oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License
213 stars 18 forks

[Documentation] Specify that flake and user's app must follow the same nixpkgs #8

Closed matthew-salerno closed 1 year ago

matthew-salerno commented 1 year ago

I just ran into some unexpected behavior by not specifying inputs.nixpkgs.follows in agenix-rekey and using nixos-23.05 for my packages. When trying to deploy to an aarch64-linux machine from an x86_64-linux machine I ended up with different derivations. The tricky bit was that I was convinced I was just using forceRekeyOnSystem wrong. Turns out all I needed to do was make the app use pkgs-unstable:

apps."x86_64-linux" = agenix-rekey.defineApps self (import nixpkgs-unstable { system = "x86_64-linux"; }) self.nixosConfigurations;

This seems like an easy mistake to make. It should probably be specified in the docs that the flakes input packages need to match the app's input nixpkgs.

oddlama commented 1 year ago

Thanks for pointing this out. If the nixpkgs don't match, the "used" and "saved" rekey derivations may differ, which will of course cause problems. I'll add this to the docs right now.
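A flake.nix sketch of the configuration both comments describe, added here as an example rather than taken from the issue or the project's README: the agenix-rekey input is pinned to the flake's own nixpkgs via `inputs.nixpkgs.follows`, and the same nixpkgs is the one passed to `defineApps`, so the rekey derivation evaluated by the app matches the one the hosts were built with. The `nixos-unstable` branch, the `example` host and the `agenix-rekey.nixosModules.default` module path are assumptions for illustration.

```nix
{
  inputs = {
    # Assumed branch; the point is that every consumer below uses this one input.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    agenix-rekey = {
      url = "github:oddlama/agenix-rekey";
      # Pin the extension to the flake's nixpkgs. Without this line agenix-rekey
      # evaluates against its own locked nixpkgs, and the "used" and "saved"
      # rekey derivations can differ (the mismatch reported in this issue).
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, agenix-rekey, ... }: {
    # Hypothetical aarch64 host built from the same nixpkgs input.
    nixosConfigurations.example = nixpkgs.lib.nixosSystem {
      system = "aarch64-linux";
      modules = [
        agenix-rekey.nixosModules.default   # assumed module attribute name
        ./hosts/example/configuration.nix   # hypothetical host config
      ];
    };

    # The rekey app is run from the x86_64 deploy machine. It must import the
    # *same* nixpkgs input the hosts use; importing a different channel here
    # (e.g. a separate nixpkgs-unstable input) reproduces the original problem.
    apps."x86_64-linux" = agenix-rekey.defineApps self
      (import nixpkgs { system = "x86_64-linux"; })
      self.nixosConfigurations;
  };
}
```

A quick check after editing: `nix flake metadata` shows whether `agenix-rekey/nixpkgs` is listed as following the top-level `nixpkgs` rather than as an independent locked revision.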