yaxitech / ragenix

age-encrypted secrets for NixOS; drop-in replacement for agenix

Error when trying to edit file

a12l opened this issue · comments

When I try to edit the file a12l_password.age I get an error message:

$ ragenix -e a12l_password.age
error: secrets rules are invalid: './secrets.nix'
Failed to read ./secrets.nix as JSON

My expected result is that my $EDITOR starts with the decrypted file in a buffer.

This is my secrets.nix file:

let
  a12l = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9yYBrcu2A7N5S93yOgK7J9wNcMUWMN2va2cd7srZ6m";
  users = [a12l];
  p-desktop1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK1YN6HPXhnwhxr/qzvIstjLP70h+EXJ95/Ilsrl9W/0";
  systems = [p-desktop1];
in {"a12l_password.age".publicKeys = [a12l p-desktop1];}

I've looked at

$ ragenix --schema
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "description": "Agenix secrets rules schema",
  "type": "object",
  "properties": {},
  "additionalProperties": {
    "type": "object",
    "description": "An age-encrypted file",
    "required": [
      "publicKeys"
    ],
    "properties": {
      "publicKeys": {
        "type": "array",
        "minItems": 1,
        "items": {
          "type": "string",
          "description": "An age-compatible recipient, e.g., an ed25519 SSH public key"
        },
        "uniqueItems": true
      }
    }
  }
}

but I don't know when the schema is checked in the evaluation process.

Thanks for reporting! Unfortunately, I cannot reproduce this: the given secrets.nix works fine with ragenix -e a12l_password.age, i.e., my $EDITOR opens the (new) file for editing.

Maybe ragenix fails to execute nix. Does the following work for you?

nix --extra-experimental-features nix-command eval -f secrets.nix --json

> Maybe ragenix fails to execute nix. Does the following work for you?

$ nix --extra-experimental-features nix-command eval -f secrets.nix --json
{"a12l_password.age":{"publicKeys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9yYBrcu2A7N5S93yOgK7J9wNcMUWMN2va2cd7srZ6m","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK1YN6HPXhn

Addendum:

I've enabled all the necessary features (I think), and have the latest Nix stable version from unstable.

# fragment of a NixOS module (configuration.nix)
nix = {
  package = pkgs.nixStable;
  extraOptions = ''
    experimental-features = nix-command flakes recursive-nix
    keep-outputs = true
    keep-derivations = true
  '';
  systemFeatures = ["recursive-nix"];
};

So this works

$ nix eval -f secrets.nix --json
{"a12l_password.age":{"publicKeys":["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9yYBrcu2A7N5S93yOgK7J9wNcMUWMN2va2cd7srZ6m","ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK1YN6HPXhnwhxr/qzvIstjLP70h+EXJ95/Ilsrl9W/0"]}}
$ nix --version
nix (Nix) 2.6.1

I'm using the latest commit of Ragenix on main.

Could you please retry with the latest main (I've just merged #99)? I have my doubts that this helps but who knows.

> Could you please retry with the latest main (I've just merged #99)? I have my doubts that this helps but who knows.

Done. But the problem persists. :(

I'm running into the same issue while attempting to --rekey on x86_64-darwin.

I've run nix eval on the file with no issues. The original agenix command is also able to read the file and rekey.

❯ ragenix --verbose --rekey
error: secrets rules are invalid: './secrets.nix'
Failed to read ./secrets.nix as JSON

❯ nix --version
nix (Nix) 2.8.0

I'm wondering if it has something to do with defining variables with let ... in at the beginning of the file…?

Edit: Doesn't seem to be caused by the variables… I took the time to copy the keys verbatim into each secret's publicKeys list and removed the let ... in, but I still get the same error.

Yeah I have no idea. I reduced my secrets.nix to just the following:

{
  "wireless.env.age".publicKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsVn0I6Q0rL94W2V89efhUiffAeJfDtHYcW6czXcPkh"
  ];
}

And still the same error.

Do you still see this error @a12l @montchr with the latest commit? I still cannot really make any sense of it.

I've also come across this issue... But only running in a terminal inside of VS Code. Other terminals were OK.

I looked through the differences in the environments and ragenix --rekey broke immediately when the LD_LIBRARY_PATH variable was defined:

$ ragenix --rekey
Rekeying /home/x/nix-secrets/test.age
$ declare -x LD_LIBRARY_PATH="/run/current-system/sw/share/nix-ld/lib"
$ ragenix --rekey
error: secrets rules are invalid: './secrets.nix'
Failed to read ./secrets.nix as JSON

This variable exists (apparently only in VS Code environments for me) because I also have nix-ld installed to allow VS Code extensions and other binaries to work in NixOS and other systems. So I'm wondering if something about the substituted libraries coming from nix-ld and the LD_LIBRARY_PATH might be interfering with ragenix.

As others have reported, agenix continues to work as intended.

The contents of secrets.nix don't appear to matter.

Hope this helps. 🙂