.symlink = false fails to generate decrypted secrets #214

Open
supermarin opened this issue Oct 17, 2023 · 2 comments

Comments


supermarin commented Oct 17, 2023

Having an existing `age.secrets.secret1.file = ./foo`, and adding `age.secrets.secret1.symlink = false;` in your configuration.nix causes the following error when running `nixos-rebuild switch`:

```
updating GRUB 2 menu...
activating the configuration...
[agenix] creating new generation in /run/agenix.d/9
[agenix] decrypting secrets...
decrypting '/nix/store/rfz17gds7i7lcbqla5s9giivlygg7vdj-nix.conf.age' to '/run/agenix/nixConf'...
[agenix] symlinking new secrets to /run/agenix (generation 9)...
[agenix] removing old secrets (generation 8)...
[agenix] chowning...
chown: cannot access '/run/agenix/nixConf': No such file or directory
Activation script snippet 'agenixChown' failed (1)
```

supermarin commented Oct 17, 2023

Tried rebuilding without any references to age.secrets.secret1 and rebuilding with symlink = false; afterwards, got the same error.

I'm on nixos-unstable btw and using flakes. Tried with and without inputs.agenix.inputs.nixpkgs.follows = "nixpkgs"; in flake.nix so it seems broken both with my nixpkgs and the ones referenced in github:ryantm/agenix.

supermarin added a commit to supermarin/dotfiles that referenced this issue Oct 17, 2023
There are a few problems:
  1. agenix decrypts at activation time, so /run/agenix/nixConf isn't
     there when nix evaluates configuration.nix and checks contents of
     nix.conf which references /run/agenix/nixConf.

  2. agenix's homeManagerModules module collides with its nixosModules.
     This makes it impossible to load both at the same time and use
     home-manager to put the secret in the user's nix.conf
     [gh issue](ryantm/agenix#215)

  3. symlinking is broken ATM
     [gh issue](ryantm/agenix#214)
@nessdoor

I am encountering the same error.

I was previously setting a custom decryption path for my non-symlinked secret through age.secrets.<name>.path, and everything worked fine. Then, I decided to keep the secret under the default agenix directory (still not symlinked, as I need direct access to the decrypted file), so I removed the path specification. After doing that, I encountered the same error that you did.

Looking at how agenix manages to keep stable references to changing generations, it seems like it is mandatory to specify a path outside of secretsDir for non-symlinked secrets (${secretsDir} is symlinked to ${secretsMountPoint}/<#generation>).
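The sequence in the log above (decrypt into the configured path, repoint `/run/agenix` at the new generation, delete the old generation) and the observation that `${secretsDir}` is itself a symlink into `${secretsMountPoint}/<generation>` can be replayed in a sandbox. The script below is an added, simplified model of that sequence, not agenix's own activation script; it assumes `/run/agenix.d` as the mount point and `/run/agenix` as the secrets directory, and builds everything under a temporary root so it touches nothing on the real system. It shows why a non-symlinked secret decrypted to the default path under `secretsDir` vanishes when the old generation is removed, and why a path outside `secretsDir` survives.

```shell
#!/bin/sh
# Constructed model of the agenix activation sequence seen in the issue log.
# Not agenix's code: the generation layout and paths are assumptions
# (secretsMountPoint=/run/agenix.d, secretsDir=/run/agenix), replayed
# under a throwaway root created with mktemp so nothing real is modified.
set -eu

# simulate PATH: decrypt a non-symlinked secret to PATH (relative to the
# sandbox root), roll the generation over, and report whether the
# decrypted file still exists afterwards ("present" or "missing").
simulate() {
  root=$(mktemp -d)
  mount_point="$root/run/agenix.d"      # models secretsMountPoint
  secrets_dir="$root/run/agenix"        # models secretsDir

  # State before activation: generation 8 is live and secretsDir points at it.
  mkdir -p "$mount_point/8"
  ln -sfn "$mount_point/8" "$secrets_dir"

  # "[agenix] creating new generation in /run/agenix.d/9"
  mkdir -p "$mount_point/9"

  # "decrypting ... to '<path>'": with symlink = false the plaintext is
  # written straight to the configured path. If that path lives under
  # secretsDir, the write goes through the symlink into generation 8.
  target="$root$1"
  mkdir -p "$(dirname "$target")"
  printf 'constructed secret material\n' > "$target"

  # "[agenix] symlinking new secrets to /run/agenix (generation 9)"
  ln -sfn "$mount_point/9" "$secrets_dir"

  # "[agenix] removing old secrets (generation 8)"
  rm -rf "$mount_point/8"

  # "[agenix] chowning": this is where chown looked for the file.
  if [ -f "$target" ]; then result=present; else result=missing; fi

  rm -rf "$root"
  echo "$result"
}

# Default path under secretsDir (what the issue reports) versus an explicit
# path outside it (what the previous comment says had been working).
echo "default path /run/agenix/nixConf:   $(simulate /run/agenix/nixConf)"   # missing
echo "explicit path /run/secrets/nixConf: $(simulate /run/secrets/nixConf)"  # present
```

In configuration terms the second case corresponds to keeping `symlink = false` but setting `age.secrets.<name>.path` to a location outside `/run/agenix`, which is the workaround described in the comment above; the model only reproduces the ordering visible in the log and makes no claim about how agenix handles other cases.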
