
Conflicts with Perlless Activation #475

Closed
nyabinary opened this issue Jan 27, 2024 · 13 comments

Comments


nyabinary commented Jan 27, 2024

Reproduce

```nix
systemd.sysusers.enable = true;
```

the error in question:

```
unpacking channels...
warning: Git tree '/etc/nixos' is dirty
building the system configuration...
warning: Git tree '/etc/nixos' is dirty
error:
       … while calling the 'head' builtin

         at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/attrsets.nix:960:11:

          959|         || pred here (elemAt values 1) (head values) then
          960|           head values
             |           ^
          961|         else

       … while evaluating the attribute 'value'

         at /nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/lib/modules.nix:809:9:

          808|     in warnDeprecation opt //
          809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          810|         inherit (res.defsFinal') highestPrio;

       (stack trace truncated; use '--show-trace' to show the full trace)

       error: The option `system.activationScripts.users' is defined multiple times while it's expected to be unique.

       Definition values:
       - In `/nix/store/dhf97ymc733klg6vkjavrfqss7qp5qjr-source/flake.nix':
           {
             deps = [
               "setupSecretsForUsers"
             ];
           }
       - In `/nix/store/9s5qs4hni9fj88x79iw6im7amv7ghb76-source/nixos/modules/config/users-groups.nix': ""
       Use `lib.mkForce value` or `lib.mkDefault value` to change the priority on any of these definitions.
```
nyabinary changed the title from "Conflict with Perlless Activation" to "Conflicts with Perlless Activation" on Jan 27, 2024
Mic92 (Owner) commented Feb 6, 2024

What systemd target can I use instead for sops now? @nikstur
I need one that comes before any users are created to decrypt password hashes and one that is started before any services that might need scripts.

nikstur commented Feb 6, 2024

You could just order before systemd-sysusers I guess. It's very difficult to tell which services might need scripts (if you mean activationScripts) because they run as early as possible (in the systemd-initrd even BEFORE stage 1 finishes).

EDIT: sysupdate -> sysusers

Mic92 (Owner) commented Feb 7, 2024

I think I mostly care about multi-user.target style services.

nikstur commented Feb 7, 2024

Then ordering before systemd-sysusers.service should be plenty early.
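As an added illustration of the ordering nikstur suggests in the two comments above (run before `systemd-sysusers.service` so that anything a decryption step writes exists before users are created), here is a NixOS module fragment. It is example code, not sops-nix's own implementation: the unit name `decrypt-user-secrets`, the script body and the `/run/example-user-secrets` path are assumptions; the `systemd.services.<name>` options it uses (`wantedBy`, `before`, `unitConfig`, `serviceConfig`, `script`) are standard NixOS options.

```nix
# Added example (not sops-nix code): a hypothetical early-boot oneshot unit
# that must finish before systemd-sysusers.service creates users.
{ config, lib, pkgs, ... }:

{
  systemd.services.decrypt-user-secrets = {
    description = "Decrypt user secrets before systemd-sysusers runs";

    # Pull the unit into early boot and order it before sysusers, which is
    # itself ordered before sysinit.target.
    wantedBy = [ "sysinit.target" ];
    before = [ "systemd-sysusers.service" ];

    # Early-boot units must opt out of the default dependencies; otherwise
    # systemd would implicitly order this unit *after* sysinit.target and
    # the Before= above would form a cycle.
    unitConfig.DefaultDependencies = false;
    conflicts = [ "shutdown.target" ];

    serviceConfig = {
      Type = "oneshot";
      # Keep the unit "active" so later units that order after it are satisfied.
      RemainAfterExit = true;
    };

    # Placeholder body (assumed): a real implementation would decrypt into a
    # root-only directory and write each password hash file with mode 0600,
    # since it is read by systemd-sysusers as root and must not be world-readable.
    script = ''
      install -d -m 0700 /run/example-user-secrets
      # decryption step goes here (assumed, tool-specific)
    '';
  };
}
```

After a rebuild, `systemctl list-dependencies --before decrypt-user-secrets.service` should list `systemd-sysusers.service`, and `journalctl -b -u decrypt-user-secrets` shows the unit's own log if the hash file is missing. Note that this only addresses the runtime ordering; it does not change the limitation Mic92 describes below, where the sysusers integration in NixOS reads `hashedPasswordFile` at build time.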

Mic92 (Owner) commented Feb 8, 2024

Looks like we cannot use sysusers with sops-nix secrets, i.e. it requires hashedPasswordFile at build time.

```
nix-shell-env % nix build .#checks.x86_64-linux.user-passwords-sysusers -L
warning: unknown experimental feature 'configurable-impure-env'
system-path> created 6454 symlinks in user environment
static-sysusers-credentials> cat: /run/secrets-for-users/test_key: No such file or directory
error: build of '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' on 'ssh-ng://nix@vislor' failed: builder for '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' failed with exit code 1;
       last 1 log lines:
       > cat: /run/secrets-for-users/test_key: No such file or directory
       For full logs, run 'nix log /nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv'.
error: builder for '/nix/store/dcnrvj5fws1iqh292s6f57p94nj3gz67-static-sysusers-credentials.drv' failed with exit code 1
error: 1 dependencies of derivation '/nix/store/4hmpakm8pd1j82kg9j13kzrm5nkfk33s-static-sysusers.drv' failed to build
error: 1 dependencies of derivation '/nix/store/x9r5m6yw6clna4frkf13f4yq1qrcbf9s-etc.drv' failed to build
error: 1 dependencies of derivation '/nix/store/5icridr0ydymmd8c7xgh0d41vfk26036-nixos-system-machine-24.05pre-git.drv' failed to build
error: 1 dependencies of derivation '/nix/store/v8lk0xzh2sas7gn48kb8ligl8l65y15q-nixos-vm.drv' failed to build
error: 1 dependencies of derivation '/nix/store/59wkb4x1kw9mwlj5hqg07xib6f7n2s8d-nixos-test-driver-sops-user-passwords-sysusers.drv' failed to build
error: 1 dependencies of derivation '/nix/store/6af5f9vi4a3p3jdcf8qvx0f1fdmxskjc-vm-test-run-sops-user-passwords-sysusers.drv' failed to build
noglob nix build .#checks.x86_64-linux.user-passwords-sysusers -L  2.26s user 2.15s system 30% cpu 14.595 total
```

Mic92 (Owner) commented Feb 8, 2024

with mutableUsers enabled this works at least: #484

nyabinary (Author) commented

> with mutableUsers enabled this works at least: #484

What about a solution without mutableUsers? I don't have mutable users enabled personally. Is there any realistic solution?

Mic92 (Owner) commented Mar 14, 2024

No. This is a limitation of how the sysusers implementation works in NixOS and not of sops-nix. It wants to open secrets at build time rather than at activation time.

eclairevoyant commented May 18, 2024

When using sops-nix's templating, it seems that even with mutableUsers enabled, the same error comes up again.

MWE

```nix
{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    sops-nix = {
      url = "github:mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs";
        nixpkgs-stable.follows = "nixpkgs";
      };
    };
  };

  outputs =
    {
      self,
      nixpkgs,
      sops-nix,
    }:
    {
      nixosConfigurations.test = nixpkgs.lib.nixosSystem {
        modules = [
          (
            { config, modulesPath, ... }:
            {
              imports = [
                "${modulesPath}/profiles/minimal.nix"
                sops-nix.nixosModules.sops
              ];

              boot = {
                initrd.systemd.enable = true;
                loader.systemd-boot.enable = true;
              };

              fileSystems."/".device = "PLACEHOLDER";
              nixpkgs.hostPlatform = "x86_64-linux";

              sops = {
                age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
                secrets.secret1 = {
                  format = "binary";
                  sopsFile = self + /secrets/test.bin;
                };
                templates.secret1.content = ''
                  TEST
                  ${config.sops.placeholder.secret1}
                  TEST
                '';
              };

              system = {
                etc.overlay.enable = true;
                stateVersion = "24.05";
              };

              systemd.sysusers.enable = true;
            }
          )
        ];
      };
    };
}
```
Error

```
building the system configuration...
error:
       … while calling the 'head' builtin
         at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/attrsets.nix:1575:11:
         1574|         || pred here (elemAt values 1) (head values) then
         1575|           head values
             |           ^
         1576|         else

       … while evaluating the attribute 'value'
         at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/modules.nix:809:9:
          808|     in warnDeprecation opt //
          809|       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
             |         ^
          810|         inherit (res.defsFinal') highestPrio;

       … while evaluating the option `system.build.toplevel':

       … while evaluating definitions from `/nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/nixos/modules/system/activation/top-level.nix':

       … while evaluating the option `system.systemBuilderArgs':

       … while evaluating definitions from `/nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/nixos/modules/system/activation/activatable-system.nix':

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: attribute 'setupSecrets' missing
       at /nix/store/0qd773b63yg8435w8hpm13zqz7iipcbs-source/lib/strings-with-deps.nix:72:71:
           71|           else if done ? ${entry} then f done (tail todo)
           72|           else f (done // listToAttrs [{name = entry; value = 1;}]) ([predefined.${entry}] ++ tail todo);
             |                                                                       ^
           73|     in (f {} arg).result;
```

Shawn8901 commented Jul 21, 2024

Would this change the situation for sops-nix?
NixOS/nixpkgs@2710a49 which is part of NixOS/nixpkgs#328926

If I understood correctly, the initial issue is that the user spec was created at build time. If I got that change correctly, it changes that, due to keeping uid/gid on machines.

Still, it points out that sysusers just does initial passwords, but that's an assertion that is then not sops-nix related (and also on that PR).

Mic92 (Owner) commented Jul 25, 2024

Probably? One can just enable it in the nixos test for sysusers and see if it breaks.

nikstur commented Aug 11, 2024

To overcome the limitations of systemd-sysusers, I wrote Userborn. This should be able to work fully with sops-nix.

See the Nixpkgs PR: NixOS/nixpkgs#332719

Mic92 (Owner) commented Sep 6, 2024

I would suggest migrating to userborn, if possible.

Mic92 closed this as completed Sep 6, 2024