Mic92 / sops-nix

Atomic secret provisioning for NixOS based on sops
MIT License
1.36k stars 133 forks

Symlink functionality does not seem to work #571

Open noggynoggy opened 1 month ago

noggynoggy commented 1 month ago

I am just starting to use sops-nix (awesome project btw!), this might be my fault:

The symlink functionality does not seem to work for me:

The following snippet contains my config for Syncthing. The Syncthing module thankfully has an option to set the path to the cert and key, so I was able to fix my issue by using the code below. But with the path not commented out (and the other two lines in the syncthing block), it didn't work, because no symlinks to the specified directory were made.

```nix
  sops.secrets = {
    "syncthing/${host}-cert.pem" = {
      owner = user;
      # path = "/home/${user}/.config/syncthing/cert.pem";
    };
    "syncthing/${host}-key.pem" = {
      owner = user;
      # path = "/home/${user}/.config/syncthing/key.pem";
    };
  };

  services.syncthing = (builtins.trace config.sops.secrets."syncthing/${host}-cert.pem".path) {
    enable = true;
    user = "${user}";
    # key = "/home/${user}/.config/syncthing/key.pem";
    # cert = "/home/${user}/.config/syncthing/cert.pem";
    key = config.sops.secrets."syncthing/${host}-key.pem".path;
    cert = config.sops.secrets."syncthing/${host}-cert.pem".path;
    # ...
  };
```

The secrets were to be found in the /run/secrets/syncthing directory, in ~/.config/syncthing there is no file that could "block" the links, the trace shows the right path, and the build does not crash or show any errors, but the symlink is not created.

This simple example below does work and the symlink is created in my home directory after rebuild.

```nix
  secrets.example = {
    path = "/home/${user}/test";
  };
```

It doesn't seem to matter who the owner of the file is or what mode it has. I read through the code but I am no Go wizard so I couldn't figure out why it behaves like this.

Is this maybe Syncthing specific?

k6av commented 1 month ago

I've done some testing on my own configuration, and the issue seems to arise when using nested secrets (with a / in the secret name) together with the path option. Definitely seems like some sort of bug to me. The issue is probably not specific to Syncthing.

k6av commented 1 month ago

Nevermind, nested secrets work fine for me. Back to square 1.

k6av commented 1 month ago

I've (roughly, see below) copy-pasted the snippet you provided into my own NixOS configuration and I can't reproduce the issue you're having; the files get symlinked fine in my configuration. Not sure what the issue could be... I'd look closer at the rest of your NixOS configuration as the snippet you provided should work fine on its own.

syncthing-test.nix

```nix
{ config, ... }:
let
  user = "someuser";
  host = "somehost";
in
{
  sops.secrets = {
    "syncthing/${host}-cert.pem" = {
      owner = user;
      path = "/home/${user}/.config/syncthing/cert.pem";
    };
    "syncthing/${host}-key.pem" = {
      owner = user;
      path = "/home/${user}/.config/syncthing/key.pem";
    };
  };

  services.syncthing = (builtins.trace config.sops.secrets."syncthing/${host}-cert.pem".path) {
    enable = true;
    user = "${user}";
    key = "/home/${user}/.config/syncthing/key.pem";
    cert = "/home/${user}/.config/syncthing/cert.pem";
  };
}
```