
Order of operations #117

Closed
jsimonetti opened this issue Jul 7, 2022 · 4 comments · Fixed by #119

@jsimonetti
Contributor

As suggested in Matrix I am creating this issue about the order in which agenix operates.

When switching generations I consistently see the following order of operations in the log output:

[agenix] symlinking new secrets to /run/agenix (generation 6)...
[agenix] removing old secrets (generation 5)...
[agenix] decrypting root secrets...
decrypting '/nix/store/xxx.age' to '/run/agenix.d/6/xxx'...
decrypting '/nix/store/yyy.age' to '/run/agenix.d/6/yyy'...
[agenix] decrypting non-root secrets...
decrypting '/nix/store/zzz.age' to '/run/agenix.d/6/zzz'...

This got me wondering as I would expect the order of operations to be:

  1. decrypt secrets into new generation
  2. symlink new secrets
  3. remove old generation/secrets

Could we get some clarification about the actual order?

@jsimonetti
Contributor Author

jsimonetti commented Jul 7, 2022

Looking at the source at https://github.com/ryantm/agenix/blob/main/modules/age.nix#L155 it looks like the logged order is actually the order in which operations take place.

The agenixMountSecret activation script creates a new generation, (forcefully) symlinks it to the ${cfg.secretsDir} and (if it is larger than 1) removes the old generation.

The installRootOwnedSecrets and installNonRootSecrets both depend on agenixMountSecret and are therefore executed after that.

If I read this correctly, there is a brief state in which the current/old generation no longer exists and the new/to-be generation is still empty (no decrypted secrets).

@jsimonetti
Contributor Author

jsimonetti commented Jul 7, 2022

I think the solution would be to move lines 174-178 from https://github.com/ryantm/agenix/blob/main/modules/age.nix#L174 to a new script that depends on the installRootOwnedSecrets and installNonRootSecrets scripts.

What do you think? I can make a PR if you agree.
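
The window described in the two comments above, as an added example that is not part of this thread or of agenix itself: a stand-alone shell simulation that stands a temporary directory in for /run/agenix and /run/agenix.d, and stands writing a constructed plaintext file in for age decryption. The function names (flawed_switch, fixed_switch, trace, count_missing) are this example's own and are not agenix's activation-script names; agenix orders its real scripts through NixOS activation-script dependencies rather than by calling them in sequence as done here.

```shell
#!/usr/bin/env sh
# Added example (not agenix's own code): simulates the two activation orderings
# discussed in this issue inside a temporary directory. $SECRETS_DIR stands in
# for /run/agenix and $GEN_DIR for /run/agenix.d; "decryption" just writes a
# constructed plaintext file where `age -d` would write the real secret.
set -eu

# Stand-in for decrypting one secret into a generation directory.
decrypt_into() {
    gen="$1"
    mkdir -p "$GEN_DIR/$gen"
    printf 'secret-for-generation-%s\n' "$gen" > "$GEN_DIR/$gen/xxx"
}

# Records whether a consumer reading the stable path would find the secret
# at this step ("<step>:present" or "<step>:missing").
observe() {
    if [ -r "$SECRETS_DIR/xxx" ]; then
        echo "$1:present"
    else
        echo "$1:missing"
    fi >> "$LOG"
}

# Ordering as logged in the issue: create the new generation, point the
# symlink at it, remove the old generation, and only then decrypt.
flawed_switch() {
    old="$1"; new="$2"
    mkdir -p "$GEN_DIR/$new"
    ln -sfn "$GEN_DIR/$new" "$SECRETS_DIR"; observe after-symlink
    rm -rf "$GEN_DIR/$old";                 observe after-remove
    decrypt_into "$new";                    observe after-decrypt
}

# Ordering proposed in the issue: decrypt into the new generation first,
# then switch the symlink, then remove the old generation.
fixed_switch() {
    old="$1"; new="$2"
    decrypt_into "$new";                    observe after-decrypt
    ln -sfn "$GEN_DIR/$new" "$SECRETS_DIR"; observe after-symlink
    rm -rf "$GEN_DIR/$old";                 observe after-remove
}

# Runs one switch from generation 5 to 6 with the given ordering
# ("flawed" or "fixed") in a fresh sandbox and prints the observation trace.
trace() {
    ROOT="$(mktemp -d)"
    SECRETS_DIR="$ROOT/agenix"
    GEN_DIR="$ROOT/agenix.d"
    LOG="$ROOT/observations"
    : > "$LOG"
    decrypt_into 5                        # generation 5 is live before the switch
    ln -sfn "$GEN_DIR/5" "$SECRETS_DIR"
    "${1}_switch" 5 6
    cat "$LOG"
    rm -rf "$ROOT"
}

# Number of steps during a switch at which the secret was unreadable.
count_missing() {
    trace "$1" | grep -c missing || true
}

echo "flawed ordering:"; trace flawed
echo "fixed ordering:";  trace fixed
```

Run it with sh: the flawed trace reports the secret missing both after the symlink is moved and after the old generation is removed, and present only once decryption has finished, while the fixed trace reports it present at every step. Anything that reads the stable path during the flawed ordering's window finds an empty directory.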

@ryantm
Owner

ryantm commented Jul 7, 2022

@cole-h as the author of the symlinking PR, maybe you can comment?

@cole-h
Collaborator

cole-h commented Jul 8, 2022

Yeah, that sounds like a good change to make -- thanks for catching that!
