oddlama/agenix-rekey

error: Rekeyed secret for age.secrets.<name> not found, please run `agenix rekey -a` again and make sure to add the results to git.


I started using agenix-rekey a few weeks ago, but got busy & only got back to further integrating it yesterday. Now I'm trying to deploy a wireguard secret to my main laptop using age.secrets.einzig_kainas.rekeyFile = "${self}/secrets/wg-cluster/psks/einzig_kainas.age";

After supplying host keys, running agenix generate (I provided a generator script using wg genpsk, took a page out of your config ;) ) & agenix rekey -a, I have the following secrets in my rekey dir:

    l secrets/_rekeyed/Kainas/
    total 8.0K
    drwxr-xr-x 1 jasper users 186 Jun 15 15:30 .
    drwxr-xr-x 1 jasper users  46 Jun 15 13:20 ..
    -rw-r--r-- 1 jasper users 314 Jun 15 15:30 21f433d6e444eb220f75e18df2a2b926-kainas.age
    -rw-r--r-- 1 jasper users 390 Jun 15 15:30 7f41d92750f74ef6ee5a38782517174b-einzig_kainas.age

The error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

After rekeying again & adding everything to git:

    l secrets/_rekeyed/Kainas/
    total 8.0K
    drwxr-xr-x 1 jasper users 186 Jun 15 19:46 .
    drwxr-xr-x 1 jasper users  46 Jun 15 13:20 ..
    -rw-r--r-- 1 jasper users 351 Jun 15 19:46 7e4b20fb343fea9d2020fd70a5268edd-kainas.age
    -rw-r--r-- 1 jasper users 353 Jun 15 19:46 b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

The einzig_kainas file is exactly the one from the error I got before...

The new error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/9a755e82cca785ab054bbbd1f4f67518-einzig_kainas.age

If I rekey again, that file (9a755e82cca785ab054bbbd1f4f67518-einzig_kainas.age) shows up. Any clues as to what's going wrong? Rekeying & generating secrets works fine, which makes me think that I configured everything correctly...

Here is a trace of the error:

error:
       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1571:24:

         1570|     let f = attrPath:
         1571|       zipAttrsWith (n: values:
             |                        ^
         1572|         let here = attrPath ++ [n]; in

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `system.build.toplevel':

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix':

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:71:12:

           70|   # Replace runtime dependencies
           71|   system = foldr ({ oldDependency, newDependency }: drv:
             |            ^
           72|       pkgs.replaceDependency { inherit oldDependency newDependency drv; }

       … while calling 'foldr'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20:

          120|   */
          121|   foldr = op: nul: list:
             |                    ^
          122|     let

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8:

          127|         else op (elemAt list n) (fold' (n + 1));
          128|     in fold' 0;
             |        ^
          129|

       … while calling 'fold''

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:68:10:

           67|     then throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"
           68|     else showWarnings config.warnings baseSystem;
             |          ^
           69|

       … while calling 'showWarnings'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:28:

          926|
          927|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                            ^
          928|

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:33:

          926|
          927|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                                 ^
          928|

       … while calling 'foldr'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:121:20:

          120|   */
          121|   foldr = op: nul: list:
             |                    ^
          122|     let

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:128:8:

          127|         else op (elemAt list n) (fold' (n + 1));
          128|     in fold' 0;
             |        ^
          129|

       … while calling 'fold''

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14:

          126|         then nul
          127|         else op (elemAt list n) (fold' (n + 1));
             |              ^
          128|     in fold' 0;

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47:

          926|
          927|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                                               ^
          928|

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34:

          126|         then nul
          127|         else op (elemAt list n) (fold' (n + 1));
             |                                  ^
          128|     in fold' 0;

       … while calling 'fold''

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:14:

          126|         then nul
          127|         else op (elemAt list n) (fold' (n + 1));
             |              ^
          128|     in fold' 0;

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:927:47:

          926|
          927|   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;
             |                                               ^
          928|

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:127:34:

          126|         then nul
          127|         else op (elemAt list n) (fold' (n + 1));
             |                                  ^
          128|     in fold' 0;

       … while calling 'fold''

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/lists.nix:124:15:

          123|       len = length list;
          124|       fold' = n:
             |               ^
          125|         if n == len

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/top-level.nix:48:16:

           47|   # makes it bootable. See `activatable-system.nix`.
           48|   baseSystem = pkgs.stdenvNoCC.mkDerivation ({
             |                ^
           49|     name = "nixos-system-${config.system.name}-${config.system.nixos.label}";

       … while calling 'mkDerivation'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/pkgs/stdenv/generic/make-derivation.nix:46:5:

           45|   mkDerivation =
           46|     fnOrAttrs:
             |     ^
           47|       if builtins.isFunction fnOrAttrs

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `system.systemBuilderArgs':

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:846:59:

          845|       if isDefined then
          846|         if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
             |                                                           ^
          847|         else let allInvalid = filter (def: ! type.check def.value) defsFinal;

       … while calling 'merge'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:583:20:

          582|       check = isAttrs;
          583|       merge = loc: defs:
             |                    ^
          584|         mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:35:

          583|       merge = loc: defs:
          584|         mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             |                                   ^
          585|             (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling 'filterAttrs'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:646:5:

          645|     pred:
          646|     set:
             |     ^
          647|     listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:29:

          646|     set:
          647|     listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
             |                             ^
          648|

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:647:62:

          646|     set:
          647|     listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
             |                                                              ^
          648|

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:51:

          583|       merge = loc: defs:
          584|         mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             |                                                   ^
          585|             (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/types.nix:584:86:

          583|       merge = loc: defs:
          584|         mapAttrs (n: v: v.value) (filterAttrs (n: v: v ? value) (zipAttrsWith (name: defs:
             |                                                                                      ^
          585|             (mergeDefinitions (loc ++ [name]) elemType defs).optionalValue

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activatable-system.nix':

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:133:18:

          132|       apply = set: set // {
          133|         script = systemActivationScript set false;
             |                  ^
          134|       };

       … while calling 'systemActivationScript'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:20:33:

           19|
           20|   systemActivationScript = set: onlyDry: let
             |                                 ^
           21|     set' = mapAttrs (_: v: if isString v then (noDepEntry v) // { supportsDryActivation = false; } else v) set;

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/nixos/modules/system/activation/activation-script.nix:49:9:

           48|
           49|       ${textClosureMap id (withDrySnippets) (attrNames withDrySnippets)}
             |         ^
           50|

       … while calling 'textClosureMap'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/strings-with-deps.nix:75:35:

           74|
           75|   textClosureMap = f: predefined: names:
             |                                   ^
           76|     concatStringsSep "\n" (map f (textClosureList predefined names));

       … while calling 'id'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/trivial.nix:36:8:

           35|   */
           36|   id = x: x;
             |        ^
           37|

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `system.activationScripts.agenixInstall.text':

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix':

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … while calling 'installSecret'

         at /nix/store/f9v159hskz3yid10g56rnm8wwnjgw1mb-source/modules/age.nix:64:19:

           63|
           64|   installSecret = secretType: ''
             |                   ^
           65|     ${setTruePath secretType}

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1205:18:

         1204|         mapAttrs
         1205|           (name: value:
             |                  ^
         1206|             if isAttrs value && cond value

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/attrsets.nix:1208:18:

         1207|             then recurse (path ++ [ name ]) value
         1208|             else f (path ++ [ name ]) value);
             |                  ^
         1209|     in

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:242:72:

          241|           # For definitions that have an associated option
          242|           declaredConfig = mapAttrsRecursiveCond (v: ! isOption v) (_: v: v.value) options;
             |                                                                        ^
          243|

       … while evaluating the option `age.secrets.einzig_kainas.file':

       … while calling anonymous lambda

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:824:28:

          823|         # Process mkMerge and mkIf properties.
          824|         defs' = concatMap (m:
             |                            ^
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))

       … while evaluating definitions from `/nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/flake.nix':

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:825:137:

          824|         defs' = concatMap (m:
          825|           map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
             |                                                                                                                                         ^
          826|         ) defs;

       … while calling 'dischargeProperties'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … from call site

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:902:11:

          901|         if def.condition then
          902|           dischargeProperties def.content
             |           ^
          903|         else

       … while calling 'dischargeProperties'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/modules.nix:896:25:

          895|   */
          896|   dischargeProperties = def:
             |                         ^
          897|     if def._type or "" == "merge" then

       … from call site

         at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:298:18:

          297|             then "${rekeyedSecrets}/${submod.config.name}.age"
          298|             else rekeyedLocalSecret config.age.secrets.${submod.config.id}
             |                  ^
          299|           );

       … while calling 'rekeyedLocalSecret'

         at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:50:24:

           49|
           50|   rekeyedLocalSecret = secret: let
             |                        ^
           51|     pubkeyHash = builtins.hashString "sha256" config.age.rekey.hostPubkey;

       … from call site

         at /nix/store/3qp24xra2mrh3a78pl4r8wpcqvaayl0n-source/modules/agenix-rekey.nix:71:12:

           70|     '';
           71|     assert assertMsg (builtins.pathExists rekeyedPath) ''
             |            ^
           72|       host ${config.networking.hostName}: Rekeyed secret for age.secrets.${secret.id} not found, please run `agenix rekey -a` again and make sure to add the results to git.

       … while calling 'assertMsg'

         at /nix/store/qqwr649pc0qprc9lw2fmdsi1km6p7q2h-source/lib/asserts.nix:41:5:

           40|     pred:
           41|     msg:
             |     ^
           42|     pred || builtins.throw msg;

       error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
         rekeyed secret path: /nix/store/k1chsnnlr7fhg8w780hymzi5ak7flyxq-Kainas/fd8108dd174e2966ad32808d16767245-einzig_kainas.age

The error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/dpakzi6xjk8g18xwl1z4c97fks6yfmy4-Kainas/b4a9f4d18110bd7259d4b754e2406377-einzig_kainas.age

The rekeyed secret path looks wrong, since it should be a relative path beginning with your flake's root directory in the store. This happens when you call toString on a nix path, which will cause it to be copied into the nix store as a separate entity. This is unfortunately very counter-intuitive.

From what I can see in your config repo, you set the directories like this:

    generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
    localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";

But "${self}/path/to/dir" will copy said path into the nix store as a separate entity as described above. What you should do to avoid this is to use + for path concatenation, to avoid calling toString. Unfortunately there is no way agenix-rekey can prevent this from happening, which is why the error messages are misleading too. Try:

    generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
    localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";
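To make the difference between the two spellings concrete, here is an added example (not from the issue or the agenix-rekey project) that evaluates the three common ways of building a file path in Nix from a path value. It assumes a directory `./secrets` next to the file; `psk.age` is a placeholder name and need not exist, since nothing is read.

```nix
# Added example: path-vs-string behaviour in Nix.
# Evaluate with:  nix eval --file ./path-forms.nix
# (or: nix-instantiate --eval --strict ./path-forms.nix)
let
  dir = ./secrets;  # a Nix *path* value (assumes ./secrets exists)
in {
  # Interpolating a path into a string coerces it to a string. That coercion
  # copies ./secrets into the store and yields "/nix/store/<hash>-secrets/psk.age",
  # a store path that is unrelated to the directory in your checkout.
  interpolated = "${dir}/psk.age";

  # path + string stays a *path*: ./secrets/psk.age inside the source tree,
  # with no store copy. This is the concatenation form recommended above.
  concatenated = dir + "/psk.age";

  # toString gives the absolute source location as a plain string, also
  # without copying anything into the store.
  stringified = toString dir + "/psk.age";

  # The value types make the distinction visible.
  types = {
    interpolated = builtins.typeOf "${dir}/psk.age";            # "string"
    concatenated = builtins.typeOf (dir + "/psk.age");          # "path"
    stringified  = builtins.typeOf (toString dir + "/psk.age"); # "string"
  };
}
```

Whenever an error message shows a store path whose last component is your own directory name (as with `…-Kainas/` above) rather than the flake's `…-source/` checkout, the path was coerced to a string somewhere along the way; the `+` form keeps it attached to the checkout, so a file that is added to git is found at the path agenix-rekey checks. In a flake, `self.outPath + "/…"` is the equivalent of the `concatenated` form for the flake root.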

Changed

    generatedSecretsDir = "${self}/secrets/_generated/${config.networking.hostName}";
    localStorageDir = "${self}/secrets/_rekeyed/${config.networking.hostName}";

to

    generatedSecretsDir = self.outPath + "/secrets/_generated/${config.networking.hostName}";
    localStorageDir = self.outPath + "/secrets/_rekeyed/${config.networking.hostName}";

ran agenix rekey -a & tried rebuilding, the path is still wrong & I get the same error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/xsc11zszwbrmmbmf88rhhqqd75sjqkp8-Kainas/17b391e87ad07f273bc16e0cccf91f08-einzig_kainas.age

You probably need to change all rekeyFile properties too like age.secrets.einzig_kainas.rekeyFile

I made sure to replace all the ${self}s in my secret-related config, removed the entire directory with rekeyed secrets, ran agenix rekey -a & tried rebuilding: still the same error:

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/9slsy3fgqhklf5i40mbfn6pragaw4v8s-Kainas/2de2e90cdddfd38d144ad0c55363e767-einzig_kainas.age

Could this have something to do with this part of the README about the nixpkgs version? As far as I understood it, that part is mainly relevant for storageMode = "derivation":

    # Expose the necessary information in your flake so agenix-rekey
    # knows where it has to look for secrets and paths.
    #
    # Make sure that the pkgs passed here comes from the same nixpkgs version as
    # the pkgs used on your hosts in `nixosConfigurations`, otherwise the rekeyed
    # derivations will not be found!
    agenix-rekey = agenix-rekey.configure {
      userFlake = self;
      nodes = self.nixosConfigurations;
      # Example for colmena:
      # inherit ((colmena.lib.makeHive self.colmena).introspect (x: x)) nodes;
    };

Okay so I've cloned your repo now and found that for some reason your hostPubkey isn't loaded properly when initiating the build, but it does load when rekeying.

Changing the definition to force read the key fixes the problem in my local copy of your repo:

    hostPubkey = builtins.readFile (self.outPath + "/hosts/${config.networking.hostName}/secrets/host.pub");

Can you confirm whether this works for you too? I have no idea how this could happen, it basically means that the option is not properly coerced, which - to my knowledge - should not be possible...

The option should automatically call readFile when the argument is a path (nix path or anything starting with "/"), but for some reason your flake is special? I currently have no idea why or how this can happen, since the value that is actually assigned passes the builtins.isPath test. So maybe something is inhibiting type coercion? Just dumping ideas here. I can't spot anything wrong with the option definition.

First of all, thanks for your help with this problem. hostPubkey not being found is very weird, I literally have a host running on Hetzner atm with 2 agenix-rekey secrets deployed, a leftover from my experiments about 3 weeks ago...

    age.rekey.hostPubkey = "${self}/hosts/${config.networking.hostName}/secrets/host.pub";

fails with

error: host Kainas: Rekeyed secret for age.secrets.einzig_kainas not found, please run `agenix rekey -a` again and make sure to add the results to git.
rekeyed secret path: /nix/store/49xqvk0piw7zgn88b0d2yh0g20kdf8cm-Kainas/447186b602d5c05fd2021fb2a05b6e9a-einzig_kainas.age

changing that to

    hostPubkey = builtins.readFile "${self}/hosts/${config.networking.hostName}/secrets/host.pub";

works fine... I don't have much time to look into this today, but if there's anything you want me to try/run, lmk and I'll get to it tomorrow or so.