oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License
213 stars 18 forks

`/run/agenix/` not populated on nix-darwin #32

Closed LoganBarnett closed 3 months ago

LoganBarnett commented 4 months ago

There is no /run/agenix directory after performing a nix-darwin switch or equivalent when using both nix-darwin and agenix-rekey. I do see a /run/agenix.d which contains 1 directory, which is empty. I assume this is the first and only generation.

This might be an XY problem so I'll try to give some context here. My ultimate goal is to have some shared secret in which I can configure remote builders in my network. I use a special, generated key pair on the host using remote builders, and the remote builder hosts take the public key and add it to their known_hosts file.

I assume I am experiencing this issue in large part due to nix-darwin being a separate entity from NixOS. To their credit, many of the common configurations I could do on a Linux host are expressed exactly the same in nix-darwin, but I do appreciate that they are entirely different. I expect this might require contribution from a macOS user (such as myself). I've tried poring through the agenix-rekey code for where /run/agenix gets populated, but either I've missed something or there's some implicit operation going on. I was expecting to find some mention of /run/agenix or perhaps an activationScript somewhere, but no joy.

I'm not even sure where nix-darwin support for agenix-rekey should live, but I'm happy to put in the cycles on getting something working. I just need some hints on where to look or some better understanding. Apologies if I've missed some obviously documented / codified thing about this somewhere! Thanks again for your work on agenix-rekey!

oddlama commented 4 months ago

I think you just might be searching in the wrong repository :D

agenix-rekey is just an extension to agenix, and doesn't do anything at system runtime itself. This is all done by the actual agenix implementation, so there you will find activation scripts and anything related to /run/agenix. agenix-rekey only makes sure that your secrets are automatically rekeyed for the hosts that you are using; the rest is done by agenix, so it doesn't even know about /run/agenix.
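
A quick way to tell an activation that never finished (the state reported above: a generation directory exists but is empty and no /run/agenix symlink was made) from a healthy one is to check the runtime tree that agenix's activation script leaves behind. The script below is an added example, not code from agenix or agenix-rekey. It assumes agenix's layout of one directory per generation under `<root>/agenix.d/<N>` with `<root>/agenix` symlinked to the current generation, and it assumes agenix's default secret mode of 0400 (it rejects anything group- or world-readable). The demo at the bottom builds a constructed tree in a temporary directory so it runs offline; pass `/run` on a real host.

```shell
#!/usr/bin/env sh
# Added example (not agenix or agenix-rekey code). Checks the agenix runtime
# tree: <root>/agenix.d/<N> holds generation N, <root>/agenix points at the
# newest generation. Both paths are assumptions based on the issue's report.
set -eu

# check_agenix_runtime ROOT
# Returns 0 when ROOT/agenix is a symlink into ROOT/agenix.d, the target
# exists and contains at least one secret, and no secret is readable by
# group or others. Prints the first problem found and returns 1 otherwise.
check_agenix_runtime() {
  root="$1"
  link="$root/agenix"
  gens="$root/agenix.d"

  [ -d "$gens" ] || { echo "missing $gens: agenix activation never ran"; return 1; }
  [ -L "$link" ] || { echo "missing symlink $link: activation did not finish"; return 1; }

  target=$(readlink "$link")
  case "$target" in
    "$gens"/*) ;;
    *) echo "$link points outside $gens: $target"; return 1 ;;
  esac
  [ -d "$target" ] || { echo "dangling symlink $link -> $target"; return 1; }

  count=0
  for f in "$target"/*; do
    [ -e "$f" ] || continue            # glob matched nothing: directory is empty
    count=$((count + 1))
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "$f is mode $mode: secrets should be 0400 (agenix default)"
      return 1
    fi
  done
  [ "$count" -gt 0 ] || { echo "$target is empty: no secrets declared or decryption failed"; return 1; }
  return 0
}

# Demo on a constructed tree (not a real /run). First the state the issue
# describes: generation 1 exists but is empty and no symlink was created.
demo=$(mktemp -d)
mkdir -p "$demo/agenix.d/1"
if check_agenix_runtime "$demo"; then echo "OK"; else echo "FAIL (expected)"; fi

# The same tree after a successful activation: one 0400 secret and the symlink.
printf 'constructed-secret\n' > "$demo/agenix.d/1/builder-key"   # constructed, not a real key
chmod 0400 "$demo/agenix.d/1/builder-key"
ln -sfn "$demo/agenix.d/1" "$demo/agenix"
check_agenix_runtime "$demo" && echo "OK: $(readlink "$demo/agenix")"
rm -rf "$demo"
```

On a nix-darwin host the fix is in the agenix darwin module configuration, not in agenix-rekey; this check only tells you which half of the activation (generation directory, secrets, symlink) is missing.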

LoganBarnett commented 3 months ago

🤦‍♂️ I somehow was thinking this was standalone from agenix, and forgot the setup involved. Ugh. Once again you've been really helpful and patient! Thank you!! Let's close this, since this isn't agenix-rekey involved.