ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

agenix: command not found #275

Open papanito opened 1 month ago

papanito commented 1 month ago

I have been using agenix successfully since I set up my machine. Today I wanted to add a new secret, but I get

agenix: command not found

This is my config in my flake.nix

{
  inputs = {
    agenix.url = "github:ryantm/agenix";
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    disko.url = "github:nix-community/disko";
    pentesting = {
      url = "/home/papanito/Workspaces/papanito/nix-pentesting";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, disko, pentesting, ... }@inputs:
    let
      # System types to support.
      supportedSystems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];

      # Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;

      # Nixpkgs instantiated for supported system types.
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; overlays = [ self.overlay ]; });

      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in
    {
    pkgs = forAllSystems (system:
      let pkgs = nixpkgs.legacyPackages.${system};
      in { inherit pkgs; }
    );

    nixosConfigurations = {
      clawfinger = nixpkgs.lib.nixosSystem {
        specialArgs = { inherit inputs; };
        inherit system;
        modules = [
          ./configuration.nix
          ./hosts/clawfinger # Include the results of the hardware scan.
          ./users.nix
          inputs.agenix.nixosModules.default
          inputs.pentesting.nixosModules.default
        ];
      };
...
n8henrie commented 1 month ago

Did you forget to put agenix in your systemPackages? It looks like you added the nix module, but you still have to ask nix to include the binary in your system path (or run it as nix run github:ryantm/agenix -- --help).

papanito commented 1 month ago

Good hint, thanks. I added

environment.systemPackages = [ agenix.packages.${system}.default ];

I ran nix flake update and sudo nixos-rebuild --flake '.#' switch, but I still get the same error.

n8henrie commented 1 month ago

Did the nixos-rebuild succeed, and then you got the error when trying to run e.g. agenix --help? Did I understand that correctly?

papanito commented 1 month ago

Did the nixos-rebuild succeed,

yes

...
activating the configuration...
[agenix] creating new generation in /run/agenix.d/4
[agenix] decrypting secrets...
decrypting '/nix/store/1q8m20ammy8lympxfn67i0xyyhmmg1d6-restic_b2_credentials.age' to '/run/agenix.d/4/restic_b2_credentials'...
decrypting '/nix/store/s5wkwzb1h5lh6qyg6fas1fx0mg2253bv-restic_password.age' to '/run/agenix.d/4/restic_password'...
[agenix] symlinking new secrets to /run/agenix (generation 4)...
[agenix] removing old secrets (generation 3)...
[agenix] chowning...
setting up /etc...
reloading user units for papanito...
restarting sysinit-reactivation.target
the following new units were started: libvirtd.service

and then you got the error when trying to run e.g. agenix --help? Did I understand that correctly?

Yes

n8henrie commented 1 month ago

That's odd. I've historically used the overlay, which has worked to pull agenix into pkgs, but I just switched to your method above and it works fine.

If I comment out agenix.packages.${system}.default, I have no agenix binary. If I uncomment it, the binary appears as expected.
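For reference, here is a minimal flake that wires agenix both ways described in this thread (the module for decryption plus either the flake's package or its overlay for the CLI). This is an added example, not code from the issue or from the agenix repository; the host name example-host and the assumption that the module is listed inline are placeholders.

```nix
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    agenix.url = "github:ryantm/agenix";
    # Pin agenix to the same nixpkgs so the CLI and the system share one toolchain.
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, agenix, ... }@inputs:
    let
      system = "x86_64-linux";
    in
    {
      # "example-host" is a placeholder host name for this example.
      nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = { inherit inputs; };
        modules = [
          # The NixOS module only adds the age.secrets options and the
          # activation step that decrypts secrets into /run/agenix.
          # It does not put the `agenix` binary on PATH.
          agenix.nixosModules.default

          ({ pkgs, ... }: {
            # Option A: reference the CLI package from the flake directly.
            environment.systemPackages = [ agenix.packages.${system}.default ];

            # Option B (pick one, not both): apply the overlay so that
            # pkgs.agenix exists, then list it like any other package.
            # nixpkgs.overlays = [ agenix.overlays.default ];
            # environment.systemPackages = [ pkgs.agenix ];
          })
        ];
      };
    };
}
```

After rebuilding, `ls result/sw/bin/agenix` on the built toplevel (as shown later in the thread) confirms whether the package actually made it into the system closure, independent of the caller's shell PATH.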

n8henrie commented 1 month ago

Can you re-post your full config, including the systemPackages bit?

papanito commented 1 month ago

My full config can be found here: https://github.com/papanito/nixos-configuration

n8henrie commented 1 month ago

Sorry, I'm unable to replicate.

The reference to agenix only appears in your hetzner-cloud configuration. After removing the pentesting input (since I don't have access to this) and commenting out nerdfonts (currently broken), I'm able to build your configuration, and agenix appears as expected and seems to work.

$ nix build .#nixosConfigurations.hetzner-cloud.config.system.build.toplevel
warning: input 'pentesting' has an override for a non-existent input 'nixpkgs'
$ ls result/sw/bin/agenix
result/sw/bin/agenix
$ result/sw/bin/agenix --version
agenix - edit and rekey age secret files

agenix -e FILE [-i PRIVATE_KEY]
agenix -r [-i PRIVATE_KEY]

options:
-h, --help                show help
-e, --edit FILE           edits FILE using $EDITOR
-r, --rekey               re-encrypts all secrets with specified recipients
-d, --decrypt FILE        decrypts FILE to STDOUT
-i, --identity            identity to use when decrypting
-v, --verbose             verbose output

FILE an age-encrypted file

PRIVATE_KEY a path to a private SSH key used to decrypt file

EDITOR environment variable of editor to use when editing FILE

If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"

RULES environment variable with path to Nix file specifying recipient public keys.
Defaults to './secrets.nix'

agenix version: 0.15.0
age binary path: /nix/store/xh816kyaib2qva6mfcrlpx9q96lfn8yi-age-1.1.1/bin/age
age version: 1.1.1