Agenix Line 162: unbound variable #288

Open
Supermarcel10 opened this issue Sep 14, 2024 · 2 comments

Comments

@Supermarcel10

Issue

It seems like there is an issue with how agenix might be retrieving the $EDITOR variable as superuser.

Line 162 seems to be referring to the following line of code:

# If stdin is not a terminal, take the cleartext from stdin instead of opening an editor.
[ -t 0 ] || EDITOR='cp /dev/stdin'

# Otherwise $EDITOR must already be set; "unbound variable" is what bash reports here under set -u when it is not.
$EDITOR "$CLEARTEXT_FILE" # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

if [ ! -f "$CLEARTEXT_FILE" ]
then
  warn "$FILE wasn't created."
  return
fi

Terminal

[marcel@marcel-pc:/etc/nixos/secrets]$ agenix -e github-token.age
mv: cannot move '/tmp/tmp.TB9tizadZX/github-token.age' to 'github-token.age': Permission denied

[marcel@marcel-pc:/etc/nixos/secrets]$ sudo !!
sudo agenix -e github-token.age
/run/current-system/sw/bin/agenix: line 162: EDITOR: unbound variable

[marcel@marcel-pc:/etc/nixos/secrets]$ sudo echo $EDITOR
nano

[marcel@marcel-pc:/etc/nixos/secrets]$ echo $EDITOR
nano
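
The terminal session above checks the variable with `sudo echo $EDITOR`, but the calling shell expands `$EDITOR` before sudo starts, so that line prints the caller's value rather than what the command run by sudo receives; sudo's default env_reset drops EDITOR unless the sudoers policy keeps it with env_keep. The script below is an added example, not part of this issue or of agenix: it reproduces the `set -u` failure in a scrubbed environment (using `env -i` as a stand-in for sudo's env_reset) and shows a `${EDITOR:-...}` fallback that does not trip it. The function names and the fallback order (EDITOR, then VISUAL, then vi) are assumptions.

```shell
#!/bin/sh
# Added example (not agenix's code): why `set -u` reports EDITOR as unbound
# under sudo, and how to resolve the editor without tripping on it.
set -u

# resolve_editor STDIN_IS_TTY
# Mirrors the agenix pattern: when stdin is not a terminal the "editor" is
# 'cp /dev/stdin' so the cleartext can be piped in. Otherwise fall back
# through EDITOR, VISUAL and finally vi (fallback order is an assumption).
# ${VAR:-default} expands safely under set -u even when VAR is unset.
resolve_editor() {
  if [ "$1" -eq 0 ]; then
    printf '%s\n' 'cp /dev/stdin'
  else
    printf '%s\n' "${EDITOR:-${VISUAL:-vi}}"
  fi
}

# editor_in_clean_env
# Runs a child with an empty environment, standing in for sudo's env_reset,
# which drops EDITOR unless sudoers keeps it via env_keep.
# Prints the value the child sees, or "unset".
editor_in_clean_env() {
  env -i sh -c 'printf "%s\n" "${EDITOR:-unset}"'
}

# editor_passed_explicitly
# Same scrubbed environment, but EDITOR is handed over on the command line,
# the way `sudo env EDITOR="$EDITOR" agenix -e file` (or `sudo -E`, where
# the sudoers policy permits it) would.
editor_passed_explicitly() {
  env -i EDITOR="${EDITOR:-unset}" sh -c 'printf "%s\n" "${EDITOR:-unset}"'
}

# editor_invocation_status [VAR=value ...]
# Runs the same `set -u; $EDITOR file` line that fails in the issue, in a
# scrubbed environment plus any VAR=value arguments, and prints its exit
# status: non-zero when EDITOR is missing, 0 when it is supplied.
editor_invocation_status() {
  if env -i ${1+"$@"} sh -c 'set -u; $EDITOR /dev/null' >/dev/null 2>&1; then
    printf '0\n'
  else
    printf '%s\n' "$?"
  fi
}
```

`editor_invocation_status` with no arguments reproduces the "unbound variable" abort; `editor_invocation_status EDITOR=true` shows the same line succeeding once the variable reaches the child. In practice that means either passing the editor through explicitly, as in `sudo env EDITOR="$EDITOR" agenix -e github-token.age`, or fixing the directory permissions so that sudo is not needed at all.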
@ccalhoun1999

I am running into the same issue. Is there any workaround for this?

@Supermarcel10
Author

Supermarcel10 commented Oct 31, 2024

@ccalhoun1999

So by the looks of it, the permissions agenix has are very specific, but I haven't seen it documented anywhere clearly and definitively.

As far as my testing goes, because of the error you'd normally be tempted to try running as the sudo user, but this is actually not the intended way to do it.

For my setup I have the following:
/etc/nixos/secrets containing:

  • secrets.nix:
    Note: You might have to comment out the line with example.age when building for the first time.

    let
      username = "age1...";
    in
    {
      "example1.age".publicKeys = [ username ];
      ...
    }

  • example1.age
  • example2.age
  • ...

In terms of the permissions, I've set the entire secrets directory as 775, owned by root, with a custom user group for managing it (but the default "users" is sufficient).

This will allow anyone to read all files within it, and execute on them, and only root and the user group can edit them (add new secrets, edit them, etc.).
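
The `mv: cannot move '/tmp/tmp.TB9tizadZX/github-token.age' to 'github-token.age': Permission denied` error earlier in the thread is about the target directory, not the .age file: agenix edits a copy under a temporary directory and then moves it into place, so the invoking user needs write and execute permission on the secrets directory itself. The script below is an added example (neither agenix's code nor the commenter's) that creates such a directory with mode 2775 rather than 775, so that files created by one group member inherit the group and remain editable by the others, and runs a preflight check before editing. The function names, the use of a temporary directory in place of /etc/nixos/secrets, and `id -gn` as the group are assumptions; the chown to root is left to the caller, since it needs root.

```shell
#!/bin/sh
# Added example (not agenix's code): set up a group-managed secrets directory
# and check, before calling agenix, that the caller can replace a file in it.
# agenix edits a copy in a temporary directory and then moves it over the
# target, so the caller needs write permission on the *directory*, which is
# what the "mv: ... Permission denied" error in the issue is about.
set -u

# setup_secrets_dir DIR GROUP
# Mode 2775 = rwxrwsr-x: owner and group can add, replace and remove
# entries, everyone can list and read (the .age files are ciphertext);
# the setgid bit (the leading 2) makes files created inside inherit GROUP,
# so other members can keep editing them. Ownership by root is left to the
# caller because chown needs root.
setup_secrets_dir() {
  dir="$1"; group="$2"
  mkdir -p "$dir"
  chgrp "$group" "$dir"
  chmod 2775 "$dir"
}

# can_replace_in FILE
# Prints "yes" if the calling user may create or replace FILE, judged by
# write and execute access on its parent directory, else "no".
# This is the permission agenix's final mv needs, regardless of FILE's own mode.
can_replace_in() {
  parent="$(dirname "$1")"
  if [ -w "$parent" ] && [ -x "$parent" ]; then
    printf 'yes\n'
  else
    printf 'no\n'
  fi
}

# dir_mode DIR
# Prints the permission string as shown by ls, e.g. drwxrwsr-x.
dir_mode() {
  ls -ld "$1" | cut -c1-10
}
```

Run `can_replace_in /etc/nixos/secrets/github-token.age` as the unprivileged user before `agenix -e`; a "no" means the directory permissions, not sudo, are what to fix.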
