hardware-configuration.nix
      "${(import ../../nix/sources.nix).sops-nix}/modules/sops"
    ];

I should probably note the nixops database has nixpkgs pinned as such:

## Updates the pinned nixpkgs in the nixops database
pin-nixpkgs:
	@nixops modify -d server1 deployment/server1.nix -I nixpkgs=https://github.com/nixos/nixpkgs/archive/`cat nix/sources.json | jq -r '.["nixpkgs"]["rev"]'`.tar.gz
	@nixops modify -d server2 deployment/server2.nix -I nixpkgs=https://github.com/nixos/nixpkgs/archive/`cat nix/sources.json | jq -r '.["nixpkgs"]["rev"]'`.tar.gz

I've never built golang with nix so I'm really not sure what the cause might be. Appreciate any guidance.

After setupSecrets, the directory /run/secrets.d/users disappears.

To test, I tried adding two ls command in setupSecrets.

diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index aecf795..e2649de 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -294,7 +294,9 @@ in {
 
       setupSecrets = mkIf (regularSecrets != {}) (stringAfter ([ "specialfs" "users" "groups" ] ++ optional cfg.age.generateKey "generate-age-key") ''
         [ -e /run/current-system ] || echo setting up secrets...
+        ls -al /run/secrets.d
         ${withEnvironment "${sops-install-secrets}/bin/sops-install-secrets ${manifest}"}
+        ls -al /run/secrets.d
       '' // lib.optionalAttrs (config.system ? dryActivationScript) {
         supportsDryActivation = true;
       });

Add found logs like this:

Nov 13 17:41:15 t460p stage-2-init: setting up secrets...
Nov 13 17:41:15 t460p stage-2-init: total 0
Nov 13 17:41:15 t460p stage-2-init: drwxr-x--x  3 root root  60 Nov 13 17:41 .
Nov 13 17:41:15 t460p stage-2-init: drwxr-xr-x 11 root root 240 Nov 13 17:41 ..
Nov 13 17:41:15 t460p stage-2-init: drwxr-x--x  3 root root   0 Nov 13 17:41 users
Nov 13 17:41:15 t460p stage-2-init: total 4
Nov 13 17:41:15 t460p stage-2-init: drwxr-x--x  3 root keys   0 Nov 13 17:41 .
Nov 13 17:41:15 t460p stage-2-init: drwxr-xr-x 11 root root 260 Nov 13 17:41 ..
Nov 13 17:41:15 t460p stage-2-init: drwxr-x--x  7 root keys   0 Nov 13 17:41 1
Nov 13 17:41:15 t460p stage-2-init: -rw-------  1 root root 128 Nov 13 17:41 age-keys.txt

After a manual configuration switch, the users directory will be created again and works fine.

Seems that this is caused by the mountSecretFs function? The function mounts /run/secrets.d when it is not a ramfs, ignoring existing files in this directory.

I messed um my .asc files and they couldn't be decrypted by sops which is silently ignored and you cannot edit your secrets file. It should throw an error or at least log such thing.

I'm trying to use sops-nix on a macOS machine, and it's running into problems running tests:

running tests
82ddc034d5ded2524f701114d96f6e894818c7a5
gpg: directory '/private/var/folders/08/j4g_jn953lngpvgmyg8dygk00000gn/T/nix-build-ssh-to-pgp-0.0.1.drv-0/.gnupg' created
gpg: keybox '/private/var/folders/08/j4g_jn953lngpvgmyg8dygk00000gn/T/nix-build-ssh-to-pgp-0.0.1.drv-0/.gnupg/pubring.kbx' created
pub   rsa3072 1970-01-01 [SCE]
      82DD C034 D5DE D252 4F70  1114 D96F 6E89 4818 C7A5
uid                      root (Imported from SSH) <root@localhost>

82ddc034d5ded2524f701114d96f6e894818c7a5
pub   rsa3072 1970-01-01 [SCE]
      82DD C034 D5DE D252 4F70  1114 D96F 6E89 4818 C7A5
uid                      root (Imported from SSH) <root@localhost>

82ddc034d5ded2524f701114d96f6e894818c7a5
gpg: can't connect to the agent: File name too long
sec#  rsa3072 1970-01-01 [SCE]
      82DD C034 D5DE D252 4F70  1114 D96F 6E89 4818 C7A5
uid                      root (Imported from SSH) <root@localhost>

main_test.go:44: unexpected error: exit status 2

--- FAIL: TestCli (6.49s)
FAIL
FAIL    github.com/Mic92/sops-nix/pkgs/ssh-to-pgp       6.588s
FAIL
builder for '/nix/store/zdqrb4z9zndm852zqvj472c4jc4l93y4-ssh-to-pgp-0.0.1.drv' failed with exit code 1
error: build of '/nix/store/zdqrb4z9zndm852zqvj472c4jc4l93y4-ssh-to-pgp-0.0.1.drv' failed

I suspect that's because the temporary folder is already a fairly long directory name, and adding a longer name to that makes gpg-agent unhappy to the extreme. There's a related issue on the debian BTS, where they suggest making a socket in a directory that's different from the "GNUPGHOME" one.

I did setup sops for two machines whose file's I can access and edit with sops machine1/secret.yml
Today I added to further machines, and for some peculiar reason if I run
sops laptop1/secret.yml or nix-shell -p sops --run "sops laptop1/secret.yml"
I keep getting config file not found and no keys provided through command line options

The machine's public keys have been exported and the proposed shell.nix is present.

Any ideas?

I just followed the tutorial and tried setting up wifi for my nixos install using nix-sops and it seems to work just fine when I make a nixos-rebuild switch.

However, when I reboot, for some reason, the /run/secrets directory isn't created. Doing another nixos-rebuild switch (without any changes at all), fixes it again until I reboot.

DanielFabian/.dotfiles@230b4ec

Any idea what I might be doing wrong? Or is it perhaps a bug that it's not setting up the secrets during the boot.

I created a directory: /var/lib/gnupg

drwxr-xr-x 4 root root 4096 Feb 11 16:42 gnupg

sudo GNUPGHOME=/var/lib/gnupg gpg --list-keys works

my config includes:

  sops.gnupg.home = "/var/lib/gnupg";
  sops.gnupg.sshKeyPaths = [];
  sops.defaultSopsFile = ../../secrets/example.yaml;
  sops.secrets.secret = {};

and yet when running nixos-rebuild switch it errors out:

Failed to decrypt '/nix/store/kyygj6xkax7qziizh8lhlh00s69jhgbf-example.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setupSecrets' failed (1)

Any ideas?

While testing things in a local repository, I discovered with direnv that enabling the strict_env option, which executes the hook with set -euo pipefail, would fail to evaluate the hook and exit.

I didn't have the variable below exposed so the script would exit with $VARIABLE_NAME: unbound variable

Changing the logic to "${VARIABLE_NAME-}" would prevent errors and only assign the empty string if the variable is undefined.

Thought I'd document this, I don't expect a fix or anything.

The generated file when using sops on a .env file is not a JSON file, but a valid environment file.
sops-install-secrets then fails reading the manifest "Cannot parse json of /nix/store/....: invalid character blah blah"

KEY_1=ENC[...]
KEY_2=ENC[...]
KEY_3=ENC[...]
sops_pgp__list_1__map_created_at=2021-02-19T23:31:12Z
sops_pgp__list_2__map_fp=public-key-id
sops_pgp__list_0__map_created_at=2021-02-19T23:31:12Z
sops_unencrypted_suffix=_unencrypted
sops_version=3.6.1
sops_mac=ENC[....]
sops_pgp__list_1__map_fp=public-key-id
sops_lastmodified=2021-02-20T00:17:45Z
sops_pgp__list_2__map_created_at=2021-02-19T23:31:12Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\n
\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_fp=public-key-id
sops_pgp__list_2__map_enc=-----BEGIN PGP MESSAGE-----\n\n
\n-----END PGP MESSAGE-----\n
sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\n
\n-----END PGP MESSAGE-----\n

The fix is simple for the user: recreate the file as a .txt file.

I recently helped a friend to debug why their sops hook was not working. It turned out they used sopsPGPKeyDirs = [ ./keys ] instead of sopsPGPKeyDirs = [ "./keys" ]. It would be nice if this would be a hard error instead of silently failing.

Currently, the readme suggests doing something like:

ssh youruser@server01 "sudo cat /etc/ssh/ssh_host_rsa_key" | ssh-to-pgp -o server01.asc

Which means reading the secret material from the server.

Is it possible to produce the same PGP public key from the SSH public key string, i.e. the string ssh-rsa [some base64] user@host?

This feels safer, and might be easier for users to understand (I was certainly confused by this process...)

I tried importing a gpg key that lives on my yubikey, which looks like this:

$ gpg --list-keys FC88E425C10ECF1A5E433FFA65601C50F5081157
pub   rsa4096/3A9D5EAC405E4511 2017-11-26 [SC]
      Key fingerprint = CB4B 55B7 8759 274A 5AA7  3C4E 3A9D 5EAC 405E 4511
uid                 [ultimate] Andreas Fuchs (backup) <[email protected]>
sub   rsa4096/1A84E17CABE4374E 2017-11-26 [A]
sub   rsa4096/65601C50F5081157 2017-11-26 [E]

and has the following raw fpr output:

$ gpg --fingerprint --with-colons FC88E425C10ECF1A5E433FFA65601C50F5081157
tru::1:1595424541:0:3:1:5
pub:u:4096:1:3A9D5EAC405E4511:1511662807:::u:::scESCA::::::23::0:
fpr:::::::::CB4B55B78759274A5AA73C4E3A9D5EAC405E4511:
uid:u::::1511662807::9311483F59DB5EBC15D55766FD7872E63E6EC3E2::Andreas Fuchs (backup) <[email protected]>::::::::::0:
sub:u:4096:1:1A84E17CABE4374E:1511662807::::::a::::::23:
fpr:::::::::972208FDF991C3B906F714691A84E17CABE4374E:
sub:u:4096:1:65601C50F5081157:1511662807::::::e::::::23:
fpr:::::::::FC88E425C10ECF1A5E433FFA65601C50F5081157:

As you can tell, it has multiple public subkeys, which all get their own fingerprint. The sops-pgp-hook seems to expect only one fingerprint (removed my other keys, so that it appears more clearly):

$ echo $SOPS_PGP_FP
CB4B55B78759274A5AA73C4E3A9D5EAC405E4511 972208FDF991C3B906F714691A84E17CABE4374E FC88E425C10ECF1A5E433FFA65601C50F5081157
$ sops secret.yaml
Error encrypting the data key with one or more master keys: [failed to encrypt new data key with master key "CB4B55B78759274A5AA73C4E3A9D5EAC405E4511\n972208FDF991C3B906F714691A84E17CABE4374E\nFC88E425C10ECF1A5E433FFA65601C50F5081157": could not encrypt data key with PGP key: golang.org/x/crypto/openpgp error: key with fingerprint CB4B55B78759274A5AA73C4E3A9D5EAC405E4511
972208FDF991C3B906F714691A84E17CABE4374E
FC88E425C10ECF1A5E433FFA65601C50F5081157 is not available in keyring and could not be retrieved from keyserver; GPG binary error: exit status 2]

I suspect the awk in https://github.com/Mic92/sops-nix/blob/master/pkgs/sops-pgp-hook/sops-pgp-hook.bash#L5 needs adjusting so that the output of awk is considered to maybe contain multiple fingerprints.

SOPS_PGP_FP does not allow to encrypt files with different keys.
For that reason it should be also removed from sops-pgp-hook.bash
and .sops.yaml mentioned in the readme instead.

Hello,

I'm using home-manager, flakes and sops and I've integrated sops into my configuration file like so:

{ nixosConfig, ...}:
{
  programs.awscli2 = {
    enable = true;
    config = nixosConfig.sops.secrets.awscli2-config.path;
    credentials = nixosConfig.sops.secrets.awscli2-credentials.path;
  };
}

however, this results in:

error: access to absolute path '/run/secrets/awscli2-config' is forbidden in pure eval mode (use '--impure' to override

This does not occur when using sops secrets outside of home-manager, in my case inside configuration.nix.

Is this unavoidable when using flakes or am I doing something wrong?

I am still progress on this, but for an ideal Azure setup I'm going to need to set AZURE_AUTH_MODE for the context that sops is executed in. For me, I'll only need to set that env var. Others may want to set AZURE_{TENANT_ID,CLIENT_ID,CLIENT_SECRET} for example.

Or maybe we should just document how to set arbitrary variables for sops's context?

(For the full story, I want to set AZURE_AUTH_MODE="msi" so that sops will use the short-lived authentication tokens provided by the VM-local web service to authenticate to Azure KeyVault instead of some other high-value cred that the user would need to manage.)

Scenario:

• I want to boot a SBC via netboot
• I want encrypted secrets at rest (and on the netboot server)
• There is a Yubikey plugged into the SBC with a configured OpenPGP app with certs/keys

So I'd like to have sops-nix (or something) auto-import the gpg key that corresponds to that computer (and corresponds to the key material on the yubikey).

When I do nixos-rebuild switch, I get the following error:

...
setting up secrets...
/nix/store/4s57247wv7h4p77kn4isi9idgzwhsb7w-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/swrk0ywakisy6wqys1ahh80zmymwb37x-secrets.yaml': Error getting data key: 0 successful groups required, got 0
Activation script snippet 'setup-secrets' failed (1)
reloading user units for yoctocell...
setting up tmpfiles
warning: error(s) occurred while switching to the new configuration

I have the following in my nixos config:

{
  sops.gnupgHome = "/home/yoctocell/.gnupg";

  sops.secrets.example-key = {
    owner = "yoctocell";
    group = "yoctocell";
    sopsFile = ./secrets/secrets.yaml;
  };
}

Where the contents of secrets/secrets.yaml is:

example-key: example-value
another-key: another-value

If I run sops secrets/secrets.yaml from the terminal, it decrypts the file and opens it in my $EDITOR. Is there something I am missing from the documentation?

I'm trying this out for the first time, deploying just a single secret to a single host with deploy-rs, but I'm getting the following error:

⭐ ❓ [activate] [DEBUG] Running activation script
updating GRUB 2 menu...
activating the configuration...
setting up /etc...
setting up secrets...
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key with fingerprint e2083f651825666614144c58e6d961dca7ddf0c4
Activation script snippet 'setup-secrets' failed (1)
/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/iv09rddx0hfs6bk6262vacwly3g28cw8-secrets.yaml': Error getting data key: 0 successful groups required, got 0
reloading user units for root...
reloading user units for dhess...
setting up tmpfiles
⭐ ⚠️ [activate] [WARN] De-activating due to error

The machine GPG key was imported from its SSH host RSA key as explained in the README. The other key I'm using to encrypt this particular secret is my own personal GPG key. I can edit (decrypt) and encrypt the secrets.yaml file on my local machine fine.

On the server, when I try to run the sops-install-secrets command on the manifest, I get the same error as above:

/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets /nix/store/mzs4sqzkawwp995jv8svf247rwzpz3iy-checked-manifest.json
sops-install-secrets: Imported /etc/ssh/ssh_host_rsa_key with fingerprint e2083f651825666614144c58e6d961dca7ddf0c4
/nix/store/n6b7y2hj7ymd11xnigkhpyysx3zk83jn-sops-install-secrets-0.0.1/bin/sops-install-secrets: Failed to decrypt '/nix/store/iv09rddx0hfs6bk6262vacwly3g28cw8-secrets.yaml': Error getting data key: 0 successful groups required, got 0

Here are the secrets.yaml file and the manifest:

https://gist.github.com/dhess/74ec4eaa364369420e4121fa8ecbdd92
https://gist.github.com/dhess/a792710fbc263f899f75b2b3879e3e71

I was playing around with sops to get the hang of it and unfortunately I keep getting an unmarshalling error whenever my yaml includes lists. Like in the default provided when running:

> nix-shell --run "sops blubb.yml"
<file_content>
hello: Welcome to SOPS! Edit this file as you please!
example_key: example_value
example_array:
- example_value1
- example_value2
example_number: 1234.5679
example_booleans:
- true
- false
</file_content>

Yields:

hostymchostface> /nix/store/5mr1s98rsxrxiywkhfrn8zir4isf0rqg-sops-install-secrets-0.0.1/bin/sops-install-secrets: Cannot parse yaml of '/nix/store/rcncfxywky46lx9d30ycr896rgmkhykf-bla.yml': yaml: unmarshal errors:
hostymchostface>   line 4: cannot unmarshal !!seq into string
…
hostymchostface>   line 8: cannot unmarshal !!seq into string

Hello,
I am trying to use sops-nix and after reading through the guide and the issues I still can't get it to work because I can't manage to install the needed utilities.
Similar to what is stated in issue #50 I suggest that the installation process for the needed utilities is not only documented but also very much simplified.
I suggest to create an overlay that can be added so that users can then just add ssh-to-pgp and sops-pgp-hook to the list of packages to be installed.
Unfortunately I don't know nix well enough yet, otherwise I would create a PR.

I was wondering if it was possible to design a workaround that allows to have age keys be passphrase protected at rest?
It seems that sops does not support this out of the box (see getsops/sops#933 or at least i could not find anything).

Maybe it would be possible to passphrase encrypt the age key on disk and then have a nix shell derivation as part of the flake that prompts the user for the passphrase and makes the key temporarily availble to sops in an unprotected fashion. Perhaps it would be possible to do this by using sops own exec-env or exec-file?

Rather than deploying this to an already running NixOS system, I was hoping to be able to build this into a pre-baked image that I could then deploy and boot.

Unfortunately, this doesn't seem to work, since this runs right at the beginning of stage2. At this point, SSH has never run, so there's no host key, the network is not even available to be able to reach Azure KeyVault, etc.

What do you think of having another version of this module that accepts similar config and instead creates a systemd service that can then be sequenced as part of the boot?

99] stage-1-init: resize2fs 1.45.5 (07-Jan-2020)
[  232.432835] stage-1-init: Resizing the filesystem on /dev/disk/by-label/nixos to 134152187 (4k) blocks.
[  232.432994] stage-1-init: The filesystem on /dev/disk/by-label/nixos is now 134152187 (4k) blocks long.
[  232.433343] stage-1-init: mounting /dev/disk/by-label/nixos on /...
[  232.491454] EXT4-fs (sda2): mounted filesystem with ordered data mode. Opts: (null)
[  233.555253] EXT4-fs (sda2): re-mounted. Opts: (null)
[  233.555685] booting system configuration /nix/store/jy2c5crwl63miv0k106fffldb90sccpv-nixos-system-unnamed-20.09.20200720.dirty
[  234.045090] stage-2-init: running activation script...
[  235.601159] stage-2-init: setting up /etc...
[  235.883966] stage-2-init: setting up secrets...
[  237.981769] stage-2-init: /nix/store/14lb4jzdf2j3k9a57niqzv2wi6z49yr9-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: Cannot read ssh key '/etc/ssh/ssh_host_rsa_key': open /etc/ssh/ssh_host_rsa_key: no such file or directory
[  237.981874] stage-2-init: Activation script snippet 'setup-secrets' failed (1)
[  239.726445] systemd[1]: Inserted module 'autofs4'
[  239.872676] NET: Registered protocol family 10
[  239.873489] Segment Routing with IPv6
[  240.072141] systemd[1]: systemd 245 running in system mode. (+PAM +AUDIT -SELINUX +IMA +

During the build:

...
github.com/Mic92/sops-nix/pkgs/sshkeys
github.com/Mic92/sops-nix/pkgs/ssh-to-pgp
running tests
main_test.go:53: unexpected error: error reading github.com/Mic92/sops-nix/pkgs/ssh-to-pgp/test-assets/id_rsa: open github.com/Mic92/sops-nix/pkgs/ssh-to-pgp/test-assets/id_rsa: no such file or directory

--- FAIL: TestCli (0.00s)
FAIL
FAIL    github.com/Mic92/sops-nix/pkgs/ssh-to-pgp       0.002s
FAIL
builder for '/nix/store/vnbay3ri2nlf3qharnymn5fbcy39i9qh-ssh-to-pgp-0.0.1.drv' failed with exit code 1

This is on nixos-unstable-small

I'm cross-compiling from x86_64-linux to armv6l-unknown-linux-gnueabihf:

builder for '/nix/store/16ac42gw5z54wz966pcr11a4cschc0y7-checked-manifest.json.drv' failed with exit code 126; last 1 log lines:
  /build/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 1: /nix/store/vaqv96g948bsj153vfxv03snlmpxj4f5-sops-install-secrets-0.0.1-armv6l-unknown-linux-gnueabihf/bin/sops-install-secrets: cannot execute binary file: Exec format error

When using ssh with a passphrase, doing nixos-rebuild switch results in an error:

setting up secrets...
/nix/store/6smf5qa87ggmcd85d7ixhw76kx13b018-sops-install-secrets-0.0.1/bin/sops-install-secrets: Error setting up gpg keyring: failed to parse private ssh key: ssh: this private key is passphrase protected
Activation script snippet 'setup-secrets' failed (1)
reloading user units for yoctocell...
setting up tmpfiles
warning: error(s) occurred while switching to the new configuration

This happens even when ssh-agent caches the passphrase, meaning that doing a git push wouldn't ask me for the passphrase. Is there a workaround for this, or do I have to remove the passphrase?

Seems the cgo linker is being unhappy, and that causes ssh-to-pgp to fail to test - breaking any shell.nix trying to use it:

error: --- Error --- nix-daemon
builder for '/nix/store/fqphylg3w68pmjb606p6xxg6dgwxpsy3-ssh-to-pgp-0.0.1.drv' failed with exit code 2; last 10 log lines:
  golang.org/x/crypto/ssh
  github.com/Mic92/sops-nix/pkgs/sshkeys
  github.com/Mic92/sops-nix/pkgs/ssh-to-pgp
  running tests
  # runtime/cgo
  ld: warning: passed two min versions (10.12.0, 10.12) for platform macOS. Using 10.12.
  ld: file not found: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
  clang-7: error: linker command failed with exit code 1 (use -v to see invocation)
  FAIL       github.com/Mic92/sops-nix/pkgs/ssh-to-pgp [build failed]
  FAIL

I can go get the ssh-to-pgp binary just fine, but I suppose it would be good to be able to use it from a nix-shell too...

Would there be a way to encrypt a file that gets decrypted during nix evaluation? The idea would be to store semi-secrets that change the nix configuration like the contents of /etc/hosts - I'd like to keep that out of git but it's fine in the nix store.

Updating go dependencies results in:

pkgs/sops-install-secrets/sshkeys/convert.go:10:2: SA1019: package golang.org/x/crypto/openpgp is deprecated: this package is unmaintained except for security fixes. New applications should consider a more focused, modern alternative to OpenPGP for their specific task. If you are required to interoperate with OpenPGP systems and need a maintained package, consider a community fork. See https://golang.org/issue/44226. (staticcheck)
        "golang.org/x/crypto/openpgp"
        ^
pkgs/sops-install-secrets/sshkeys/convert.go:11:2: SA1019: package golang.org/x/crypto/openpgp/packet is deprecated: this package is unmaintained except for security fixes. New applications should consider a more focused, modern alternative to OpenPGP for their specific task. If you are required to interoperate with OpenPGP systems and need a maintained package, consider a community fork. See https://golang.org/issue/44226. (staticcheck)
        "golang.org/x/crypto/openpgp/packet"
        ^

The shell I have looks more or less like this

pkgs.mkShell {
  sopsPGPKeyDirs = [
    "./keys/host"
    "./keys/users"
  ];
  inputsFrom = [ projectEnv ];
  nativeBuildInputs = [
    (sops-nix { inherit pkgs; }).sops-pgp-hook
    spago2nix'
  ];
}

but I also have an .envrc which calls use flake at the end. Long story short, I have the correct .asc files in the above mentioned folders, but the hook doesn't seem to run since the environment variable doesn't exist.

Even if I direnv block, followed by sops secrets.yaml I get

config file not found and no keys provided through command line options

Also not sure what to make of this

$ nix-shell -p sops --run "sops secrets.yaml"
/nix/store/npdq5pilrfsklvhx0ws44lykc1rl1i66-stdenv-linux/setup: line 81: sopsPGPHook: command not found
config file not found and no keys provided through command line options

$ sops secrets.yaml
config file not found and no keys provided through command line options

Hi. I'm trying to use ssh-to-pgp and following the instruction here: https://github.com/Mic92/sops-nix#3-get-a-pgp-public-key-for-your-machine

I assume I have to clone this repo and run nix-shell -p ssh-to-pgp in the root of the repo next to shell.nix. However when I do that I get the following error:

error: undefined variable 'ssh-to-pgp' at (string):1:94

It's unclear from the documentation how to get ssh-to-pgp installed on the machine I'm provisioning.
What do I need to add to configuration.nix to get it installed on the remote machines?

I'm doing something like

{
  sops.secrets.foo.sopsFile = "${secretsPath}/foo"; # where secretsPath = "/nix/store/..."
}

but this fails because of this check:

I could use secretsPath + "/foo" instead, but I feel like I shouldn't have to. Is there a better way to check whether a path is in the Nix store?

{
sops.gnupgHome = "/home/cole/.gnupg";
}

But it fails to decrypt during activate. I can can confirm that running sops -d is using PGP and decrypting successfully: Is there something I have to do to make my user's gnupghome available to it during activation?

sops --input-type binary --output-type binary --verbose --output ../unencrypted/wg-server.key -d wg-server.key
[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=...

Hi again, I'm getting so close to being able to use sops-nix to keep secrets on my host (Thanks for the fixing those last two issues so quickly)! - unfortunately, my luck has run out as I'm pulling sops-nix in with niv, and I don't understand how importing a sub-module of a niv-managed package should work. Using imports = [ <sops-nix/modules/sops> ]; in my nix files fails with error: file 'sops-nix/modules/sops' was not found in the Nix search path (add it using $NIX_PATH or -I), at /Users/asf/Mess/current/sops-sobs/configuration.nix:3:15.

I tried getting at the submodule in various other ways, but none of them work; the sops attribute remains inaccessible.

I asked the same question on the niv bug tracker as it seems like a documentation problem on their end also, but maybe you know of a quick solution?

If it is currently supported, please offer documentation about how to set it up.

If it is currently not supported, please consider supporting it.