
"Error: Is a directory" when running `nixos-rebuild switch`

Open 71 opened this issue 2 years ago • 3 comments

I'm getting the following error when running `nixos-rebuild switch`:

```
activating the configuration...
[agenix] symlinking new secrets to /run/agenix (generation 1)...
[agenix] decrypting root secrets...
decrypting '/nix/store/k7c3rf9fc8qymkhj4ljw6awbnwqql737-password-g.age' to '/run/agenix.d/1/password-g'...
Error: Is a directory (os error 21)

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]
chmod: cannot access '/run/agenix.d/1/password-g.tmp': No such file or directory
chown: cannot access '/run/agenix.d/1/password-g.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password-g.tmp': No such file or directory
decrypting '/nix/store/yh5y30pprwzpny5fiqpwxirz13mshvr6-password-root.age' to '/run/agenix.d/1/password-root'...
Error: Is a directory (os error 21)

[ Did rage not do what you expected? Could an error be more useful? ]
[ Tell us: https://str4d.xyz/rage/report                            ]
chmod: cannot access '/run/agenix.d/1/password-root.tmp': No such file or directory
chown: cannot access '/run/agenix.d/1/password-root.tmp': No such file or directory
mv: cannot stat '/run/agenix.d/1/password-root.tmp': No such file or directory
Activation script snippet 'agenixRoot' failed (1)
warning: password file ‘/run/agenix/password-g’ does not exist
warning: password file ‘/run/agenix/password-root’ does not exist
[agenix] decrypting non-root secrets...
setting up /etc...
```

This looks a lot like #45; I do have a similar setup using Impermanence, but in my case even `nixos-rebuild switch` failed (before even attempting a reboot).

71, Feb 13 '22 19:02

I believe this was caused by `identityPaths` pointing to the wrong path (more precisely, the secrets directory which contains the `.age` files). I changed it and the build succeeded. Something should be done to avoid this kind of issue, though (in my case, my user passwords used agenix so the failure in switch locked me out of my system; I had to go back to a previous NixOS generation to fix the issue).

71, Feb 13 '22 20:02

It's possible we should make it so the activation script fails if a decryption fails. What do you think @cole-h?

ryantm, Mar 15 '22 23:03

Would failing prevent further decryption from taking place (e.g. on different files), or would it just set the error code for the script so that NixOS knows there was an error? I'd think that the latter would already be happening...

If failing would prevent further decryption, I don't think that's a good idea -- then a situation could arise that some unrelated secret file was misspelled or improperly encrypted, preventing user passwords from being decrypted down the line (similar to what happened here).

cole-h, Mar 16 '22 00:03
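
As an added example (not from the thread and not agenix's activation script), these shell functions reject identity paths that are directories before any decryption is attempted, and keep decrypting the remaining secrets after one fails while still returning a non-zero status at the end. The function names, the `FAILED` variable and the `rage -d -i ... -o ...` invocation are assumptions.

```shell
# Added example: hypothetical helpers, not agenix's own activation script.

# Print only the identity paths that are readable regular files. The reporter
# traced "Is a directory (os error 21)" to identityPaths naming a directory.
usable_identities() {
  local p
  for p in "$@"; do
    if [ -d "$p" ]; then
      echo "identity '$p' is a directory, skipping" >&2
    elif [ ! -r "$p" ] || [ ! -f "$p" ]; then
      echo "identity '$p' is missing or unreadable, skipping" >&2
    else
      printf '%s\n' "$p"
    fi
  done
}

# Assumed rage invocation: -d decrypt, -i identity file, -o output file.
decrypt_one() {  # usage: decrypt_one IDENTITY SRC DEST
  rage -d -i "$1" -o "$3" "$2"
}

# Decrypt every SRC into OUTDIR. A failure on one secret is recorded in FAILED
# and the loop moves on to the next secret; the function returns 1 at the end
# if anything failed, so the caller can mark the activation as failed.
decrypt_all() {  # usage: decrypt_all OUTDIR IDENTITY SRC...
  local outdir="$1" identity="$2" src name tmp
  shift 2
  FAILED=""
  for src in "$@"; do
    name=$(basename "$src" .age)
    tmp="$outdir/$name.tmp"
    # Write to a temporary file first so a failed decryption never leaves a
    # partial secret at the final path.
    if decrypt_one "$identity" "$src" "$tmp" && mv -f "$tmp" "$outdir/$name"; then
      chmod 0400 "$outdir/$name"
    else
      rm -f "$tmp"
      FAILED="$FAILED $name"
    fi
  done
  [ -z "$FAILED" ]
}
```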