oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License
197 stars, 16 forks

agenix rekey --help fails if all hosts are not configured #16

Closed LoganBarnett closed 5 months ago

LoganBarnett commented 5 months ago

Hi! Thanks again for the work on agenix-rekey!

If I run agenix rekey --help, and I have yet to configure everything that gets populated into the nodes attribute for the root agenix-rekey configuration, agenix rekey --help fails with this error:

$ agenix rekey --help
Collecting information about hosts. This may take a while...
warning: Git tree '/Users/logan/dev/dotfiles' is dirty
error:
       … while calling the 'derivationStrict' builtin

         at /builtin/derivation.nix:9:12: (source not available)

       … while evaluating derivation 'agenix-rekey'
         whose name attribute is located at /nix/store/scwn9kf1iq0fq3k7jc8pwaq0ry8za124-source/pkgs/stdenv/generic/make-derivation.nix:353:7

       … while evaluating attribute 'text' of derivation 'agenix-rekey'

         at /nix/store/scwn9kf1iq0fq3k7jc8pwaq0ry8za124-source/pkgs/build-support/trivial-builders/default.nix:162:16:

          161|       ({
          162|         inherit text executable checkPhase allowSubstitutes preferLocalBuild;
             |                ^
          163|         passAsFile = [ "text" ]

       error: attribute 'age' missing

       at /nix/store/5rhp2fj4jrxr4cjd2j81v1fkqj7xcp0i-source/apps/rekey.nix:41:43:

           40|
           41|   nodesWithDerivationStorage = filter (x: x.config.age.rekey.storageMode == "derivation") (attrValues nodes);
             |                                           ^
           42|

This is my configuration at the root of my flake.nix, for reference:

      agenix-rekey = agenix-rekey.configure {
        userFlake = self;
        nodes = self.nixosConfigurations // self.darwinConfigurations;
      };

If I make sure all of them have something like this in their modules list:

    {
      imports = [
        flake-inputs.agenix-rekey.nixosModules.default
      ];
      age.rekey.hostPubkey = "";
    }

Then I move on from that error. I do get another error, which suspiciously looks like #15:

         at /nix/store/5rhp2fj4jrxr4cjd2j81v1fkqj7xcp0i-source/modules/agenix-rekey.nix:70:12:

           69|     '';
           70|     assert assertMsg (builtins.pathExists rekeyedPath) ''
             |            ^
           71|       host ${config.networking.hostName}: Rekeyed secret for age.secrets.${secret.name} not found, please run `agenix rekey -a` again and make sure to add the results to git.

       … while calling 'assertMsg'

         at /nix/store/2z8cnf34pyhlyjngmkxxvhi9kpmrnw4k-source/lib/asserts.nix:41:5:

           40|     pred:
           41|     msg:
             |     ^
           42|     pred || builtins.throw msg;

       error: attribute 'name' missing

       at /nix/store/5rhp2fj4jrxr4cjd2j81v1fkqj7xcp0i-source/modules/agenix-rekey.nix:65:95:

           64|     # then the path would change on each subsequent build because the flake path changes.
           65|     rekeyedPath = builtins.path {path = config.age.rekey.localStorageDir;} + "/${identHash}-${secret.name}.age";
             |                                                                                               ^
           66|   in

But at this point I only have a single secret, and that secret is pointing at a real file (per the workaround stated in #15). So I'm a bit at a loss there as well. I'm happy to create a new ticket if these are completely different issues, but I wanted to err on the side of including too much context rather than not enough.

In total honesty I haven't done a minimal reproduction of this issue but I did want to create a ticket because I believe minimally there is an opportunity to enhance error handling/reporting. This is my sprawling Nix configuration if it is helpful to see for additional context, but I do not expect any kind of spelunking into it.

Thanks again!

oddlama commented 5 months ago

(wrong post oops) :P

oddlama commented 5 months ago

I would presume that this issue is a direct cause of #15. It's of course unfortunate that the help message can't be printed if you have severe evaluation errors, but since the script must include text specific to your configuration there's no way around it. If the nix evaluation fails we cannot execute anything because the whole script will be missing.
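As an added illustration of the kind of up-front check the reporter asks for (this is not agenix-rekey's own code), the expression below walks a constructed `nodes` set in which `hostB` never imported the module, and reports every such host by name instead of failing with the opaque `attribute 'age' missing` at the `storageMode` filter:

```nix
# Added example, not agenix-rekey code. The `nodes` set is constructed
# inline: hostB stands in for a host whose module list does not import
# agenix-rekey, so its config carries no `age` attribute at all.
let
  nodes = {
    hostA.config.age.rekey.storageMode = "derivation";
    hostB.config = { };                       # module not imported
    hostC.config.age.rekey.storageMode = "local";
  };

  # A node is usable only if the module populated config.age.rekey.
  hasRekeyModule = node: node.config ? age.rekey;

  # Names of hosts that would otherwise crash the evaluation.
  missing = builtins.filter (name: !hasRekeyModule nodes.${name})
    (builtins.attrNames nodes);

  # Same selection as the original filter, restricted to configured hosts.
  nodesWithDerivationStorage = builtins.filter
    (x: hasRekeyModule x && x.config.age.rekey.storageMode == "derivation")
    (builtins.attrValues nodes);
in
if missing != [ ] then
  throw ''
    agenix-rekey: these hosts do not import the agenix-rekey module
    (no `age.rekey` in their config): ${builtins.concatStringsSep ", " missing}
  ''
else
  builtins.length nodesWithDerivationStorage
```

Evaluating it with `nix-instantiate --eval --strict` on this constructed input stops with the message naming `hostB`; remove `hostB` and it evaluates to 1, the number of hosts using derivation storage.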

LoganBarnett commented 5 months ago

I agree - it sounds like a bug of a bug. The initial problem being that I didn't have the agenix NixOS module included in my configuration. Thanks for the help! I'll close this out, since I don't think there's anything additional to do here over #15.