Docs: What goes wrong if you use a different package set in a generator? #19

Open
plaidfinch opened this issue May 6, 2024 · 1 comment

plaidfinch commented May 6, 2024

The documentation states, regarding the pkgs argument to a generator script:

The package set for the host that is running the generation script. Don't use any other package set in the script!

I'm still a little unclear about why this is so important. Is this just because you shouldn't use a package set for a host on a different architecture, or does it need to be the exact same package set that is passed through here, for some reason I don't understand?

My concrete problem is that I'm developing on a flake that has some locally defined packages not present in nixpkgs, and I'd like to use them in a generator script. Should I expect anything to go wrong if I use them directly, so long as I am using references to packages that are the same system as the rekeying host?

It would be helpful to add some more commentary about the "why" of this directive. It's expressed very strongly, so I figure you have good reason for stating it, but even after looking through the source code of agenix-rekey I'm still scratching my head.

Owner

oddlama commented May 6, 2024

The pkgs passed to the generator functions is always guaranteed to be for the system that is running the rekeying operations. When writing a generator definition in a host configuration, most people would just reuse the pkgs set that they got from the nixos module if they needed one. I wanted to be very clear that this would be an error. If you have an x86_64-linux host but are rekeying on an aarch64-linux, then the script would try to execute a binary for a different architecture.

Maybe the "Don't use any other ..." is too strongly worded, it should maybe read "Don't use any other package set in the script, except if you know what you are doing".

Regarding your issue: If you want to use a specific package set from your flake, then you can just pass it in via the pkgs argument of agenix-rekey.configure. Each generator script will be called using the corresponding package set.
See here for the definition. Alternatively you can of course just use whatever package set you want in your scripts, there are no hidden implications. But if you want to rekey on multiple machines with different architectures you must make sure to pick the right one in your script.

```nix
agenix-rekey.configure {
  # If you already have a package set in your flake, you can just pass it through.
  # Here `pkgs.x86_64-linux` must be a package set for x86_64-linux. You only need to define those that are actually needed.
  pkgs = self.pkgs;
  # ...
}
```
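
The architecture mismatch discussed in this thread, next to two generator definitions that avoid it. This is an added example, not code from the thread or from agenix-rekey itself. It assumes the `age.generators` / `age.secrets.<name>.generator.script` option layout, that `self` (the user's flake) reaches modules through `specialArgs`, and a hypothetical flake-local package `my-keygen`; the secret path is constructed.

```nix
# Added example: a NixOS host module.
# Assumptions: `self` is passed via specialArgs; `my-keygen` is a hypothetical
# package exported by the flake under packages.<system>.
{ self, pkgs, ... }:
# ^ This `pkgs` is built for the host being configured, e.g. x86_64-linux.
{
  # Fragile: the script closes over the module's `pkgs`, so the store path it
  # embeds is an openssl binary for the configured host. Rekeying from an
  # aarch64-linux machine would then try to execute an x86_64-linux binary.
  age.generators.token-host-pkgs = _: ''
    ${pkgs.openssl}/bin/openssl rand -hex 32
  '';

  # Portable: take `pkgs` from the generator's own arguments. It shadows the
  # module-level `pkgs` and is the package set for the machine that is
  # running the rekeying operation.
  age.generators.token = { pkgs, ... }: ''
    ${pkgs.openssl}/bin/openssl rand -hex 32
  '';

  # Flake-local package: derive the system from the generator's `pkgs` and use
  # it to select the matching build, so the right architecture is picked no
  # matter which machine rekeys.
  age.generators.local-tool = { pkgs, ... }:
    let
      system = pkgs.stdenv.hostPlatform.system;
    in ''
      ${self.packages.${system}.my-keygen}/bin/my-keygen
    '';

  # Constructed secret that uses the portable generator by name.
  age.secrets.api-token = {
    rekeyFile = ./secrets/api-token.age;
    generator.script = "token";
  };
}
```

The `local-tool` variant only evaluates if the flake actually builds `my-keygen` for every system you rekey from.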
