Failure to Write Decrypted Secret to nix-store
Opened this issue · 0 comments
I have a Nix flake with a configuration.nix using agenix.
The repo is set up like so:
flake.nix
configuration.nix
secrets/nix-code.age
secrets/secrets.nix
In the git repo at the path: ./secrets/nix-code.age
is encrypted nix code that I don't want visible in git.
I am trying to decrypt and place it in the derivation output path, so that I can purely import the code in my configuration.nix. Essentially, I want to decrypt the nix-code to a relative path,
thus allowing the system to import it without needing to have the same file structure on my disk; just cloning the repo should be enough.
Here is what I have so far.
age.secrets = {
  nix-code = {
    file = ./secrets/nix-code.age; # encrypted nix-code (must be nix path type)
    owner = "watashi";
    path = "${inputs.self}/nix-code.nix"; # agenix can't write to nix-store because of permissions?
    mode = "600";
  };
};
The importing section:
imports =
  [
    ./secrets/nix-code # run code from agenix that is encrypted
  ];
When I run
nixos-rebuild switch --flake . --use-remote-sudo
I get the following error (note: I took out the non-agenix related info):
activating the configuration...
[agenix] creating new generation in /run/agenix.d/28
[agenix] decrypting secrets...
decrypting '/nix/store/y2igxk1simbj34xz68aw41hi1yz4650j-nix-code.age' to '/run/agenix.d/28/nix-code'...
ln: failed to create symbolic link '/nix/store/qzp4vzqisqz1jk8y6s37r7yig76cfcla-source/nix-code': Read-only file system
[agenix] symlinking new secrets to /run/agenix (generation 28)...
[agenix] removing old secrets (generation 27)...
Activation script snippet 'agenixInstall' failed (1)
[agenix] chowning...
I tried experimenting, and I see that decryption succeeds with other paths. It seems to succeed here too, but it won't let me write the decrypted file to the store. Is there any way to fix this?
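Added example, not part of the issue above and not agenix's own code: the activation log shows that agenix decrypts during the `agenixInstall` activation snippet, which runs after the configuration has already been evaluated, while `import` of a `.nix` file happens at evaluation time. The decrypted output therefore cannot feed an `import`, and a `path` under `/nix/store` (which is what `${inputs.self}/...` resolves to) fails because the store is read-only; even a writable store would expose the plaintext to every user on the machine, since store paths are world-readable. The configuration below keeps the secret on agenix's default runtime path and hands it to a hypothetical systemd unit (`use-nix-code`, an assumed name) that reads it when it starts. The option names `age.secrets.<name>.{file,owner,mode,path}` are agenix's; the username `watashi` and the secret name are taken from the issue.

```nix
# Added example: consume an agenix secret at runtime instead of at evaluation time.
{ config, pkgs, ... }:
{
  age.secrets.nix-code = {
    file = ./secrets/nix-code.age; # still the encrypted file from the repo
    owner = "watashi";
    mode = "0400";
    # No explicit `path`: agenix decrypts to /run/agenix/nix-code, which lives
    # under /run (tmpfs) and is writable at activation time, unlike /nix/store.
  };

  # Hypothetical unit: it only reads the secret when the service starts, i.e.
  # after agenix has decrypted it, and never copies it into the store.
  systemd.services.use-nix-code = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "watashi"; # matches the secret's owner, so mode 0400 is enough
      ExecStart = "${pkgs.coreutils}/bin/cat ${config.age.secrets.nix-code.path}";
    };
  };
}
```

A quick check before rebuilding: any `path` value that begins with `/nix/store` will reproduce the `Read-only file system` error from the log, and any data that must be available to `import` during evaluation has to be present in plaintext in the flake tree (and thus in the store), so it cannot be protected by agenix.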