Conflicts with Perlless Activation
Reproduce

```nix
systemd.sysusers.enable = true;
```

the error in question:

```
unpacking channels...
warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error:
       … while calling the 'head' builtin
         at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/attrsets.nix:960:11:
          959|           || pred here (elemAt values 1) (head values) then
          960|           head values
             |           ^
          961|         else
       … while evaluating the attribute 'value'
         at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/modules.nix:809:9:
          808|     in warnDeprecation opt //
          809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          810|         inherit (res.defsFinal') highestPrio;
       (stack trace truncated; use '--show-trace' to show the full trace)
       error: The option `system.activationScripts.users' is defined multiple times while it's expected to be unique.
       Definition values:
       - In `/nix/store/dhf97ymc733klg6vkjavrfqss7qp5qjr-source/flake.nix':
           {
             deps = [
               "setupSecretsForUsers"
             ];
           }
       - In `/nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/nixos/modules/config/users-groups.nix': ""
       Use `lib.mkForce value` or `lib.mkDefault value` to change the priority on any of these definitions.
```
What systemd target can I use instead for sops now? @nikstur I need one that comes before any users are created to decrypt password hashes and one that is started before any services that might need scripts.
You could just order before systemd-sysusers I guess. It's very difficult to tell which services might need scripts (if you mean activationScripts) because they run as early as possible (in the systemd-initrd even BEFORE stage 1 finishes).
EDIT: sysupdate -> sysusers
I think I mostly care about multi-user.target style services.
Then ordering before systemd-sysusers.service should be plenty early.
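One concrete shape for the ordering suggested above, as an added example that is not code from this thread, from sops-nix or from Nixpkgs: a oneshot unit in the stage-2 systemd that is pulled in by sysinit.target and ordered before systemd-sysusers.service, so whatever it writes is on disk before sysusers creates users. The unit name `decrypt-user-secrets`, the script body and the `/run/secrets-for-users` directory are placeholders; sops-nix's real unit names and decryption logic are not shown.

```nix
{ config, pkgs, lib, ... }:
{
  # Added example: an early-boot oneshot ordered before systemd-sysusers.service.
  # "decrypt-user-secrets" and the script body are hypothetical placeholders.
  systemd.services.decrypt-user-secrets = {
    description = "Decrypt password hashes before systemd-sysusers creates users";

    # sysinit.target pulls the unit in during early boot; Before= guarantees the
    # decrypted files exist by the time systemd-sysusers.service reads them.
    wantedBy = [ "sysinit.target" ];
    before = [ "systemd-sysusers.service" ];

    # Early units must drop the implicit After=sysinit.target/basic.target that
    # DefaultDependencies=yes would add, otherwise the ordering is cyclic.
    unitConfig.DefaultDependencies = false;

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };

    script = ''
      # Placeholder for the actual decryption step; here only the target
      # directory is created with restrictive permissions.
      install -d -m 0750 /run/secrets-for-users
    '';
  };
}
```

On a booted system the inverse dependency is visible with `systemctl show systemd-sysusers.service -p After`, which lists decrypt-user-secrets.service once the ordering is in effect. This covers only the stage-2 unit; the systemd-initrd case mentioned above is a separate boot phase and is not addressed here.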
Looks like we cannot use sysusers with sops-nix secrets, i.e. it requires hashedPasswordFile at build time.
```
nix-shell-env % nix build .#checks.x86_64-linux.user-passwords-sysusers -L
warning: unknown experimental feature 'configurable-impure-env'
system-path> created 6454 symlinks in user environment
static-sysusers-credentials> cat: /run/secrets-for-users/test_key: No such file or directory
error: build of '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' on 'ssh-ng://nix@vislor' failed: builder for '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' failed with exit code 1;
       last 1 log lines:
       > cat: /run/secrets-for-users/test_key: No such file or directory
       For full logs, run 'nix log /nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv'.
error: builder for '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/4hmpakm8pd1j82kg9j13kzrm5nkfk33s-static-sysusers.drv' failed to build
error: 1 dependencies of derivation '/nix/store/x9r5m6yw6clna4frkf13f4yq1qrcbf9s-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/5icridr0ydymmd8c7xgh0d41vfk26036-nixos-system-machine-24.05pre-git.drv' failed to build
error: 1 dependencies of derivation '/nix/store/v8lk0xzh2sas7gn48kb8ligl8l65y15q-nixos-vm.drv' failed to build
error: 1 dependencies of derivation '/nix/store/59wkb4x1kw9mwlj5hqg07xib6f7n2s8d-nixos-test-driver-sops-user-passwords-sysusers.drv' failed to build
error: 1 dependencies of derivation '/nix/store/6af5f9vi4a3p3jdcf8qvx0f1fdmxskjc-vm-test-run-sops-user-passwords-sysusers.drv' failed to build
noglob nix build .#checks.x86_64-linux.user-passwords-sysusers -L  2.26s user 2.15s system 30% cpu 14.595 total
```
with mutableUsers enabled this works at least: https://github.com/Mic92/sops-nix/pull/484
What about a solution without mutableUsers? I don't have mutable users enabled personally. Is there any realistic solution?
No. This is a limitation of how the sysusers implementation works in NixOS, not of sops-nix. It wants to open secrets at build time rather than at activation time.
When using sops-nix's templating, it seems even with mutableUsers enabled, the same error comes up again
MWE

```nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs";
      };
    };
  };
  outputs =
    {
      self,
      nixpkgs,
      sops-nix,
    }:
    {
      nixosConfigurations.test = nixpkgs.lib.nixosSystem {
        modules = [
          (
            { config, modulesPath, ... }:
            {
              imports = [
                "${modulesPath}/profiles/minimal.nix"
                sops-nix.nixosModules.sops
              ];
              boot = {
                initrd.systemd.enable = true;
                loader.systemd-boot.enable = true;
              };
              fileSystems."/".device = "PLACEHOLDER";
              nixpkgs.hostPlatform = "x86_64-linux";
              sops = {
                age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
                secrets.secret1 = {
                  format = "binary";
                  sopsFile = self + /secrets/test.bin;
                };
                templates.secret1.content = ''
                  TEST
                  ${config.sops.placeholder.secret1}
                  TEST
                '';
              };
              system = {
                etc.overlay.enable = true;
                stateVersion = "24.05";
              };
              systemd.sysusers.enable = true;
            }
          )
        ];
      };
    };
}
```
Error

```
building the system configuration...
error:
       … while calling the 'head' builtin
         at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/attrsets.nix:1575:11:
         1574|           || pred here (elemAt values 1) (head values) then
         1575|           head values
             |           ^
         1576|         else
       … while evaluating the attribute 'value'
         at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/modules.nix:809:9:
          808|     in warnDeprecation opt //
          809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          810|         inherit (res.defsFinal') highestPrio;
       … while evaluating the option `system.build.toplevel':
       … while evaluating definitions from `/nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/nixos/modules/system/activation/top-level.nix':
       … while evaluating the option `system.systemBuilderArgs':
       … while evaluating definitions from `/nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/nixos/modules/system/activation/activatable-system.nix':
       (stack trace truncated; use '--show-trace' to show the full, detailed trace)
       error: attribute 'setupSecrets' missing
       at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/strings-with-deps.nix:72:71:
           71|       else if done ? ${entry} then f done (tail todo)
           72|       else f (done // listToAttrs [{name = entry; value = 1;}]) ([predefined.${entry}] ++ tail todo);
             |                                                                       ^
           73|   in (f {} arg).result;
```
Would this change the situation for sops-nix? https://github.com/NixOS/nixpkgs/pull/328926/commits/2710a49adb11016f2e1bb4f3786dc099b99cd315 which is part of https://github.com/NixOS/nixpkgs/pull/328926
If I understood correctly, the initial issue is that the user spec was created at build time. If I got that change right, it changes this, due to keeping uid/gid on machines.
Still, it points out that sysusers just does initial passwords, but that's an assertion that is then not sops-nix related (and also on that PR).
Probably? One can just enable it in the nixos test for sysusers and see if it breaks.
To overcome the limitations of systemd-sysusers, I wrote Userborn. This should be able to work fully with sops-nix.
See the Nixpkgs PR: https://github.com/NixOS/nixpkgs/pull/332719