Comments (3)
Thank you for the answer. I was fully expecting this just to be a stupid mistake of mine somewhere in my config (due to my inexperience with Nix and Linux as a whole).
Something that I've just tried and currently works on my machine™ is the following:
Setting

```nix
nix.settings.extra-sandbox-paths = [ "/var/tmp/agenix-rekey" ];
age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
systemd.tmpfiles.rules = [
  "d /var/tmp/agenix-rekey 1777 root root"
];
```
So that might be another solution depending on the setup :)
from agenix-rekey.
Thanks for bringing this up, that's a very good point. The issue is that the parent directory needs to have the sticky bit set (chmod 1777) so that only the owner of a directory may delete it. That is the case for `/tmp` but not for `/tmp/agenix-rekey`, which would be created by the first user running rekey. Missing the sticky bit would then compromise integrity for other users running rekey, since that first user might just replace rekeyed secrets by simply deleting the uid folder for another user and replacing the content with something else.
The only possible solutions I can see are:
- Manually adding `nix.settings.extra-sandbox-paths = ["/tmp/agenix-rekey-<UID>"];` for each user that needs to be able to rekey
- Be less strict in the sandbox and add `nix.settings.extra-sandbox-paths = ["/tmp"];` (not very elegant)
- Add a different persistent cache folder for agenix-rekey somewhere else (`/var/cache/agenix-rekey`, with mode 1777), then set `cacheDir = "/var/cache/agenix-rekey/\"$UID\""` and add `nix.settings.extra-sandbox-paths = ["/var/cache/agenix-rekey"];`.
The third solution is basically what you are proposing and what I've done in my own config, but it requires creating a directory with 1777. So the downside is that you have to manually do that or write an activation script that does it. Alternatively, if you are using impermanence you can do the following:
```nix
age.rekey.cacheDir = "/var/tmp/agenix-rekey/\"$UID\"";
environment.persistence."/state".directories = [
  { directory = "/var/tmp/agenix-rekey"; mode = "1777"; }
];
```
I've corrected the example in the readme and linked here for future readers. If you have any other suggestions on making this more accessible let me know!
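As an added illustration of the sticky-bit point made above (this is example code, not part of agenix-rekey or of either comment), a small shell check that verifies a shared cache parent directory has mode 1777 and that every per-UID subdirectory is owned by the UID it is named after. It assumes GNU/BusyBox `stat -c` is available.

```shell
#!/bin/sh
# check_rekey_cache DIR
# Verifies that DIR is safe to share between users as a per-UID cache parent.
# Constructed example, not agenix-rekey's own code. Returns 0 if all checks
# pass, 1 otherwise, printing one line per finding.
check_rekey_cache() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    # Mode must be exactly 1777: world-writable so any user can create its own
    # $UID subdirectory, sticky so only that owner (or root) may delete or
    # rename entries inside the parent.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "1777" ]; then
        echo "bad mode $mode on $dir (expected 1777)"
        rc=1
    fi
    # Each per-user subdirectory must be owned by the UID it is named after.
    # A directory named "1000" owned by another uid is the replacement case
    # the sticky bit on the parent is meant to rule out.
    for sub in "$dir"/*; do
        [ -d "$sub" ] || continue
        name=$(basename "$sub")
        case "$name" in
            *[!0-9]*) echo "unexpected entry: $sub"; rc=1; continue ;;
        esac
        owner=$(stat -c '%u' "$sub")
        if [ "$owner" != "$name" ]; then
            echo "$sub is owned by uid $owner, expected $name"
            rc=1
        fi
    done
    return $rc
}
```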