oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

CI: No rekeyed secrets were found, please run `nix run .#rekey` again. #5

Closed bbigras closed 1 year ago

bbigras commented 1 year ago

I'm able to use agenix-rekey locally, but when I try to build my config on GitHub Actions, I get "No rekeyed secrets were found".

Do I need to run `nix run .#rekey` on the CI? If so, is there a non-interactive version?

oddlama commented 1 year ago

That's to be expected since the rekeyed secrets are only stored in local derivations (one for each host). Technically nothing about `nix run .#rekey` is inherently interactive, but rage usually prompts for the password. If there's a plausible use case for non-interactive use we can of course easily add that.

> Do I need to run `nix run .#rekey` on the CI? If so, is there a non-interactive version?

That would be one possibility, but be aware that this requires your master key to be accessible in the CI. I haven't thought a lot about CI use yet, but an alternative would be to make your rekeyed derivations accessible to the CI via a substituter (cachix, or host your own), where you push the resulting derivations to after running `.#rekey` locally.

If you can tell me more about your use case, maybe we can find a good solution that makes this easy to use.

bbigras commented 1 year ago

My use case with CI is basically to only build what is not already built and cached using nix-build-uncached.

I never deploy from CI, so I don't need to handle secrets there. For secret config, I actually use a private git submodule (which is not fetched in CI), and include the nix files if they exist. https://github.com/bbigras/nix-config/blob/4f8685cf92c0ee908f99bcc1e629586946223089/hosts/desktop/default.nix#L51-L52

Maybe it could be nice if the build in CI would just generate dummy secrets (since my master key is absent) and I would push the real secret from my desktop later.

> an alternative would be to make your rekeyed derivations accessible to the CI via a substituter (cachix, or host your own), where you push the resulting derivations to after running `.#rekey` locally.

That seems to work. I tested it last night.

oddlama commented 1 year ago

> Maybe it could be nice if the build in CI would just generate dummy secrets (since my master key is absent) and I would push the real secret from my desktop later.

Yeah that's a good idea, I've now implemented a `--dummy` flag to do that. Let me know in case there's anything else that turns out to be an issue in CI :)

bbigras commented 1 year ago

It works! Thank you very much.

bbigras commented 1 year ago

Could `--dummy` cause problems if the result is pushed to a cache?

I'm having dummy secrets on my desktop and I only ran `--dummy` on GitHub Actions.

In other words, if I use `--dummy` in CI and it's pushed to cachix, will agenix-rekey ask me to run rekey again on my desktop when I actually want to deploy?

I ran rekey on my desktop and it didn't seem to change anything.

oddlama commented 1 year ago

Yes, you should exclude this from being pulled from the cache, or from putting it there - whatever makes more sense. Since the rekeying inherently depends on having predictable output derivations, it will always look the same to nix, whether the contents are dummy values or the real values. So naturally your substituter would try to substitute the known result, which is not what you want for secrets.

I'm not sure whether there's a flag that I could set on the derivation to exclude it by default.
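The hazard described above is generic to Nix: an output path is computed from the derivation's inputs, so a dummy build and a real build of the same rekeyed-secrets derivation land on the same store path, and a binary cache that has seen the dummy output will happily substitute it later. The following is an added illustration, not agenix-rekey's own code, of the plain Nix derivation attribute that keeps such an output out of the substitution path; the derivation name, contents and the `example-host` label are constructed, and whether agenix-rekey exposes this attribute on its rekeyed derivations is not stated anywhere in this thread.

```nix
# Added example (not agenix-rekey code): a stand-in for a per-host
# "rekeyed secrets" derivation that must always be produced locally.
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed stand-in. Its store path depends only on its inputs, so a
  # dummy build in CI and a real rekey on the desktop produce the same path
  # and are indistinguishable to Nix and to any substituter.
  rekeyedSecrets = pkgs.runCommand "rekeyed-secrets-example-host"
    {
      # Standard Nix derivation attribute: never ask a substituter for this
      # output, always build it on the evaluating machine.
      allowSubstitutes = false;
      # Standard attribute: prefer building here over a remote builder, so
      # the (real) secret material does not travel to a build farm.
      preferLocalBuild = true;
    } ''
      mkdir -p "$out"
      # Placeholder content; a real setup would place rekeyed .age files here.
      echo "constructed-placeholder" > "$out/example.age"
    '';
in
rekeyedSecrets
```

Build it with `nix-build example.nix`; with `allowSubstitutes = false` Nix builds the derivation locally even when a configured cache already advertises that path. Note that this only protects the pull side: a CI job that uploads everything it built will still push the dummy output into the cache, so the push step has to filter the rekeyed paths out as well.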