Setting `symlink = false;` for a secret with default `path` breaks all secrets
tmarkov commented
So, I set up a secret like:
```nix
age.secrets.secret = {
  file = ./secrets/secret.age;
  symlink = false;
};
```
Now, this is a misconfiguration in the sense that it makes no sense to set this, as secrets in the default path - `/run/agenix/secret` - are not symlinks anyway. But this wasn't clear to me from the docs of the `symlink` option, so I ended up setting it.
However, this actually prevents agenix from setting up the other secrets:
```
Oct 02 01:31:10 server stage-2-init: [agenix] creating new generation in /run/agenix.d/1
Oct 02 01:31:10 server stage-2-init: [agenix] decrypting secrets...
Oct 02 01:31:10 server stage-2-init: decrypting '/nix/store/hash-secret.age' to '/run/agenix/secret'...
Oct 02 01:31:10 server stage-2-init: decrypting '/nix/store/hash-other-secret.age' to '/run/agenix.d/0/other-secret'...
Oct 02 01:31:10 server stage-2-init: [agenix] symlinking new secrets to /run/agenix (generation 1)...
Oct 02 01:31:10 server stage-2-init: ln: /run/agenix: cannot overwrite directory
Oct 02 01:31:10 server stage-2-init: Activation script snippet 'agenixInstall' failed (1)
```
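
The failure in the log above, reproduced in a throwaway directory as an added example (not part of the original issue and not agenix's own code): once one secret is decrypted in place, `/run/agenix` exists as a real directory and the generation switch can no longer replace it, so no secret is installed. It assumes the activation script switches generations with `ln -sfT`; the function name `repro` and the temp-directory layout are constructed for illustration.

```shell
#!/bin/sh
# Constructed reproduction; nothing under /run is touched.
# Assumption: generations are switched with `ln -sfT <generation> <secretsDir>`.
repro() {
  root=$(mktemp -d) || return 2
  secrets_dir="$root/agenix"      # stands in for /run/agenix
  mount_point="$root/agenix.d"    # stands in for /run/agenix.d
  gen="$mount_point/1"
  mkdir -p "$gen"

  if [ "$1" = "no-symlink" ]; then
    # symlink = false with the default path: the plaintext is written
    # straight to <secretsDir>/secret, so <secretsDir> becomes a real
    # directory before the generation symlink is created.
    mkdir -p "$secrets_dir"
    echo placeholder > "$secrets_dir/secret"
  else
    # Default behaviour: the secret lands inside the new generation.
    echo placeholder > "$gen/secret"
  fi
  echo placeholder > "$gen/other-secret"

  # Generation switch. -T refuses to treat an existing directory as a
  # link container, so a real directory at the target is a hard error
  # and every secret in this generation stays unreachable.
  ln -sfT "$gen" "$secrets_dir" 2>/dev/null
  rc=$?

  rm -rf "$root"
  return $rc
}

repro default    && echo "default: generation symlink created"
repro no-symlink || echo "symlink=false at default path: ln failed, no secrets installed"
```
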