oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

Default cacheDir causing some minor problems when rekeying #9

Closed Freakmiko closed 11 months ago

Freakmiko commented 11 months ago

Something that tripped me up for a bit after updating my flake was the new cacheDir. This new cacheDir is currently defined as default = "/tmp/agenix-rekey.\"$UID\"";.

This creates new directories for each user running rekey (as far as I understand). However, if you don't add the users explicitly to trusted-users and simply follow the readme and add nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey"]; to the configuration, rekeying will always fail.

My suggestion would be to change the default cacheDir to default = "/tmp/agenix-rekey/\"$UID\"";. This would create the uid-directories under the agenix-rekey cacheDir and make setting the extra-sandbox-paths easier.

oddlama commented 11 months ago

Thanks for bringing this up, that's a very good point. The issue is that the parent directory needs to have the sticky bit set (chmod 1777) so that only the owner of a directory may delete it. That is the case for /tmp but not for /tmp/agenix-rekey, which would be created by the first user running rekey. Missing the sticky bit would then compromise integrity for other users running rekey, since that first user might just replace rekeyed secrets by simply deleting the uid folder for another user and replacing the content with something else.

The only possible solutions I can see are:

The third solution is basically what you are proposing and what I've done in my own config, but it requires creating a directory with 1777. So the downside is that you have to manually do that or write an activation script that does it. Alternatively, if you are using impermanence you can do the following:

age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
environment.persistence."/state".directories = [
  { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
];

I've corrected the example in the readme and linked here for future readers. If you have any other suggestions on making this more accessible let me know!
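The sticky-bit requirement described above can be checked before rekeying. The script below is an added example, not part of agenix-rekey: it verifies that the cache parent is mode 1777 and that the per-UID subdirectory belongs to the caller and is writable by nobody else, then runs that check against a constructed temporary tree. It assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not part of agenix-rekey: sanity-check the cache layout that
# the discussion above relies on. The parent (e.g. /var/tmp/agenix-rekey) must
# be 1777 so only a directory's owner can delete it, and each $UID subdirectory
# must belong to that user and be writable by nobody else. Assumes GNU stat.

# 0 if PARENT is a directory with mode exactly 1777 (sticky + world-writable).
cache_parent_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "1777" ]
}

# 0 if DIR is owned by UID and has no group/other write bit, so another
# user cannot swap the rekeyed secrets cached in it.
uid_dir_ok() {
    dir=$1 uid=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%u' "$dir" 2>/dev/null)" = "$uid" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    case $mode in
        *[0145][0145]) return 0 ;;   # last two octal digits carry no write bit
        *) return 1 ;;
    esac
}

# Combined check for PARENT/UID, the layout age.rekey.cacheDir = "PARENT/$UID" uses.
check_cache_layout() {
    parent=$1 uid=$2
    if ! cache_parent_ok "$parent"; then
        echo "warning: $parent is not mode 1777; other users could replace uid $uid's cache" >&2
        return 1
    fi
    if [ -d "$parent/$uid" ] && ! uid_dir_ok "$parent/$uid" "$uid"; then
        echo "warning: $parent/$uid is not owned solely by uid $uid" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed temporary tree (the real path would be /var/tmp/agenix-rekey).
demo_dir=$(mktemp -d)
mkdir -m 1777 "$demo_dir/good"; mkdir -m 0700 "$demo_dir/good/$(id -u)"
mkdir -m 0777 "$demo_dir/bad"           # no sticky bit: any user could delete siblings
check_cache_layout "$demo_dir/good" "$(id -u)" && echo "good: layout is safe"
check_cache_layout "$demo_dir/bad" "$(id -u)" 2>/dev/null || echo "bad: rejected as expected"
rm -rf "$demo_dir"
```

On a NixOS host the same check can run from an activation script against the directory named in age.rekey.cacheDir, before the first rekey writes anything there.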

Freakmiko commented 11 months ago

Thank you for the answer. I was fully expecting this just to be a stupid mistake of mine somewhere in my config (due to my inexperience with nix and linux as a whole). Something that I've just tried and currently works on my machine™ is the following:

nix.settings.extra-sandbox-paths = [ "/var/tmp/agenix-rekey" ];
age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";

systemd.tmpfiles.rules = [
  "d /var/tmp/agenix-rekey 1777 root root"
];

So that might be another solution depending on the setup :)

plaidfinch commented 4 months ago

@Freakmiko I can confirm that your solution does the trick for me as well! Thank you!