Sops-nix managed secrets

varingst · December 14, 2023, 3:24pm

I’m trying to set up sops-nix to manage secrets for gitlab

I’ve set up flakes, and installed sops-nix through that. I’m on 23.11

Beyond the install/setup guide at the sops-nix repo readme, I’ve also been looking at these guides:

I’ve set up the ./secrets/secrets.yaml. Here’s the relevant section from configuration.nix:

sops = {
  age.keyFile = "/root/.config/sops/age/keys.txt";
  defaultSopsFile = ./secrets/secrets.yaml;
  defaultSopsFormat = "yaml";
}

sops.secrets."gitlab/dbPass" = { };

The last line is the problem. If I comment it out, it builds. If I don’t, I get this:

error:
       … while calling the 'head' builtin

         at /nix/store/dg2g5qwvs36dhfqj9khx4sfv0klwl9f0-source/lib/attrsets.nix:922:11:

          921|         || pred here (elemAt values 1) (head values) then
          922|           head values
             |           ^
          923|         else

       … while evaluating the attribute 'value'

         at /nix/store/dg2g5qwvs36dhfqj9khx4sfv0klwl9f0-source/lib/modules.nix:807:9:

          806|     in warnDeprecation opt //
          807|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;                                                                 │    mirroredBoots = [
             |         ^
          808|         inherit (res.defsFinal') highestPrio;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: getting status of '/nix/store/nqjkmjqsgc7xrac9ywbwgq0a1dvqc6k5-source/secrets/secrets.yaml': No such file or directory

which according to this is supposed to communicate in the most unhelpful way that the option is of the wrong type.

But it’s not?

Cheers

Janik · December 14, 2023, 3:37pm

do you have a .sops.yaml in your Projects root?

This is the minimum you need:

keys:
  - &yourName agePublicKey

creation_rules:
  - path_regex: ^secrets/secrets.yamll$
    key_groups:
      - age:
        - *yourName

also try doing a git add on the file in case you are using flakes, since untracked files won’t be copied into the flake.

varingst · December 14, 2023, 3:44pm

Yeah, I have it

It wasn’t added, but it is now, and I get the same error

R-VdP · December 14, 2023, 3:48pm

It shouldn’t be the same error, since nix should at least be able to open the file if your added it to the git index now.

Janik · December 14, 2023, 3:57pm

would you mind sharing the ouput of running the following command in your projects root:

nix-shell -p tree --run tree

(just want to verify that all the paths are correct and that no typos are in there.)
Other then that try replacing:

-  defaultSopsFile = ./secrets/secrets.yaml;
+  defaultSopsFile = "${./secrets/secrets.yaml}";

this should really be the same.

varingst · December 14, 2023, 4:09pm

[root@server:/etc/nixos]# nix-shell -p tree --run "tree -a -I .git"
.
├── configuration.nix
├── flake.lock
├── flake.nix
├── .gitignore
├── gitlab.nix
├── hardware-configuration.nix
├── result -> /nix/store/xy95wam7wk7a4gbwvapjl2j1dllp0f6l-nixos-system-sentech-server-23.05.4853.d4b5a67bbe9e
├── secrets
│   └── secrets.yaml
└── .sops.yaml

2 directories, 8 files

Janik · December 14, 2023, 4:15pm

lgtm, I’m probably missing something obvious but this should work.

sops is imported correctly (otherwise there would be an error about config.sops.* attributes missing
you have a .sops.yaml with a valid config, other wise the sops cli wouldn’t work as expected.
your nixos sops module config looks correct
you are tracking all the relevant files with git
there is no typos in the file-names

what am I missing?

TLATER · December 14, 2023, 9:09pm

You should not get the exact same error. The source directory hash should have changed:

error: getting status of '/nix/store/nqjkmjqsgc7xrac9ywbwgq0a1dvqc6k5-source/secrets/secrets.yaml': No such file or directory

This is splitting hairs, but if that didn’t change, is there any chance you added stuff to the wrong git repo? Can you check the contents of that directory in the store to maybe see what the mismatch is?

varingst · December 14, 2023, 9:41pm

The hash has changed, but I get the same error: No such file or directory

varingst · December 14, 2023, 9:45pm

If I knew that, I prob wouldn’t be here asking ;)

Is there anything the flake setup can mangle? I’m very new nix, and only set up flakes for sops … Are there any ‘similar’ flakes I can try to see if they fail in a similar way? Are there any diagnosis/consistency checks I can run?

Janik · December 14, 2023, 9:47pm

There is a lot of examples, just take a look at: https://github.com/search?q=lang%3Anix+inputs.sops-nix&type=code

NobbZ · December 25, 2023, 8:30pm

Very dumb question, but does the secrets/secrets.yaml exist in your flake and did you remember to git add it?