Agenix & EnvironmentFile: What am I doing wrong?

The dynamic test 2 works, which uses a file on the filesystem. When I put the same contents of the file in agenix, I don’t get the ip when running host home1.example.com. I tried debugging but I don’t see it. This is currently the closest I get.
secret.nix:

...
  "secrets/dynamic-dns.env.age".publicKeys = all-hosts ++ users;
...

agenix -e secrets/dynamic-dns.env.age

DDNS_SUBDOMAIN1=home1.example.com
DDNS_SUBDOMAIN2=home2.example.com
DDNS_P=2sESR62IN2N1

module:

config = {
    age.secrets."dynamic-dns.env".file = ../../../secrets/dynamic-dns.env.age;

    # 1 Doesn't work
    systemd.services.dynamicdns1 = {
      description = "Update DynamicDNS";
      serviceConfig = {
        EnvironmentFile = config.age.secrets."dynamic-dns.env".path;
        ExecStart = "${pkgs.curl}/bin/curl https://dynamicdns.key-systems.net/update.php?hostname=\${DDNS_SUBDOMAIN1}&password=\${DDNS_P}&ip=auto";
      };
    };
    systemd.timers.dynamicdns1 = {
      description = "Update DynamicDNS test1";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnActiveSec = "2m";
        OnUnitActiveSec = "3m";
      };
    };

    # 2 Works
    systemd.services.dynamicdns2 = {
      description = "Update DynamicDNS";
      serviceConfig = {
        EnvironmentFile = "/home/myname/myddns.env";
        ExecStart = "${pkgs.curl}/bin/curl https://dynamicdns.key-systems.net/update.php?hostname=\${DDNS_SUBDOMAIN2}&password=\${DDNS_P}&ip=auto";
      };
    };
    systemd.timers.dynamicdns2 = {
      description = "Update DynamicDNS test2";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnActiveSec = "2m";
        OnUnitActiveSec = "3m";
      };
    };

}

Perhaps running “systemctl show” for your unit can reveal something about the environment path that you can verify.

1 Like

Another thing to check is the file permissions.

Agenix uses root:root and mode 0400 by default. So if dynamicdns2 runs as a non-root user, it won’t be able to read the clear-text file.

1 Like
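As an added example (not code from the thread or from agenix), here is the kind of check the two replies above describe, scripted: it parses the `User=` and `EnvironmentFiles=` properties as `systemctl show -p User,EnvironmentFiles <unit>` prints them, stats each listed file, and reports whether it exists, who owns it, its mode, and whether a given uid/gid could read it under ordinary Unix permission bits (root always can). The `demo()` scenario, the `ddns` user and the uid 65534 are constructed; the check models plain discretionary access control on the decrypted file, nothing more.

```python
"""Audit the EnvironmentFile= paths of a systemd unit from `systemctl show` output."""
import os
import re
import stat
import tempfile
from typing import Dict, Iterable, List

# One entry of the EnvironmentFiles= property as systemctl show prints it:
#   /run/agenix/dynamic-dns.env (ignore_errors=no)
ENV_FILE_RE = re.compile(r"(\S+) \(ignore_errors=(yes|no)\)")


def parse_show_output(text: str) -> Dict[str, object]:
    """Parse `systemctl show -p User,EnvironmentFiles <unit>` output into user + file list."""
    props: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props.setdefault(key, []).append(value)
    user = "".join(props.get("User", [""])).strip() or "root"  # empty User= means root
    files: List[str] = []
    for value in props.get("EnvironmentFiles", []):
        files.extend(path for path, _ignore in ENV_FILE_RE.findall(value))
    return {"user": user, "files": files}


def dac_can_read(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Plain discretionary-access-control read check for uid/gids against a stat result."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit_env_files(show_output: str, uid: int, gids: Iterable[int]) -> List[Dict[str, object]]:
    """For each EnvironmentFile of the unit: existence, ownership, mode and DAC readability."""
    info = parse_show_output(show_output)
    gid_list = list(gids)
    report: List[Dict[str, object]] = []
    for path in info["files"]:  # type: ignore[union-attr]
        entry: Dict[str, object] = {"path": path, "unit_user": info["user"],
                                    "exists": os.path.exists(path)}
        if entry["exists"]:
            st = os.stat(path)
            entry.update(owner_uid=st.st_uid, group_gid=st.st_gid,
                         mode=oct(stat.S_IMODE(st.st_mode)),
                         readable=dac_can_read(st, uid, gid_list))
        else:
            entry["readable"] = False  # a secret that was never decrypted cannot be read
        report.append(entry)
    return report


def demo() -> Dict[str, List[Dict[str, object]]]:
    """Constructed scenario: a 0400 file like agenix's default, plus a path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "dynamic-dns.env")
        with open(secret, "w") as fh:
            fh.write("DDNS_SUBDOMAIN1=home1.example.com\n")  # constructed contents
        os.chmod(secret, 0o400)
        missing = os.path.join(tmp, "not-decrypted.env")
        # Constructed to mimic `systemctl show -p User,EnvironmentFiles dynamicdns1.service`
        show_output = (
            "User=ddns\n"
            f"EnvironmentFiles={secret} (ignore_errors=no) {missing} (ignore_errors=no)\n"
        )
        return {
            "as_owner": audit_env_files(show_output, os.getuid(), os.getgroups()),
            "as_other_user": audit_env_files(show_output, 65534, [65534]),  # constructed uid/gid
        }


if __name__ == "__main__":
    for who, entries in demo().items():
        for e in entries:
            print(who, e)
```

Run it against a real unit by feeding `audit_env_files` the output of `systemctl show -p User,EnvironmentFiles dynamicdns1.service` and the uid/gids of the user the unit runs as. A missing path in the report points at the secret never having been decrypted into `/run/agenix`, which is a different failure from a mode or ownership problem.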

I think it’s an agenix problem with a remote machine.
When I run it on my laptop it works and I see:
Laptop:

tree /run/agenix

/run/agenix
├── dynamic-dns.env
└── passwords
    ├── msmtp
    └── networks

remote router:

tree /run/agenix

/run/agenix
└── passwords

The remote’s agenix is just empty, except for a folder.
Also the lack of msmtp is probably the reason why I’m not receiving email from the router.

nixos-rebuild boot --flake .#router-apu2e5 --target-host myuser@router-apu2e5.local --build-host localhost --use-remote-sudo

The dynamic-dns.env secret has the publickey for all machines and users.

I do see the encrypted age files in the nix store on the router.

After an agenix --rekey I see them again in /run/agenix/.

I probably didn’t rekey after changing the key locations to /persist, which generated new keys.

1 Like
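The root cause found above (a host key regenerated after moving the keys to /persist, with no rekey) can be detected from the .age file header alone, without any private key. As an added example that is neither agenix's nor age's own code: age's `ssh-ed25519` and `ssh-rsa` recipient stanzas carry a 6-character tag, the unpadded base64 of the first four bytes of SHA-256 over the SSH wire-format public key (the base64 blob from the host's `.pub` file), so if the tag of a host's current key appears in no stanza, that host cannot decrypt the secret and `agenix --rekey` is needed. The sample keys and the sample header are constructed placeholders; the parser assumes an unarmored age file (no `-a`), which is what agenix stores.

```python
"""Check which SSH host keys an agenix/age secret was encrypted to, from its header."""
import base64
import hashlib
import struct
import sys
from pathlib import Path
from typing import Dict, List, Tuple

AGE_MAGIC = b"age-encryption.org/v1"


def _b64raw(data: bytes) -> str:
    """age uses standard base64 without padding."""
    return base64.b64encode(data).decode().rstrip("=")


def ssh_pubkey_blob(authorized_keys_line: str) -> Tuple[str, bytes]:
    """Return (key type, SSH wire-format blob) from an authorized_keys-style line."""
    fields = authorized_keys_line.split()
    if len(fields) < 2:
        raise ValueError("not an SSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():  # type inside the blob must match the prefix
        raise ValueError("SSH key type mismatch")
    return key_type, blob


def age_recipient_tag(blob: bytes) -> str:
    """Tag age puts in an ssh recipient stanza: base64(SHA-256(blob)[:4]), 6 characters."""
    return _b64raw(hashlib.sha256(blob).digest()[:4])


def age_stanzas(data: bytes) -> List[Tuple[str, List[str]]]:
    """Parse (type, args) of every recipient stanza in an age v1 header."""
    lines = data.split(b"\n")
    if not lines or lines[0] != AGE_MAGIC:
        raise ValueError("not an age v1 file")
    stanzas: List[Tuple[str, List[str]]] = []
    for line in lines[1:]:
        if line.startswith(b"--- "):  # header MAC line; the encrypted payload follows it
            return stanzas
        if line.startswith(b"-> "):
            type_, *args = line[3:].decode("ascii").split(" ")
            stanzas.append((type_, args))
        # any other line is a stanza body (the wrapped file key), not needed here
    raise ValueError("truncated age header")


def hosts_needing_rekey(age_file: bytes, host_keys: Dict[str, str]) -> List[str]:
    """Names of hosts whose current key has no matching stanza in the file header."""
    present = {(t, a[0]) for t, a in age_stanzas(age_file) if a}
    missing = []
    for host, key_line in host_keys.items():
        key_type, blob = ssh_pubkey_blob(key_line)
        if (key_type, age_recipient_tag(blob)) not in present:
            missing.append(host)
    return sorted(missing)


# --- constructed sample data: not real keys and not a real secret ----------------
def _fake_ed25519_key_line(seed: int) -> str:
    raw = bytes((seed * 7 + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} host{seed}"


def _fake_age_file(recipient_lines: List[str]) -> bytes:
    """An age header with one stanza per recipient; ephemeral key, body and MAC are placeholders."""
    header = [AGE_MAGIC]
    for line in recipient_lines:
        key_type, blob = ssh_pubkey_blob(line)
        header.append(f"-> {key_type} {age_recipient_tag(blob)} {_b64raw(bytes(32))}".encode())
        header.append(_b64raw(bytes(32)).encode())
    header.append(b"--- " + _b64raw(bytes(32)).encode())
    return b"\n".join(header) + b"\n\x00\x01\n\x02placeholder-ciphertext"


LAPTOP_KEY = _fake_ed25519_key_line(1)
ROUTER_OLD_KEY = _fake_ed25519_key_line(2)  # key before it was moved to /persist
ROUTER_NEW_KEY = _fake_ed25519_key_line(3)  # key regenerated after the move
SECRET_BEFORE_REKEY = _fake_age_file([LAPTOP_KEY, ROUTER_OLD_KEY])


if __name__ == "__main__":
    # usage: python age_recipients.py secrets/dynamic-dns.env.age /etc/ssh/ssh_host_ed25519_key.pub
    data, key = Path(sys.argv[1]).read_bytes(), Path(sys.argv[2]).read_text()
    print("needs rekey" if hosts_needing_rekey(data, {"this host": key}) else "encrypted to this host")
```

Pointing this at `secrets/dynamic-dns.env.age` and the router's current `ssh_host_ed25519_key.pub` would have reported the router as needing a rekey before the deploy. The tag is only four bytes of the hash, so a match says the file was encrypted to a key with that fingerprint prefix, not that decryption is guaranteed; a mismatch, however, is conclusive.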