Secret never builds

[TheSirC]

Thank you for the secret management library !

When I try to use it in an option defined like the following :

{
  config,
  pkgs,
  lib,
  ...
}:
with lib; {
  options.perso.cache = mkEnableOption "the build cache offloading";
  config = mkIf config.perso.cache {
    secrix.system.secrets.cachixToken.encrypted.file = ../../secrix/secrets/cachix;
    environment = {
      systemPackages = with pkgs; [cachix];
      variables.CACHIX_AUTH_TOKEN = (import config.secrix.system.secrets.cachixToken.decrypted.path).ouroboros;
    };
   # Whatever
  };
}

I get the following error message error: path '/run/system-keys/cachixToken' does not exist when I do sudo nixos-rebuild --flake .#host --impure build

As if the function defined here is never called :

secrix/module.nix

Lines 402 to 418 in f783b03

	systemKeysMainService = {
	secrix-system-secrets = {
	script = ''
	${c "mkdir"} -p ${runKeyDir}
	'';
	wantedBy = [ "multi-user.target" ];
	unitConfig.PropagatesStopTo = map (x: "secrix-system-secret-${x}.service") (attrNames cfg.system.secrets);
	serviceConfig = {
	Type = "oneshot";
	RemainAfterExit = true;
	RuntimeDirectory = cfg.system.secretsDir.name;
	RuntimeDirectoryMode = cfg.system.secretsDir.permissions;
	User = cfg.system.secretsDir.user;
	Group = cfg.system.secretsDir.group;
	};
	};
	};

In my flake.nix I have :

 outputs = inputs @ {
    secrix,
    self,
    ...
  }: {
      # ...
      host.modules = [
        # Here
        secrix.nixosModules.default
        ./modules
      ];
      apps.x86_64-linux.secrix = secrix.secrix self;
}

and I import somewhere in the host configuration :

    secrix.hostIdentityFile = builtins.readFile (../. + "/secrix/keys/ed25519-default-secrix");
    secrix.hostPubKey = builtins.readFile (../. + "/secrix/keys/ed25519-default-secrix.pub");

Of course, the selected key can decrypt the secret (tested independently with age).

[DarthPJB]

Hello again @TheSirC
It appears you have misunderstood the use of secret management in this context.
you cannot import config.secrix.system.secrets.cachixToken.decrypted.path because this path exists on the REMOTE machine at runtime.

I believe you want to instead use:
CACHIX_AUTH_TOKEN = "$(cat config.secrix.system.secrets.cachixToken.decrypted.path)
This will when the service starts, on the remote computer 'cat' the contents of the decrypted-secret into the enviroment-variable.

The key knowledge here is:

config.secrix.system.secrets.cachixToken.encrypted.file - an encrypted file (created with nix run .#secrix create
config.secrix.system.secrets.cachixToken.decrypted.path - The decrypted file, decrypted AT RUN TIME on the machine this configuration is deployed to.

For example; If you are building the conifguration on machine-1 for machine-2
encrypted.file would be in your local git repostory on machine-1
decrypted.path would be in /run/system-keys on machine-2

---

In furtherance, you may wish to properly use systemd-services for your cachix deployment.

for your consideration, here's an example of a Nix-cache (using nix-serve, not cachix) that does something similar

{ config, ... }:
let
  fqdn = "cache.example.com";
in
{
  nix.sshServe = {
    enable = true;
    keys = [ "<cachepublic-ssh-key-here>" ];
    write = true;
    protocol = "ssh-ng";
  };
  nix.settings.trusted-users = [ "nix-ssh" ];

  secrix.services.nix-serve.secrets.cache-priv-key.encrypted.file = ../secrets/cache-priv-key;
  services.nix-serve = {
    enable = true;
    secretKeyFile = config.secrix.services.nix-serve.secrets.cache-priv-key.decrypted.path;
    bindAddress = 192.168.0.0;
    port = 5001;
  };

  services.nginxProxyHost."${fqdn}" = {
    host = config.physical.networks.internal.address;
    proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
    public = false;
  };
}