Symlink functionality does not seem to work #571

Open
noggynoggy opened this issue Jun 1, 2024 · 3 comments

@noggynoggy

I am just starting to use sops-nix (awesome project btw!), this might be my fault:

The symlink functionality does not seem to work for me:

The following snippet contains my config for Syncthing. The Syncthing module thankfully has an option to set the path to the cert and key, so I was able to fix my issue by using the code below.
But with the path not commented out (and the other two lines in the syncthing block), it didn't work, because no symlinks to the specified directory were made.

  sops.secrets = {
    "syncthing/${host}-cert.pem" = {
      owner = user;
      # path = "/home/${user}/.config/syncthing/cert.pem";
    };
    "syncthing/${host}-key.pem" = {
      owner = user;
      # path = "/home/${user}/.config/syncthing/key.pem";
    };
  };

  services.syncthing = (builtins.trace config.sops.secrets."syncthing/${host}-cert.pem".path) {
    enable = true;
    user = "${user}";
    # key = "/home/${user}/.config/syncthing/key.pem";
    # cert = "/home/${user}/.config/syncthing/cert.pem";
    key = config.sops.secrets."syncthing/${host}-key.pem".path;
    cert = config.sops.secrets."syncthing/${host}-cert.pem".path;
    # ...

The secrets were to be found in the /run/secrets/syncthing directory, in ~/.config/syncthing there is no file that could "block" the links, the trace shows the right path, and the build does not crash or show any errors, but the symlink is not created.

This simple example below does work and the symlink is created in my home directory after rebuild.

  secrets.example = {
    path = "/home/${user}/test";
  };

It doesn't seem to matter who the owner of the file is or what mode it has. I read through the code but I am no Go wizard so I couldn't figure out why it behaves like this.

Is this maybe Syncthing specific?

@k6av

k6av commented Jun 4, 2024

I've done some testing on my own configuration, and the issue seems to arise when using nested secrets (with a / in the secret name) together with the path option. Definitely seems like some sort of bug to me. The issue is probably not specific to Syncthing.

@k6av

k6av commented Jun 4, 2024

Never mind, nested secrets work fine for me. Back to square 1.

@k6av

k6av commented Jun 4, 2024

I've (roughly, see below) copy-pasted the snippet you provided into my own NixOS configuration and I can't reproduce the issue you're having; the files get symlinked fine in my configuration. Not sure what the issue could be... I'd look closer at the rest of your NixOS configuration as the snippet you provided should work fine on its own.

syncthing-test.nix

{ config, ... }: let
  user = "someuser";
  host = "somehost";
in {
  sops.secrets = {
    "syncthing/${host}-cert.pem" = {
      owner = user;
      path = "/home/${user}/.config/syncthing/cert.pem";
    };
    "syncthing/${host}-key.pem" = {
      owner = user;
      path = "/home/${user}/.config/syncthing/key.pem";
    };
  };

  services.syncthing = (builtins.trace config.sops.secrets."syncthing/${host}-cert.pem".path) {
    enable = true;
    user = "${user}";
    key = "/home/${user}/.config/syncthing/key.pem";
    cert = "/home/${user}/.config/syncthing/cert.pem";
  };
}
