Symlinks to other directories: "cannot chown symlink/too many levels of symbolic links" #701

Open
mettavi opened this issue Jan 1, 2025 · 1 comment

mettavi commented Jan 1, 2025

Hi, I am running sops-nix on nix-darwin, with home-manager as a nix-darwin module, using flakes.

Whenever I set the path = option on a secret to create a symlink, I am getting an error. For example, I set the following options on one secret:

github_token = {
  owner = "${config.users.users.ta.name}";
  path = "${config.users.users.ta.home}/.config/sops/age/github_token";
};

Then when I run darwin-rebuild switch I get the following error on activation:

Setting up secrets...
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key
with fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/nix/store/rrlk1kncx6mvzaqb8fz5fnqpfcbpma3p-sops-install-secrets-0.0.1/bin/sops-install-secrets: 
failed to prepare symlinks to secret store: failed to symlink secret '/Users/timotheos/.config/sops/age/github_token': 
cannot chown symlink '/Users/timotheos/.config/sops/age/github_token': 
failed to open /Users/timotheos/.config/sops/age/github_token: too many levels of symbolic links

My home-manager sops config then doesn't get activated.

However, inspecting the symlink directory shows that the symlink has indeed been created.

 ls -al ~/.config/sops/age
total 4
drwxr-xr-x 5 timotheos staff 160 Jan  1 17:57 .
drwxr-xr-x 3 timotheos staff  96 Dec 30 14:46 ..
lrwxr-xr-x 1 root      staff  25 Jan  1 17:57 github_token -> /run/secrets/github_token
-rw------- 1 timotheos staff 189 Dec 30 14:48 keys.bak
lrwxr-xr-x 1 root      staff  27 Jan  1 17:38 keys.txt -> /run/secrets/encryption_key

And the actual file:

 sudo ls -al /run/secrets/
total 12
drwxr-x--x 2 root      wheel 170 Jan  1 17:35 .
drwxr-xr-x 4 root      wheel 272 Jan  1 17:57 ..
-r-------- 1 timotheos staff 149 Jan  1 17:35 cachix_auth_token
-rw-r--r-- 1 timotheos staff 189 Jan  1 17:35 encryption_key
-r-------- 1 timotheos staff  40 Jan  1 17:35 github_token

(Running darwin-rebuild switch a second time brings no change.)

However, if I change the sops-nix config to NOT change the user, then I can use path = without error:

github_token = {
  # owner = "${config.users.users.ta.name}";
  path = "${config.users.users.ta.home}/.config/sops/age/github_token";
};

Resulting in:

Setting up secrets...
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key
with fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Setting up secrets for users
sops-install-secrets: Imported /etc/ssh/ssh_host_ed25519_key as age key
with fingerprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

So in other words, it looks like the owner = and the path = options are mutually exclusive. I can only use one of them at a time.

If anyone can help to diagnose the problem here, I would really appreciate it. Happy to provide further information if needed.

 nix-info
system: "x86_64-darwin", multi-user?: yes, version: nix-env (Nix) 2.24.10,
channels(root): "", nixpkgs: /nix/store/w5fqkpwgg6q0iw7c5sd9nab8dq94wapk-source
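The "too many levels of symbolic links" text in the error above is the message for errno ELOOP. Besides a genuine symlink loop, a kernel also returns ELOOP when a symlink is opened with O_NOFOLLOW, while lchown(2) changes the ownership of the link inode itself without opening or following it. The following Go program, added here as an illustration and not taken from the issue or from sops-nix, builds a constructed target file and symlink in a temporary directory and shows both behaviours; it makes no claim about which code path sops-install-secrets takes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openNoFollow opens path with O_NOFOLLOW and returns the raw syscall error,
// so the caller can see whether the kernel refused because path is a symlink.
func openNoFollow(path string) error {
	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	return syscall.Close(fd)
}

// IsLoopError reports whether err is ELOOP ("too many levels of symbolic links").
func IsLoopError(err error) bool {
	return errors.Is(err, syscall.ELOOP)
}

// ChownSymlinkItself changes the owner of the link inode, not of its target,
// via lchown(2); an id of -1 leaves that id unchanged.
func ChownSymlinkItself(link string, uid, gid int) error {
	return os.Lchown(link, uid, gid)
}

// Demo creates a constructed secret file and a symlink to it in a temp dir,
// then reports whether an O_NOFOLLOW open of the link yields ELOOP and
// whether lchown on the link succeeds (with -1/-1, i.e. no actual change).
func Demo() (loopErr bool, lchownOK bool, err error) {
	dir, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	target := filepath.Join(dir, "secret") // stands in for /run/secrets/<name>
	link := filepath.Join(dir, "link")     // stands in for the path = symlink
	if err := os.WriteFile(target, []byte("constructed secret\n"), 0o400); err != nil {
		return false, false, err
	}
	if err := os.Symlink(target, link); err != nil {
		return false, false, err
	}
	return IsLoopError(openNoFollow(link)), ChownSymlinkItself(link, -1, -1) == nil, nil
}

func main() {
	fmt.Println(Demo()) // prints: true true <nil>
}
```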
Swoorup commented Jan 13, 2025

Facing this exact problem for the symlink in the logs, but it works somehow. A workaround for me was to use mode = "0440", which is not ideal.
