I’ve found a case which I don’t understand. I’ve got sops-nix set up and working with a minimal NixOS configuration. I do a `nixos-rebuild switch`, and the secrets are visible in `/run/secrets/` as expected.
However, I then add some oci-containers to my configuration, using podman. Another `nixos-rebuild switch`, I get podman errors due to the containers not starting, which I fully expect as they’re not fully configured yet. I try a `nixos-rebuild boot` instead, and it finishes without error.
But the weird part is, when the containers fail to start, there are no secrets visible in `/run/secrets`. It’s almost like sops-nix only gets activated on `nixos-rebuild switch` and not `nixos-rebuild boot`, and the container failure is cutting the rebuild short before it gets around to letting sops-nix run.
But, given that some of the containers specify `environmentFiles` values that reference sops-nix secrets, I would expect the secrets to already be processed and available before the containers try to start…
What is going on here? When does sops-nix actually get activated? Why would a container failure cause sops-nix to not run?
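For reference, the shape of configuration the question describes: a sops-nix secret consumed by a podman container through `environmentFiles`. This is an added illustration, not the reporter's actual configuration or code from the sops-nix project; the secret name `myapp/env`, the sops file path, the age key path, the container name `myapp` and its image are placeholders.

```nix
{ config, ... }:

{
  # sops-nix: where the encrypted file lives and which key decrypts it
  # (paths are placeholders for this example).
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.age.keyFile = "/var/lib/sops-nix/key.txt";

  # One secret holding a KEY=value env file for the container.
  # It is written to /run/secrets/myapp/env with the mode given here,
  # so only root (which podman runs as here) can read it.
  sops.secrets."myapp/env" = {
    mode = "0400";
    owner = "root";
  };

  virtualisation.oci-containers.backend = "podman";

  # The container references the decrypted secret by its path rather than
  # by a hard-coded string, so the two modules stay in sync.
  virtualisation.oci-containers.containers.myapp = {
    image = "docker.io/library/alpine:3.19";   # placeholder image
    environmentFiles = [ config.sops.secrets."myapp/env".path ];
  };
}
```

Note on the two commands in the question: `nixos-rebuild switch` builds the new generation and activates it immediately, while `nixos-rebuild boot` only builds it and makes it the default boot entry, so nothing from the new generation (sops-nix included) runs until the next reboot; the `switch` behaviour with failing containers is a separate matter that the page does not resolve.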