Closed giorgiga closed 9 months ago
I just got this when running nixos-rebuild switch
(but it's not a systematic error: repeating the command it worked):
[agenix] creating new generation in /run/agenix.d/3
[agenix] decrypting secrets...
decrypting '/nix/store/hqxg8xcpl9i9bvvs4s6wkark6clr27iv-sendgrid-api-key.txt' to '/run/agenix.d/3/sendgrid-api-key.txt'...
[agenix] symlinking new secrets to /run/agenix (generation 3)...
[agenix] removing old secrets (generation 2)...
[agenix] chowning...
chown: invalid user: ‘alertmanager:alertmanager’
Activation script snippet 'agenixChown' failed (1)
Could it be that it's because I have users.mutableUsers = false;?
Files created via config.environment.etc seem to also "forget" their owner on reboot: I guess it's not an agenix issue after all.
Seeing the same issue but it's not reboot related. I don't really get what @giorgiga did to fix this..?
I'm deploying my system(s) via deploy-rs. I haven't changed users.mutableUsers, so it should be true by default.
@cryptix In my case it was actually due to the specific systemd service the secret was intended for (prometheus alertmanager) being set up with DynamicUser=yes. With that, the user does not actually exist until the systemd service is started and, specifically, it doesn't exist when agenix decrypts its secrets at boot. If that's the case for you too... there really are no fixes, only workarounds :) see https://github.com/NixOS/nixpkgs/issues/259435
I have a secret configured like this:
After nixos-rebuild switch the file in /run/agenix gets the correct owner/group, but when the host is rebooted the owner becomes root:root (it turns back to alertmanager:alertmanager if I run nixos-rebuild switch again, without changing any configuration).