agenix
Order of operations
As suggested in Matrix I am creating this issue about the order in which agenix operates.
When switching generations I consistently see the following order of operations in the log output:
[agenix] symlinking new secrets to /run/agenix (generation 6)...
[agenix] removing old secrets (generation 5)...
[agenix] decrypting root secrets...
decrypting '/nix/store/xxx.age' to '/run/agenix.d/6/xxx'...
decrypting '/nix/store/yyy.age' to '/run/agenix.d/6/yyy'...
[agenix] decrypting non-root secrets...
decrypting '/nix/store/zzz.age' to '/run/agenix.d/6/zzz'...
This got me wondering as I would expect the order of operations to be:
- decrypt secrets into new generation
- symlink new secrets
- remove old generation/secrets
Could we get some clarification about the actual order?
Looking at the source at https://github.com/ryantm/agenix/blob/main/modules/age.nix#L155 it looks like the logged order is actually the order in which operations take place.
The agenixMountSecret activation script creates a new generation, (forcefully) symlinks it to the ${cfg.secretsDir} and (if it is larger than 1) removes the old generation. The installRootOwnedSecrets and installNonRootSecrets both depend on agenixMountSecret and are therefore executed after that.
If I read this correctly, there is a brief state in which the current/old generation no longer exists and the new/to-be generation is still empty (no decrypted secrets).
I think the solution would be to move lines 174-178 from https://github.com/ryantm/agenix/blob/main/modules/age.nix#L174 to a new script that depends on the installRootOwnedSecrets and installNonRootSecrets scripts.
What do you think? I can make a PR if you agree.
@cole-h as the author of the symlinking PR, maybe you can comment?
Yeah, that sounds like a good change to make -- thanks for catching that!