
Rekeying zero secrets leads to error #37

Open
axelkar opened this issue Aug 1, 2024 · 5 comments

Comments

axelkar commented Aug 1, 2024

$ agenix rekey --force
Collecting information about hosts. This may take a while...
   Realizing 4 store paths
error:
       … while setting up the build environment

       error: getting attributes of path '/tmp/agenix-rekey.1001': No such file or directory

This is because rekeyedSecrets.cacheDir is never mkdir'd if no secrets are rekeyed (no secrets exist or all are skipped).

@Bohreromir

I encountered the same error just after setting up a new host and trying to rekey.
I'm using storageMode = "derivation".
A mkdir /tmp/agenix-rekey.{uid} fixed this.

oddlama (Owner) commented Oct 14, 2024

I've moved the directory creation to an earlier point in the script now, can you confirm whether this solves your issue?

@Bohreromir

I updated agenix-rekey, removed the directory and ran agenix-rekey. It still failed unless I manually recreated the directory.

axelkar (Author) commented Oct 15, 2024

> I've moved the directory creation to an earlier point in the script now, can you confirm whether this solves your issue?

The error comes from Nix itself due to this option:

{ nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey"]; }

The error comes even when I'm doing nothing related to agenix, because on the current boot I haven't yet created the directory.

Btw, could you somehow make the derivation hashes only dependent on the rekey target's system and public key and the encrypted secret, and fabricate it without using extra-sandbox-paths? Like fetching from a custom store? Is there a way to do it without using trusted-users?

oddlama (Owner) commented Oct 15, 2024

> I've moved the directory creation to an earlier point in the script now, can you confirm whether this solves your issue?
>
> The error comes from Nix itself due to this option:
>
> { nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey"]; }
>
> The error comes even when I'm doing nothing related to agenix, because on the current boot I haven't yet created the directory.

Ah so I guess the real solution is that you'll have to add a systemd.tmpfiles entry to create this directory on boot.

> Btw, could you somehow make the derivation hashes only dependent on the rekey target's system and public key and the encrypted secret, and fabricate it without using extra-sandbox-paths? Like fetching from a custom store? Is there a way to do it without using trusted-users?

It already is only dependent on the things you write, otherwise you couldn't reproduce the same system from another machine (which you can). But there is no way to do it without sandbox paths, because rekeying is fundamentally impure, and we need a way to allow this impurity in nix. There's a section in the readme detailing this.

The other solution is to use local storage mode, which doesn't have this limitation. I introduced it primarily to get rid of this sandboxing and some other things that don't always play nice with nix. But here we also need to get the rekeyed secrets into nix somehow, so it requires you to store them locally in a subfolder of the flake's git repository.
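The systemd.tmpfiles approach suggested above, as an added example that is not part of this thread or of the agenix-rekey project: a NixOS host module pairing the extra-sandbox-paths entry quoted in the comments with a tmpfiles rule that creates the directory at boot, so a fresh boot no longer breaks sandbox setup for unrelated builds. The directory path, owner ("alice") and mode are assumptions and must match the cache directory your agenix-rekey configuration actually uses (the error above names a uid-suffixed variant, /tmp/agenix-rekey.1001).

```nix
# Added example (not from the thread or the project). Assumptions: the path
# below must equal the cache directory agenix-rekey uses on this host, and
# "alice" is a placeholder for the user who runs `agenix rekey`.
{ ... }:
{
  # Nix fails while setting up *every* build sandbox if a path listed here
  # does not exist on the host, which is why the error appears even for
  # builds unrelated to agenix on a boot where nothing created the directory.
  nix.settings.extra-sandbox-paths = [ "/tmp/agenix-rekey" ];

  # "d": create the directory if missing; 0700 alice users: the directory
  # holds rekeyed secrets, so keep it private to the rekeying user (the nix
  # daemon runs as root and can still bind-mount it); "-": never age it out,
  # so systemd-tmpfiles cleanup of /tmp does not remove it between rekeys.
  systemd.tmpfiles.rules = [
    "d /tmp/agenix-rekey 0700 alice users -"
  ];
}
```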
