Open Jappie3 opened 4 months ago
The error:
error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git. rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age
The rekeyed secret path looks wrong, since it should be a relative path beginning with your flake's root directory in the store. This happens when you call toString
on a nix path, which will cause it to be copied into the nix store as a separate entity. This is unfortunately very counter-intuitive.
From what I can see in your config repo, you set the directories like this:
generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";
But "${self}/path/to/dir" will copy said path into the nix store as a separate entity as described above. What you should do to avoid this is to use +
for path concatenation, to avoid calling toString. Unfortunately there is no way agenix-rekey can prevent this from happening, which is why the error messages are misleading too. Try:
generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";
changed
generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";
to
generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";
ran agenix rekey -a
& tried rebuilding, the path is still wrong & I get the same error:
error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/xsc11zszwbrmmbmf88rhhqqd75sjqkp8-Kainas/17b391e87ad07f273bc16e0cccf91f08-einzig_kainas.age
You probably need to change all rekeyFile
properties too like age.secrets.einzig_kainas.rekeyFile
I made sure to replace all the ${self}
s in my secret-related config, removed the entire directory with rekeyed secrets, ran agenix rekey -a
& tried rebuilding: still the same error:
error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/9slsy3fgqhklf5i40mbfn6pragaw4v8s-Kainas/2de2e90cdddfd38d144ad0c55363e767-einzig_kainas.age
could this have something to do with this part of the readme about the nixpkgs version? as far as I understood it, that part is mainly relevant for storageMode = "derivation"
# Expose the necessary information in your flake so agenix-rekey
# knows where it has too look for secrets and paths.
#
# Make sure that the pkgs passed here comes from the same nixpkgs version as
# the pkgs used on your hosts in `nixosConfigurations`, otherwise the rekeyed
# derivations will not be found!
agenix-rekey = agenix-rekey.configure {
userFlake = self;
nodes = self.nixosConfigurations;
# Example for colmena:
# inherit ((colmena.lib.makeHive self.colmena).introspect (x: x)) nodes;
};
Okay so I've cloned your repo now and found that for some reason your hostPubkey
isn't loaded properly when initiating the build, but it does load when rekeying.
Changing the definition to force read the key fixes the problem in my local copy of your repo:
hostPubkey = builtins.readFile (self.outPath + "/hosts/${config.networking.hostName}/secrets/host.pub");
Can you confirm whether this works for you too? I have no idea how this could happen, it basically means that the option is not properly coerced, which - to my knowledge - should not be possible...
The option should automatically call readFile
when the argument is a path (nix path or anything starting with "/"), but for some reason your flake is special? I currently have no idea why or how this can happen, since the value that is actually assigned passes the builtins.isPath
test. So maybe something is inhibiting type coercion? Just dumping ideas here. I can't spot anything wrong with the option definition.
first of all, thanks for your help with this problem. hostPubkey
not being found is very weird, I literally have a host running on Hetzner atm with 2 agenix-rekey secrets deployed, a leftover from my experiments about 3 weeks ago...
age.rekey.hostPubkey = "${self}/hosts/${config.networking.hostName}/secrets/host.pub";
fails with
error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/49xqvk0piw7zgn88b0d2yh0g20kdf8cm-Kainas/447186b602d5c05fd2021fb2a05b6e9a-einzig_kainas.age
changing that to
hostPubkey = builtins.readFile "${self}/hosts/${config.networking.hostName}/secrets/host.pub";
works fine... I don't have much time to look into this today, but if there's anything you want me to try/run, lmk & I'll get to it tomorrow or so
I started using agenix-rekey a few weeks ago, but got busy & only got back to further integrating it yesterday. Now I'm trying to deploy a wireguard secret to my main laptop using
age.secrets.einzig_kainas.rekeyFile = "${self}/secrets/wg-cluster/psks/einzig_kainas.age";
After supplying host keys, running
agenix generate
(I provided a generator script usingwg genpsk
, took a page out of your config ;) ) &agenix rekey -a
, I have the following secrets in my rekey dir:The error:
After rekeying again & adding everything to git:
The
einzig_kainas
file is exactly the one from the error I got before...The new error:
If I rekey again, that file (
9a755e82cca785ab054bbbd1f4f67518-einzig_kainas.age
) shows up. Any clues as to what's going wrong? Rekeying & generating secrets works fine, which makes me think that I configured everything correctly...Here is a trace of the error:
trace
``` error: … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1571:24: 1570| let f = attrPath: 1571| zipAttrsWith (n: values: | ^ 1572| let here = attrPath ++ [n]; in … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `system.build.toplevel': … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix': … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:71:12: 70| # Replace runtime dependencies 71| system = foldr ({ oldDependency, newDependency }: drv: | ^ 72| pkgs.replaceDependency { inherit oldDependency newDependency drv; } … while calling 'foldr' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20: 120| */ 121| foldr = op: nul: list: | ^ 122| let … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8: 127| else op (elemAt list n) (fold' (n + 1)); 128| in fold' 0; | ^ 129| … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:68:10: 67| then throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}" 68| else showWarnings config.warnings baseSystem; | ^ 69| … while calling 'showWarnings' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:28: 926| 927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 928| … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:33: 926| 927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 928| … while calling 'foldr' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20: 120| */ 121| foldr = op: nul: list: | ^ 122| let … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8: 127| else op (elemAt list n) (fold' (n + 1)); 128| in fold' 0; | ^ 129| … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14: 126| then nul 127| else op (elemAt list n) (fold' (n + 1)); | ^ 128| in fold' 0; … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47: 926| 927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 928| … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34: 126| then nul 127| else op (elemAt list n) (fold' (n + 1)); | ^ 128| in fold' 0; … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14: 126| then nul 127| else op (elemAt list n) (fold' (n + 1)); | ^ 128| in fold' 0; … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47: 926| 927| showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings; | ^ 928| … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34: 126| then nul 127| else op (elemAt list n) (fold' (n + 1)); | ^ 128| in fold' 0; … while calling 'fold'' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15: 123| len = length list; 124| fold' = n: | ^ 125| if n == len … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:48:16: 47| # makes it bootable. See `activatable-system.nix`. 48| baseSystem = pkgs.stdenvNoCC.mkDerivation ({ | ^ 49| name = "nixos-system-${config.system.name}-${config.system.nixos.label}"; … while calling 'mkDerivation' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/pkgs/stdenv/generic/make-derivation.nix:46:5: 45| mkDerivation = 46| fnOrAttrs: | ^ 47| if builtins.isFunction fnOrAttrs … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `system.systemBuilderArgs': … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:846:59: 845| if isDefined then 846| if all (def: type.check def.value) defsFinal then type.merge loc defsFinal | ^ 847| else let allInvalid = filter (def: ! type.check def.value) defsFinal; … while calling 'merge' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:583:20: 582| check = isAttrs; 583| merge = loc: defs: | ^ 584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs: … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:35: 583| merge = loc: defs: 584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs: | ^ 585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue … while calling 'filterAttrs' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:646:5: 645| pred: 646| set: | ^ 647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set)); … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:29: 646| set: 647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set)); | ^ 648| … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:62: 646| set: 647| listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set)); | ^ 648| … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:51: 583| merge = loc: defs: 584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs: | ^ 585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:86: 583| merge = loc: defs: 584| mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs: | ^ 585| (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activatable-system.nix': … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:133:18: 132| apply = set: set // { 133| script = systemActivationScript set false; | ^ 134| }; … while calling 'systemActivationScript' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:20:33: 19| 20| systemActivationScript = set: onlyDry: let | ^ 21| set' = mapAttrs (_: v: if isString v then (noDepEntry v) // { supportsDryActivation = false; } else v) set; … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:49:9: 48| 49| ${textClosureMap id (withDrySnippets) (attrNames withDrySnippets)} | ^ 50| … while calling 'textClosureMap' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/strings-with-deps.nix:75:35: 74| 75| textClosureMap = f: predefined: names: | ^ 76| concatStringsSep "\n" (map f (textClosureList predefined names)); … while calling 'id' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:36:8: 35| */ 36| id = x: x; | ^ 37| … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `system.activationScripts.agenixInstall.text': … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix': … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … while calling 'installSecret' at /nix/store/f9v159hskz3yid10g56rnm8wwnjgw1mb-source/modules/age.nix:64:19: 63| 64| installSecret = secretType: '' | ^ 65| ${setTruePath secretType} … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18: 1204| mapAttrs 1205| (name: value: | ^ 1206| if isAttrs value && cond value … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18: 1207| then recurse (path ++ [ name ]) value 1208| else f (path ++ [ name ]) value); | ^ 1209| in … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72: 241| # For definitions that have an associated option 242| declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options; | ^ 243| … while evaluating the option `age.secrets.einzig_kainas.file': … while calling anonymous lambda at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28: 823| # Process mkMerge and mkIf properties. 824| defs' = concatMap (m: | ^ 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix': … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137: 824| defs' = concatMap (m: 825| map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value)) | ^ 826| ) defs; … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … from call site at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:902:11: 901| if def.condition then 902| dischargeProperties def.content | ^ 903| else … while calling 'dischargeProperties' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25: 895| */ 896| dischargeProperties = def: | ^ 897| if def._type or "" == "merge" then … from call site at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:298:18: 297| then "${rekeyedSecrets}/${submod.config.name}.age" 298| else rekeyedLocalSecret config.age.secrets.${submod.config.id} | ^ 299| ); … while calling 'rekeyedLocalSecret' at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:50:24: 49| 50| rekeyedLocalSecret = secret: let | ^ 51| pubkeyHash = builtins.hashString "sha256" config.age.rekey.hostPubkey; … from call site at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:71:12: 70| ''; 71| assert assertMsg (builtins.pathExists rekeyedPath) '' | ^ 72| host ${config.networking.hostName}: Rekeyed secret for age.secrets.${secret.id} not found, please run `agenix rekey -a` again and make sure to add the results to git. … while calling 'assertMsg' at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/asserts.nix:41:5: 40| pred: 41| msg: | ^ 42| pred || builtins.throw msg; error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git. rekeyed secret path: /nix/store/k1chsnnlr7fhg8w780hymzi5ak7flyxq-Kainas/fd8108dd174e2966ad32808d16767245-einzig_kainas.age ```