Hi! First wanna say thanks for happy years using agenix ^^

I just upgraded a NixOS host to 22.11 and in so doing updated the agenix flake input from rev. 7e5e58 (committed May 16). The result is unexpected: secrets are properly decrypted to the secrets mount point (i.e., to /run/agenix.d/<agenix generation>/<name>), but they are not properly symlinked to the secrets directory (/run/agenix) or to a custom path when specified. Instead, only a single symlink to the generation directory containing all the decrypted secrets (/run/agenix.d/<agenix generation>) is created in the secrets directory.

For example, with the following configuration (unchanged for several NixOS releases):

age.secrets."passwordFile".file = ./. + "/../../secrets/passwordFile.age";

users.users.me = {
  isNormalUser = true;
  passwordFile = config.age.secrets.passwordFile.path;
};

a rebuild generates the following output:

[agenix] creating new generation in /run/agenix.d/1
[agenix] decrypting secrets...
decrypting '/nix/store/<hash redacted>-passwordFile.age' to '/run/agenix.d/1/passwordFile'...
[agenix] symlinking new secrets to /run/agenix (generation 1)...
warning: password file ‘/run/agenix/passwordFile’ does not exist
[agenix] chowning...

and a listing of the resulting secrets directory is as follows:

$ ll /run/agenix
lrwxrwxrwx root root  1 -> /run/agenix.d/1

Since I haven't updated this host in a while, maybe there's a setting I missed? Thanks!

ryantm: thanks for your reply!

• I have one activation script in the configuration that ensures some directories exist, but nothing related to secrets.

• /run/agenix.d/1 contains the decrypted secrets. E.g.:

  drwxr-x--x root keys .
  drwxr-x--x root keys ..
  -r-------- root root passwordFile
  

• I'm using the default value of config.age.secretsDir.

I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows:

age.secrets."userSecret" = {
  file = ./. + "/../../secrets/userSecret.age";
  path = "${config.age.secretsDir}/.user-secrets/userSecret";
  mode = "0600";
  owner = "1000";
  group = "100";
};

Here is the home-manager configuration for symlinking the agenix-decrypted secret:

# Paths are relative to user's home directory
home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];

Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of /run/agenix not as a directory but as a symlink itself to /run/agenix/<agenix generation>. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of ${age.secretsDir}, everything now seems to work as expected.

In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?

I think I found the cause. This host is also using Impermanence with an ephemeral root, and there is one secret that was being decrypted by agenix and symlinked to a user-owned directory by Impermanence in the user's home-manager service. The configuration for that secret was as follows:

age.secrets."userSecret" = {
  file = ./. + "/../../secrets/userSecret.age";
  path = "${config.age.secretsDir}/.user-secrets/userSecret";
  mode = "0600";
  owner = "1000";
  group = "100";
};

Here is the home-manager configuration for symlinking the agenix-decrypted secret:

# Paths are relative to user's home directory
home.persistence."${nixosConfig.age.secretsDir}".files = [ ".user-secrets/userSecret" ];

Removing these blocks from the configuration and rebuilding (and rebooting) resulted in the creation of /run/agenix not as a directory but as a symlink itself to /run/agenix/<agenix generation>. This behavior in agenix is new to me and clearly incompatible with the above configuration. By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.

In lieu of an agenix home-manager module, is there a best (or better) practice for linking decrypted secrets into user-owned directories?

By selecting a custom path for the user secret outside of age.secretsDir, everything now seems to work as expected.

...except that now the secret with the custom path exists both in /run/agenix (because it's just a symlink to /run/agenix.d/1) as well as at the custom path. It isn't a problem but potentially misleading.

hi, i can't seem to provision keys to a new system. getting this while switching to a new generation:

cp: cannot stat '/run/agenix/ssh_lb1_initrd_ed25519': No such file or directory
failed to create initrd secrets: No such file or directory

/run/agenix is empty as the generation hasn't been switched to, but it's needed to create the initrd secrets (if i understand correctly). is this a known issue? can't find it being discussed in the issues of the repo

sudo mkdir -p /run/agenix && sudo touch /run/agenix/ssh_lb1_initrd_ed25519 && switch_generation
# /run/agenix/1 and /run/agenix.d/1/ssh_lb1_initrd_ed25519 gets created
# but /run/agenix/ssh_lb1_initrd_ed25519 is still my empty file and i get the same error if switching generation after deleting it

note that i have no idea what i'm doing at this point 🙃