oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

error: Rekeyed secret for age.secrets.<name> not found, please run `agenix rekey -a` again and make sure to add the results to git. #31

Open Jappie3 opened 4 months ago

Jappie3 commented 4 months ago

I started using agenix-rekey a few weeks ago, but got busy & only got back to further integrating it yesterday. Now I'm trying to deploy a wireguard secret to my main laptop using age.secrets.einzig_kainas.rekeyFile = "${self}/secrets/wg-cluster/psks/einzig_kainas.age";

After supplying host keys, running agenix generate (I provided a generator script using wg genpsk, took a page out of your config ;) ) & agenix rekey -a, I have the following secrets in my rekey dir:

 l secrets/_rekeyed/Kainas/
total 8.0K
drwxr-xr-x 1 jasper users 186 Jun 15 15:30 .
drwxr-xr-x 1 jasper users  46 Jun 15 13:20 ..
-rw-r--r-- 1 jasper users 314 Jun 15 15:30 21f433d6e444eb220f75e18df2a2b926-kainas.age
-rw-r--r-- 1 jasper users 390 Jun 15 15:30 7f41d92750f74ef6ee5a38782517174b-einzig_kainas.age

The error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

After rekeying again & adding everything to git:

 l secrets/_rekeyed/Kainas/
total 8.0K
drwxr-xr-x 1 jasper users 186 Jun 15 19:46 .
drwxr-xr-x 1 jasper users  46 Jun 15 13:20 ..
-rw-r--r-- 1 jasper users 351 Jun 15 19:46 7e4b20fb343fea9d2020fd70a5268edd-kainas.age
-rw-r--r-- 1 jasper users 353 Jun 15 19:46 b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

The einzig_kainas file is exactly the one from the error I got before...

The new error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/9a755e82cca785ab054bbbd1f4f67518-einzig_kainas.age

If I rekey again, that file (9a755e82cca785ab054bbbd1f4f67518-einzig_kainas.age) shows up. Any clues as to what's going wrong? Rekeying & generating secrets works fine, which makes me think that I configured everything correctly...

Here is a trace of the error:

trace:

```
error:
       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1571:24:
         1570| let f = attrPath:
         1571| zipAttrsWith (n: values:
             | ^
         1572| let here = attrPath ++ [n]; in

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:
         1204| mapAttrs
         1205| (name: value:
             | ^
         1206| if isAttrs value && cond value

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:
         1207| then recurse (path ++ [ name ]) value
         1208| else f (path ++ [ name ]) value);
             | ^
         1209| in

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:
          241| # For definitions that have an associated option
          242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             | ^
          243|

       … while evaluating the option `system.build.toplevel':

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:
          823| # Process mkMerge and mkIf properties.
          824| defs' = concatMap (m:
             | ^
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix':

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:
          824| defs' = concatMap (m:
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             | ^
          826| ) defs;

       … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:
          895| */
          896| dischargeProperties = def:
             | ^
          897| if def._type or "" == "merge" then

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:71:12:
           70| # Replace runtime dependencies
           71| system = foldr ({ oldDependency, newDependency }: drv:
             | ^
           72| pkgs.replaceDependency { inherit oldDependency newDependency drv; }

       … while calling 'foldr' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20:
          120| */
          121| foldr = op: nul: list:
             | ^
          122| let

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8:
          127| else op (elemAt list n) (fold' (n + 1));
          128| in fold' 0;
             | ^
          129|

       … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:
          123| len = length list;
          124| fold' = n:
             | ^
          125| if n == len

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:68:10:
           67| then throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
           68| else showWarnings config.warnings baseSystem;
             | ^
           69|

       … while calling 'showWarnings' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:28:
          926|
          927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             | ^
          928|

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:33:
          926|
          927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             | ^
          928|

       … while calling 'foldr' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20:
          120| */
          121| foldr = op: nul: list:
             | ^
          122| let

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8:
          127| else op (elemAt list n) (fold' (n + 1));
          128| in fold' 0;
             | ^
          129|

       … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:
          123| len = length list;
          124| fold' = n:
             | ^
          125| if n == len

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14:
          126| then nul
          127| else op (elemAt list n) (fold' (n + 1));
             | ^
          128| in fold' 0;

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47:
          926|
          927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             | ^
          928|

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34:
          126| then nul
          127| else op (elemAt list n) (fold' (n + 1));
             | ^
          128| in fold' 0;

       … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:
          123| len = length list;
          124| fold' = n:
             | ^
          125| if n == len

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14:
          126| then nul
          127| else op (elemAt list n) (fold' (n + 1));
             | ^
          128| in fold' 0;

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47:
          926|
          927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             | ^
          928|

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34:
          126| then nul
          127| else op (elemAt list n) (fold' (n + 1));
             | ^
          128| in fold' 0;

       … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:
          123| len = length list;
          124| fold' = n:
             | ^
          125| if n == len

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:48:16:
           47| # makes it bootable. See `activatable-system.nix`.
           48| baseSystem = pkgs.stdenvNoCC.mkDerivation ({
             | ^
           49| name = "nixos-system-${config.system.name}-${config.system.nixos.label}";

       … while calling 'mkDerivation' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/pkgs/stdenv/generic/make-derivation.nix:46:5:
           45| mkDerivation =
           46| fnOrAttrs:
             | ^
           47| if builtins.isFunction fnOrAttrs

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:
         1204| mapAttrs
         1205| (name: value:
             | ^
         1206| if isAttrs value && cond value

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:
         1207| then recurse (path ++ [ name ]) value
         1208| else f (path ++ [ name ]) value);
             | ^
         1209| in

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:
          241| # For definitions that have an associated option
          242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             | ^
          243|

       … while evaluating the option `system.systemBuilderArgs':

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:846:59:
          845| if isDefined then
          846| if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             | ^
          847| else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while calling 'merge' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:583:20:
          582| check = isAttrs;
          583| merge = loc: defs:
             | ^
          584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:35:
          583| merge = loc: defs:
          584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             | ^
          585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling 'filterAttrs' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:646:5:
          645| pred:
          646| set:
             | ^
          647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:29:
          646| set:
          647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
             | ^
          648|

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:62:
          646| set:
          647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
             | ^
          648|

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:51:
          583| merge = loc: defs:
          584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             | ^
          585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:86:
          583| merge = loc: defs:
          584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             | ^
          585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:
          823| # Process mkMerge and mkIf properties.
          824| defs' = concatMap (m:
             | ^
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activatable-system.nix':

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:
          824| defs' = concatMap (m:
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             | ^
          826| ) defs;

       … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:
          895| */
          896| dischargeProperties = def:
             | ^
          897| if def._type or "" == "merge" then

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:133:18:
          132| apply = set: set // {
          133| script = systemActivationScript set false;
             | ^
          134| };

       … while calling 'systemActivationScript' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:20:33:
           19|
           20| systemActivationScript = set: onlyDry: let
             | ^
           21| set' = mapAttrs (_: v: if isString v then (noDepEntry v) // { supportsDryActivation = false; } else v) set;

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:49:9:
           48|
           49| ${textClosureMap id (withDrySnippets) (attrNames withDrySnippets)}
             | ^
           50|

       … while calling 'textClosureMap' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/strings-with-deps.nix:75:35:
           74|
           75| textClosureMap = f: predefined: names:
             | ^
           76| concatStringsSep "\n" (map f (textClosureList predefined names));

       … while calling 'id' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:36:8:
           35| */
           36| id = x: x;
             | ^
           37|

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:
         1204| mapAttrs
         1205| (name: value:
             | ^
         1206| if isAttrs value && cond value

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:
         1207| then recurse (path ++ [ name ]) value
         1208| else f (path ++ [ name ]) value);
             | ^
         1209| in

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:
          241| # For definitions that have an associated option
          242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             | ^
          243|

       … while evaluating the option `system.activationScripts.agenixInstall.text':

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:
          823| # Process mkMerge and mkIf properties.
          824| defs' = concatMap (m:
             | ^
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix':

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:
          824| defs' = concatMap (m:
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             | ^
          826| ) defs;

       … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:
          895| */
          896| dischargeProperties = def:
             | ^
          897| if def._type or "" == "merge" then

       … while calling 'installSecret' at /nix/store/f9v159hskz3yid10g56rnm8wwnjgw1mb-source/modules/age.nix:64:19:
           63|
           64| installSecret = secretType: ''
             | ^
           65| ${setTruePath secretType}

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:
         1204| mapAttrs
         1205| (name: value:
             | ^
         1206| if isAttrs value && cond value

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:
         1207| then recurse (path ++ [ name ]) value
         1208| else f (path ++ [ name ]) value);
             | ^
         1209| in

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:
          241| # For definitions that have an associated option
          242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             | ^
          243|

       … while evaluating the option `age.secrets.einzig_kainas.file':

       … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:
          823| # Process mkMerge and mkIf properties.
          824| defs' = concatMap (m:
             | ^
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix':

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:
          824| defs' = concatMap (m:
          825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             | ^
          826| ) defs;

       … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:
          895| */
          896| dischargeProperties = def:
             | ^
          897| if def._type or "" == "merge" then

       … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:902:11:
          901| if def.condition then
          902| dischargeProperties def.content
             | ^
          903| else

       … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:
          895| */
          896| dischargeProperties = def:
             | ^
          897| if def._type or "" == "merge" then

       … from call site at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:298:18:
          297| then "${rekeyedSecrets}/${submod.config.name}.age"
          298| else rekeyedLocalSecret config.age.secrets.${submod.config.id}
             | ^
          299| );

       … while calling 'rekeyedLocalSecret' at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:50:24:
           49|
           50| rekeyedLocalSecret = secret: let
             | ^
           51| pubkeyHash = builtins.hashString "sha256" config.age.rekey.hostPubkey;

       … from call site at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:71:12:
           70| '';
           71| assert assertMsg (builtins.pathExists rekeyedPath) ''
             | ^
           72| host ${config.networking.hostName}: Rekeyed secret for age.secrets.${secret.id} not found, please run `agenix rekey -a` again and make sure to add the results to git.

       … while calling 'assertMsg' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/asserts.nix:41:5:
           40| pred:
           41| msg:
             | ^
           42| pred || builtins.throw msg;

       error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
       rekeyed secret path: /nix/store/k1chsnnlr7fhg8w780hymzi5ak7flyxq-Kainas/fd8108dd174e2966ad32808d16767245-einzig_kainas.age
```
oddlama commented 4 months ago

The error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

The rekeyed secret path looks wrong, since it should be a relative path beginning with your flake's root directory in the store. This happens when you call toString on a nix path, which will cause it to be copied into the nix store as a separate entity. This is unfortunately very counter-intuitive.

From what I can see in your config repo, you set the directories like this:

    generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
    localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";

But "${self}/path/to/dir" will copy said path into the nix store as a separate entity as described above. What you should do to avoid this is to use + for path concatenation, to avoid calling toString. Unfortunately there is no way agenix-rekey can prevent this from happening, which is why the error messages are misleading too. Try:

    generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
    localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";

Jappie3 commented 4 months ago

Changed

    generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
    localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";

to

    generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
    localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";

ran agenix rekey -a & tried rebuilding, the path is still wrong & I get the same error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/xsc11zszwbrmmbmf88rhhqqd75sjqkp8-Kainas/17b391e87ad07f273bc16e0cccf91f08-einzig_kainas.age

oddlama commented 4 months ago

You probably need to change all rekeyFile properties too like age.secrets.einzig_kainas.rekeyFile

Jappie3 commented 4 months ago

I made sure to replace all the ${self}s in my secret-related config, removed the entire directory with rekeyed secrets, ran agenix rekey -a & tried rebuilding: still the same error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/9slsy3fgqhklf5i40mbfn6pragaw4v8s-Kainas/2de2e90cdddfd38d144ad0c55363e767-einzig_kainas.age

Could this have something to do with this part of the README about the nixpkgs version? As far as I understood it, that part is mainly relevant for `storageMode = "derivation"`.

    # Expose the necessary information in your flake so agenix-rekey
    # knows where it has to look for secrets and paths.
    #
    # Make sure that the pkgs passed here comes from the same nixpkgs version as
    # the pkgs used on your hosts in `nixosConfigurations`, otherwise the rekeyed
    # derivations will not be found!
    agenix-rekey = agenix-rekey.configure {
      userFlake = self;
      nodes = self.nixosConfigurations;
      # Example for colmena:
      # inherit ((colmena.lib.makeHive self.colmena).introspect (x: x)) nodes;
    };

oddlama commented 4 months ago

Okay so I've cloned your repo now and found that for some reason your hostPubkey isn't loaded properly when initiating the build, but it does load when rekeying.

Changing the definition to force read the key fixes the problem in my local copy of your repo:

    hostPubkey = builtins.readFile (self.outPath + "/hosts/${config.networking.hostName}/secrets/host.pub");

Can you confirm whether this works for you too? I have no idea how this could happen, it basically means that the option is not properly coerced, which - to my knowledge - should not be possible...

The option should automatically call readFile when the argument is a path (nix path or anything starting with "/"), but for some reason your flake is special? I currently have no idea why or how this can happen, since the value that is actually assigned passes the builtins.isPath test. So maybe something is inhibiting type coercion? Just dumping ideas here. I can't spot anything wrong with the option definition.
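The two points raised in this thread, that `"${self}/..."` string interpolation turns a path into a store-path string while `self.outPath + "/..."` (or `path + "/..."`) keeps a path value, and that reading the host key explicitly with `builtins.readFile` sidesteps any reliance on option coercion, can be checked in isolation with a small standalone Nix file. The following is an added example, not code from the agenix-rekey project or from either participant; `root`, `hostName`, `readKey` and `looksLikeRecipient` are names chosen here, and `root` stands in for the flake's `self`. The `hosts/<name>/secrets/host.pub` layout is the one used in the thread.

```nix
# Added example (not from agenix-rekey or the thread): path interpolation vs.
# path concatenation, plus an explicit, validated read of a host public key.
# Assumes it is evaluated from a repo root containing hosts/<name>/secrets/host.pub.
let
  # `root` plays the role of the flake's `self`; `hostName` is a constructed sample value.
  root = ./.;
  hostName = "Kainas";

  # String interpolation coerces the path to a string. For a path that is not
  # already in the nix store this copies the whole directory tree into the
  # (world-readable) store and yields "/nix/store/<hash>-<name>/hosts/...".
  interpolated = "${root}/hosts/${hostName}/secrets/host.pub";

  # Path + string concatenation stays a path value and copies nothing at this point.
  concatenated = root + "/hosts/${hostName}/secrets/host.pub";

  # Read the key file explicitly so nothing depends on the option type coercing
  # a path for us; drop newlines so the value is a single-line key.
  readKey = p: builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile p);

  # Sanity check before using the value as a recipient: an agenix host key is an
  # SSH public key or an age recipient, so anything else means the wrong file
  # (or an empty file) was read.
  looksLikeRecipient = s:
    let
      hasPrefix = pre: str: builtins.substring 0 (builtins.stringLength pre) str == pre;
    in
      hasPrefix "ssh-ed25519 " s || hasPrefix "ssh-rsa " s || hasPrefix "age1" s;
in
{
  # builtins.isString holds for the interpolated form, builtins.isPath for the
  # concatenated one; this is the distinction behind the two spellings above.
  interpolatedIsString = builtins.isString interpolated;
  concatenatedIsPath = builtins.isPath concatenated;

  # What one would assign to age.rekey.hostPubkey: the key contents, only if
  # they pass the recipient check; otherwise evaluation fails loudly here
  # instead of producing a rekeyed-secret path derived from a bogus key.
  hostPubkey =
    let key = readKey concatenated;
    in assert looksLikeRecipient key; key;
}
```

Run it from the repository root with `nix eval -f ./example.nix --json`. The two boolean attributes document the path-versus-string distinction; `hostPubkey` evaluates only when the file exists and starts like an SSH or age recipient, which is a cheap guard to keep in front of any option that hashes or otherwise derives filenames from the key contents.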

Jappie3 commented 4 months ago

First of all, thanks for your help with this problem. hostPubkey not being found is very weird, I literally have a host running on Hetzner atm with 2 agenix-rekey secrets deployed, a leftover from my experiments about 3 weeks ago...

age.rekey.hostPubkey = "${self}/hosts/${config.networking.hostName}/secrets/host.pub";

fails with

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/49xqvk0piw7zgn88b0d2yh0g20kdf8cm-Kainas/447186b602d5c05fd2021fb2a05b6e9a-einzig_kainas.age

changing that to

hostPubkey = builtins.readFile "${self}/hosts/${config.networking.hostName}/secrets/host.pub";

works fine... I don't have much time to look into this today, but if there's anything you want me to try/run, lmk & I'll get to it tomorrow or so