/run/agenix/...: No such file or directory #13

Closed
ersinakinci opened this issue Feb 16, 2024 · 2 comments
Comments

@ersinakinci

Hi there! Thank you so much for your work on this library, I'm stubbornly wedded to the idea of using it.

Unfortunately, I've been struggling to get it working on my NixOS machine. Here are the issues I've run into:

  1. When running agenix rekey, rage gets stuck on the Please insert YubiKey with serial prompt. If I insert my YubiKey, it doesn't recognize it. Whether I press "y" or "n", doesn't matter, it just repeats the same prompt over and over again. The same problem doesn't happen with age for some reason, so I got around this issue by forking your repo and replacing references to rage with age. Kinda dumb but it works enough to get me to the next error...
  2. When running agenix rekey, for the longest time I kept bashing my head against the At least one rekeyed secret is missing, please run agenix rekey again error. In the end, I noticed that it kept printing a path: rekeyed secret: /tmp/agenix-rekey.1000/.... Hmm, the 1000 looks suspiciously like a user uid. The problem was that I was prefixing with sudo, as in sudo agenix rekey. The error went away when I stopped running the command with elevated privileges (after adding my user to allowed_users in my nix config).

Which leads me to my final problem that I can't get around:

  3. When running agenix rekey, I keep seeing this error: getting status of '/run/agenix/piknikHybridConfig': No such file or directory. piknikHybridConfig is a secret that I've set up in my NixOS modules, which I'm trying to reference within Home Manager using home.file.".config/piknik/piknik.toml".source = osConfig.age.secrets.piknikHybridConfig.path.

The relevant NixOS module looks like:

{
  age.rekey = {
    hostPubkey = "/etc/ssh/ssh_host_ed25519_key.pub";
    masterIdentities = [
      "${my-secrets}/identities/yubikey-primary-agenix-rekey-identity.pub"
      #"${my-secrets}/identities/yubikey-backup-agenix-rekey-identity.pub"
    ];
  };

  age.secrets = {
    piknikHybridConfig.rekeyFile = "${my-secrets}/secrets/piknik.hybrid.toml.age";
  };
}

The full reference to my secret looks like this:

{ pkgs, osConfig, ... }:
{
  home.packages = with pkgs; [
    piknik
  ];

  home.file.".config/piknik/piknik.toml".source = osConfig.age.secrets.piknikHybridConfig.path;

  systemd.user.services.piknik = {
    Unit = {
      Description = "Piknik";
    };
    Service = {
      ExecStart = "${pkgs.piknik}/bin/piknik -server -config $XDG_CONFIG_HOME";
      ExecStop = "pkill piknik";
      Restart = "on-failure";
    };
  };
}

Any ideas what might be going wrong?

@oddlama
Owner

oddlama commented Feb 16, 2024

> 1. When running `agenix rekey`, `rage` gets stuck on the `Please insert YubiKey with serial` prompt. If I insert my YubiKey, it doesn't recognize it.

Unfortunately I have no idea what's going on there. That definitely sounds like a problem related to rage in some way, especially if age works. Do you have the pcsc-lite daemon running? Does it work outside of agenix-rekey? Maybe I can add an option in the future to choose between the two.

> 2. When running `agenix rekey`, for the longest time I kept bashing my head against the `At least one rekeyed secret is missing, please run agenix rekey again` error. In the end, I noticed that it kept printing a path: `rekeyed secret: /tmp/agenix-rekey.1000/...`. Hmm, the `1000` looks suspiciously like a user uid. The problem was that I was prefixing with `sudo`, as in `sudo agenix rekey`. The error went away when I stopped running the command with elevated privileges (after adding my user to `allowed_users` in my nix config).

Yes you should always rekey as yourself, sorry if that wasn't clear. Maybe a future change will remove the need for that. I chose to split the rekeyed secrets by UID to prevent other users from being able to hijack rekeyed secrets between rekey- and build-time.

> Which leads me to my final problem that I can't get around:
>
> 3. When running `agenix rekey`, I keep seeing this error: `getting status of '/run/agenix/piknikHybridConfig': No such file or directory`. `piknikHybridConfig` is a secret that I've set up in my NixOS modules, which I'm trying to reference within Home Manager using `home.file.".config/piknik/piknik.toml".source = osConfig.age.secrets.piknikHybridConfig.path`.

This looks like a general issue with how you are using agenix. home.file.<something>.source requires a path to a file that is available on your current system at build time. But agenix is decrypting files on your computer at activation time. So the path will only be available after you have added age.secrets.<something>, rebuilt your system once and activated it.

So you are trying to use the decrypted result of a secret at build time, which creates a chicken-egg problem. The secret is only created after building and switching, but building is only possible if the file is already in /run/agenix. Usually you would use agenix with options that are called passwordFile or similar, which only access the given path at runtime.

A simple fix for this should be to create a link to the decrypted file instead of referencing it directly:

home.file.".config/piknik/piknik.toml".source = config.lib.file.mkOutOfStoreSymlink osConfig.age.secrets.piknikHybridConfig.path;

@ersinakinci
Author

ersinakinci commented Feb 16, 2024

@oddlama thank you so much for all of your help!

> Unfortunately I have no idea what's going on there. That definitely sounds like a problem related to rage in some way, especially if age works. Do you have the pcsc-lite daemon running? Does it work outside of agenix-rekey? Maybe I can add an option in the future to choose between the two.

pcsc-lite daemon is running and I'm able to interact with age-plugin-yubikey on the command line, pcsc_scan shows my YubiKey just fine. rage doesn't work outside of agenix-rekey, it seems to be a rage problem on my system. No idea why.

Adding an option to switch to age would be much appreciated!

> Yes you should always rekey as yourself, sorry if that wasn't clear.

A quick note in the docs would be appreciated for n00bies like me 😄

> I chose to split the rekeyed secrets by UID to prevent other users from being able to hijack rekeyed secrets between rekey- and build-time.

How does agenix-rekey determine the UID? I'm a little confused here because I was running everything as sudo or in a sudo -i shell, I assumed that my UID was 0 for root. And in fact, secrets were being generated in--or copied to? I'm actually not sure what's going on at this stage of the process--/tmp/agenix-rekey.0/.... It seems that agenix-rekey is OK generating the secrets as root but expects them in a user dir.

> This looks like a general issue with how you are using agenix. home.file.<something>.source requires a path to a file that is available on your current system at build time. But agenix is decrypting files on your computer at activation time. So the path will only be available after you have added age.secrets.<something>, rebuilt your system once and activated it.
>
> So you are trying to use the decrypted result of a secret at build time, which creates a chicken-egg problem. The secret is only created after building and switching, but building is only possible if the file is already in /run/agenix. Usually you would use agenix with options that are called passwordFile or similar, which only access the given path at runtime.

So here's the weird thing. I got so carried away with the possibility of using your library that I never actually tried setting up vanilla agenix the "normal" way with SSH keys and so on, I went straight into using agenix-rekey.

Last night, after opening this issue, I decided to try a standard agenix setup. As I was looking through their repo, I noticed that home-manager (HM) integration is far from a stable thing, even though--as the first comment points out--merely passing agenix paths to HM modules shouldn't require any special integration. I also used --show-trace on my nixos-rebuild switch command and noticed deep in the stack that the home.file call was somehow involved.

On a hunch, I tried generating the file in /etc using environment.etc."piknik.toml" instead of generating the file in my home directory using HM's home.file and everything just worked!

The question is, why? When I use the environment.etc method, the symlinks are as follows /etc/piknik.toml -> /etc/static/piknik.toml -> /run/agenix/piknikHybridConfig. So I guess environment.etc uses symlinking already and home.file doesn't? This makes sense since one of HM's roles is to manage a user's personal dotfiles, which you often want to remain user-editable as opposed to being in the Nix store. Therefore, HM attempts to copy the files at build time as you suggested instead of symlinking to them in the store.

> A simple fix for this should be to create a link to the decrypted file instead of referencing it directly:
>
> home.file.".config/piknik/piknik.toml".source = config.lib.file.mkOutOfStoreSymlink osConfig.age.secrets.piknikHybridConfig.path;

I just tried it and it works, thank you so much for this hint. I only had to adjust the owner and mode attributes so that my user could access the file. For anyone stumbling upon this thread looking for help, here's how you do that:

age.secrets = {
  my-secret = {
    file = /path/to/my/secret;  # Can also be a string
    owner = "my-user";          # Default owner is root, so the user's service would get EACCES
    mode = "0500";              # Owner read (+execute); no write bit, no access for group/others
  };
};

And for good measure for those coming from the Internet: if you try to confirm the presence of your secret inside of /run/agenix or whatever your agenix cache dir is by using ls /run/agenix as your non-superuser user, you'll get a permissions error because you don't have read permissions on the directory itself. However, if you run ls /run/agenix/my-secret, you'll see your secret is there after activation (i.e., after nixos-rebuild switch, not just nixos-rebuild build).
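Putting the two fixes from this thread together: the following is an added example, not code from the issue, from agenix or from agenix-rekey. It is one NixOS module that declares the secret with an owner and mode, and then, through the Home Manager NixOS module (which provides `osConfig`), links to the decrypted file at activation time instead of copying it into the store at build time. The user name `ersin`, the `my-secrets` flake input and the assumption that piknik's `-config` takes a file path are placeholders; the option names are the ones used above.

```nix
# Added example: NixOS module combining the fixes discussed in this issue.
# Assumes agenix, agenix-rekey and home-manager are imported as NixOS modules,
# and that a flake input `my-secrets` is passed in via specialArgs.
# `ersin` is a placeholder user name.
{ config, my-secrets, ... }:
{
  age.rekey = {
    hostPubkey = "/etc/ssh/ssh_host_ed25519_key.pub";
    masterIdentities = [
      "${my-secrets}/identities/yubikey-primary-agenix-rekey-identity.pub"
    ];
  };

  age.secrets.piknikHybridConfig = {
    rekeyFile = "${my-secrets}/secrets/piknik.hybrid.toml.age";
    # Decrypted to /run/agenix/piknikHybridConfig at activation, owned by the
    # user whose service reads it. agenix's default (root, 0400) would make a
    # user service fail with EACCES; 0400 is enough for a config file, the
    # execute bit from the thread is not needed.
    owner = "ersin";
    mode = "0400";
  };

  # Alternative that also works (see the thread): /etc is populated with
  # symlinks, so environment.etc never tries to copy the secret into the store.
  # environment.etc."piknik.toml".source = config.age.secrets.piknikHybridConfig.path;

  home-manager.users.ersin = { config, pkgs, osConfig, ... }:
    let
      # Only the *path* is known at build time; the content appears after `switch`.
      secretPath = osConfig.age.secrets.piknikHybridConfig.path;
      # Where the symlink ends up in the user's home.
      linkPath = "${config.home.homeDirectory}/.config/piknik/piknik.toml";
    in
    {
      home.packages = [ pkgs.piknik ];

      # home.file.<name>.source normally copies its target into the Nix store at
      # build time, which fails because /run/agenix/... does not exist yet.
      # mkOutOfStoreSymlink yields a store-tracked symlink whose target is only
      # resolved when the file is opened at runtime.
      home.file.".config/piknik/piknik.toml".source =
        config.lib.file.mkOutOfStoreSymlink secretPath;

      systemd.user.services.piknik = {
        Unit.Description = "Piknik";
        Service = {
          # Pass the file explicitly: systemd only expands variables that are in
          # the service's environment, and $XDG_CONFIG_HOME usually is not.
          ExecStart = "${pkgs.piknik}/bin/piknik -server -config ${linkPath}";
          Restart = "on-failure";
        };
        Install.WantedBy = [ "default.target" ];
      };
    };
}
```

After `nixos-rebuild switch`, `readlink -f ~/.config/piknik/piknik.toml` should end at /run/agenix/piknikHybridConfig, and `stat` on that target should show the user as owner with mode 0400; `nixos-rebuild build` alone will not create it, which is the build-time versus activation-time distinction the thread turns on.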
