Nix darwin module #614
Nix darwin module #614
Conversation
This is somewhat but not entirely duplicative with the home manager support. The difference is primarily for MacOS servers, for which there is no LaunchAgent support (as launch agents are tied to user sessions). This PR adds a nix-darwin module (configured similarly to the home manager module) which is suitable for e.g. other launchd daemons.
|
@Mic92 I've tried to use this but for me it doesn't create the secrets in the EDIT: I think this is because my SSH-key is password protected. I found out by running: |
| launchd.daemons.sops-nix = { | ||
| serviceConfig = { | ||
| Program = script; | ||
| KeepAlive = false; | ||
| RunAtLoad = true; | ||
| StandardOutPath = cfg.logFile; | ||
| StandardErrorPath = cfg.logFile; | ||
| }; | ||
| }; |
There was a problem hiding this comment.
Hi @Mic92, I've tested this module on my setup and it works well but the launchd service isn't started after reboot. This is an issue with nix-darwin where the nix store is not yet mounted when the launchd services are started.
There is some work on the way to fix this in: LnL7/nix-darwin#1052 but for it to work correctly, we need to use command (or script) here instead of serviceConfig.Program.
| launchd.daemons.sops-nix = { | |
| serviceConfig = { | |
| Program = script; | |
| KeepAlive = false; | |
| RunAtLoad = true; | |
| StandardOutPath = cfg.logFile; | |
| StandardErrorPath = cfg.logFile; | |
| }; | |
| }; | |
| launchd.daemons.sops-nix = { | |
| command = script; | |
| serviceConfig = { | |
| KeepAlive = false; | |
| RunAtLoad = true; | |
| StandardOutPath = cfg.logFile; | |
| StandardErrorPath = cfg.logFile; | |
| }; | |
| }; |
| domain-target = "system"; | ||
| in '' | ||
| /bin/launchctl bootout ${domain-target}/org.nixos.sops-nix && true | ||
| /bin/launchctl bootstrap ${domain-target} /Library/LaunchAgents/org.nixos.sops-nix.plist |
There was a problem hiding this comment.
This probably has to be LaunchDaemons instead of LaunchAgents...
| /bin/launchctl bootstrap ${domain-target} /Library/LaunchAgents/org.nixos.sops-nix.plist | |
| /bin/launchctl bootstrap ${domain-target} /Library/LaunchDaemons/org.nixos.sops-nix.plist |
password protected ssh keys are unfortunately nothing we can support, because sops runs early in boot, where we cannot prompt for passwords. I would suggest generating an age key for now. |
Thank you. My solution was to use your ssh-to-age program to generate the age key from my encrypted SSH key and store it locally, and it worked well :) My problem now is that secrets aren't available immediately after logging in for other launchd services to consume. The secrets mount is only available after sops-install-secrets was run. On macOS, this gets triggered by the launchd daemon, and it might take a few seconds to decrypt the secrets and mount the in-memory volume. In my use case, I have another launchd daemon that runs a service dependent on the decrypted secrets file. But this file is not available yet when the service is started. I only realized One solution might be to use For now, it feels like this might be the reason why I can't use sops-nix for my use case. @Mic92 Do you have some thoughts on that? |
|
UPDATE: In the end I used some scripting to restart my other service when the secret files are available: niklasravnsborg/dotfiles@1afccc9. A problem I encountered was that file watching doesn't quite work as expected for symbolic links to files inside of a volume that may not be yet mounted, when the file watcher is started. But my solution handles most cases fine. |
|
@niklasravnsborg do you have a clue how I could make error reporting better in the darwin activation phase? launchd just silently fails, which is not great. I was wondering if I should not just run sops-install-secrets additionally in foreground on updates. |
|
Which errors did you encounter? The I guess it's fine to have it either restart the daemon or run the |
|
I mean if the service fails, I want to see the error in the shell that runs launchd service. |
|
I see, yeah this makes it harder to debug sometimes. I think seeing errors in the shell that bootstraps the service is not what launchd is made for, since launchd services run in the context of the system in the background (similarily to what systemd does on linux). On bootstraping they are just scheduled for starting and there is no immediate feedback. So I guess we could just run the launchd service on boot but use the I found |
No description provided.