ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

Secret ownership reset to root:root on reboot #205

Closed giorgiga closed 9 months ago

giorgiga commented 9 months ago

I have a secret configured like this:

age.secrets."sendgrid-api-key.txt" = {
  file  = ../../secrets/sendgrid-api-key.txt;
  owner = "alertmanager";
  group = "alertmanager";
};

After nixos-rebuild switch the file in /run/agenix gets the correct owner/group, but when the host is rebooted the owner becomes root:root (it turns back to alertmanager:alertmanager if I run nixos-rebuild switch again, without changing any configuration).

giorgiga commented 9 months ago

I just got this when running nixos-rebuild switch (but it's not a systematic error: repeating the command it worked):

[agenix] creating new generation in /run/agenix.d/3
[agenix] decrypting secrets...
decrypting '/nix/store/hqxg8xcpl9i9bvvs4s6wkark6clr27iv-sendgrid-api-key.txt' to '/run/agenix.d/3/sendgrid-api-key.txt'...
[agenix] symlinking new secrets to /run/agenix (generation 3)...
[agenix] removing old secrets (generation 2)...
[agenix] chowning...
chown: invalid user: ‘alertmanager:alertmanager’
Activation script snippet 'agenixChown' failed (1)

Could it be that it's because I have users.mutableUsers = false;?

giorgiga commented 9 months ago

Files created via config.environment.etc seem to also "forget" their owner on reboot: I guess it's not an agenix issue after all.

cryptix commented 3 months ago

Seeing the same issue but it's not reboot related. I don't really get what @giorgiga did to fix this..?

I'm deploying my system(s) via deploy-rs. I haven't changed users.mutableUsers so it should be true by default.

giorgiga commented 3 months ago

@cryptix In my case it was actually due to the specific systemd service the secret was intended for (prometheus alertmanager) being set up with DynamicUser=yes. With that, the user does not actually exist until the systemd service is started and, specifically, it doesn't exist when agenix decrypts its secrets at boot. If that's the case for you too... there really are no fixes, only workarounds :) see https://github.com/NixOS/nixpkgs/issues/259435
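An added example, not from the thread or from agenix itself, of one workaround for the situation described above: leave the secret root-owned (the agenix default, so the boot-time chown never targets a user that DynamicUser has not created yet) and let systemd hand the file to the service as a credential, which it reads as root and exposes to the transient user under $CREDENTIALS_DIRECTORY. It assumes the secret name from the thread and a systemd unit called alertmanager; adapt both to your module.

```nix
{ config, ... }:
{
  # Added example, not the thread's own configuration.
  # No owner/group set: the file stays root:root, mode 0400, so the
  # agenixChown activation snippet has nothing to do at boot.
  age.secrets."sendgrid-api-key.txt".file = ../../secrets/sendgrid-api-key.txt;

  # systemd loads the file as root before dropping to the DynamicUser and
  # places a copy at $CREDENTIALS_DIRECTORY/sendgrid-api-key, readable only
  # by the transient user it created for this unit.
  systemd.services.alertmanager.serviceConfig.LoadCredential = [
    "sendgrid-api-key:${config.age.secrets."sendgrid-api-key.txt".path}"
  ];
}
```

The service then reads the key from "$CREDENTIALS_DIRECTORY/sendgrid-api-key" instead of /run/agenix, and no static user has to be declared for a unit that nixpkgs configures with DynamicUser=yes.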