ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

fix: add --strict nix-instantiate to support builtins.readFile #202

Closed WillPower3309 closed 1 year ago

WillPower3309 commented 1 year ago

If a user has a secrets.nix that uses builtins.readFile to set the value of a key, as such:

```nix
let
  system = builtins.readFile ../hosts/server/ssh_host_ed25519_key.pub;
in
{
  "rootPassword.age".publicKeys = [ system ];
}
```

an error occurs:

```
❯ nix-instantiate --eval --json secrets.nix
error:
       … message for the trace

         at /home/will/Projects/nixos-config/secrets/secrets.nix:10:3:

            9| {
           10|   "rootPassword.age".publicKeys = system;
             |   ^
           11| }

       error: cannot convert a thunk to JSON

       at /home/will/Projects/nixos-config/secrets/secrets.nix:10:3:

            9| {
           10|   "rootPassword.age".publicKeys = system;
             |   ^
           11| }
```

Adding `--strict` fixes this.

NobbZ commented 1 year ago

This would probably happen for any kind of "computation" in the bindings, not only for builtins.readFile.