
[BUG] Agenix not creating secrets

Open xqtc161 opened this issue 1 year ago • 4 comments

I added agenix as a home-manager module to my flake-based NixOS configuration.

`sudo nixos-rebuild switch` builds with no errors. Yet there are no secrets in `/run/users/1000/`. Not even the `agenix` folder exists, just `agenix.d`. I use a config similar to a friend of mine, and everything works for him.

xqtc161, Feb 23 '24 20:02

Same issue here. I can't seem to get the directories to pop up, and home-manager activation fails outright.

krad246, Mar 09 '24 06:03

`/run/users/1000/agenix` gets mounted if and only if there are secrets (logic is in this block) with the actual mounting code here.

Sample flake with agenix imported in home-manager

This flake exposes a test VM that can be run as `nix run .\#checks.x86_64-linux.test.driverInteractive`.

```nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    agenix.url = "github:ryantm/agenix";
  };

  outputs =
    inputs@{ self, nixpkgs, ... }:
    let
      system = "x86_64-linux";
      pkgs = import nixpkgs { inherit system; };
      inherit (pkgs) lib;
    in
    {

      checks.${system}.test = pkgs.testers.runNixOSTest {
        name = "foo";
        nodes.machine1 =
          { config, pkgs, ... }:
          {
            services.getty.autologinUser = "alice";
            imports = [ inputs.home-manager.nixosModules.home-manager ];
            users.users.alice = {
              isNormalUser = true;
              password = "hunter2";
            };
            home-manager.users.alice =
              { config, ... }: # config is home-manager's config, not the OS one
              {
                imports = [ inputs.agenix.homeManagerModules.default ];
                home.stateVersion = "24.05";
                home.file.".ssh/id_ed25519".source = ./id_ed25519; # Don't do this to a real key, it's world-readable in store. For test VM it's OK.

                home.file.".ssh/id_ed25519.pub".source = ./id_ed25519.pub;
                programs.ssh = {
                  enable = true;
                  includes = [
                    (lib.removePrefix ".ssh/" config.age.secrets.ssh-config.path) # This makes the include relative
                  ];
                };
                age.secrets.ssh-config.file = ./ssh-config.age;
                age.secrets.ssh-config.path = ".ssh/includes/ssh-config-agenix";
              };
          };
        testScript = "start_all()";
      };
    };
}
```

VTimofeenko, Mar 09 '24 23:03

A possible workaround is to "deploy" the secrets from the host system if the host system has not used agenix so far.

1. In the home-manager module for my user `<user>` I have set:

   ```nix
   age.secretsDir = "/run/user/1000/agenix";
   age.identityPaths = [ "/home/<user>/.ssh/<key>" ];
   age.secrets.<name>.file = ../../secrets/<name>.age;
   ```

2. In the host module of that user I have set:

   ```nix
   age.secretsDir = "/run/user/1000/agenix";
   age.identityPaths = [ "/home/<user>/.ssh/<key>" ];
   age.secrets.<name> = {
     file = ../../secrets/<file>.age; # path literal, no quotes
     mode = "400";
     owner = "<user>";
     group = "users";
   };
   ```

dnstzk, Apr 16 '25 06:04

For anyone with this issue: Take a look at `systemctl --user status agenix.service` and check if the secrets were correctly decrypted.

My issue was an ssh key secured with a password. Those break the decryption process.

Maximilian-Staab, Aug 12 '25 13:08
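A check for the failure mode in the last comment, added here as an example that is not from the thread or from agenix itself: it reads only the cleartext header of an OpenSSH private key and reports whether the key is passphrase-protected, so the files listed in `age.identityPaths` can be screened before the user service tries to decrypt with them. It assumes the identities are in the `openssh-key-v1` format that `ssh-keygen` writes by default; `build_sample_key` is a constructed, hypothetical key used only to exercise the parser.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def openssh_key_protection(pem_text):
    """Return (ciphername, kdfname) from an openssh-key-v1 private key.

    Only the cleartext header is parsed; nothing is decrypted. A key that
    agenix can use unattended reports ("none", "none").
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PEM-wrapped OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not openssh-key-v1 format")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text):
    """True when the private section is encrypted (cipher or KDF set)."""
    cipher, kdf = openssh_key_protection(pem_text)
    return cipher != "none" or kdf != "none"


def build_sample_key(cipher, kdf):
    """Constructed sample (hypothetical, not a real key): a valid header with
    a dummy public key and private section, so the parser can be exercised."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body += s(b"dummy-public-key") + s(b"dummy-private-section")
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{BEGIN}\n{wrapped}\n{END}\n"
```

Run `is_passphrase_protected(open(path).read())` over each path in `age.identityPaths`; any key that returns `True` needs a passphrase prompt that the unattended `agenix.service` cannot answer.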