Make agenix-rekey pick up secrets in container configuration

[glanch]

Currently I use NixOS declarative containers in my configuration. They can use agenix-rekey for secrets. To make agenix-rekey pick up the container's secrets, I separate container configuration and secret configuration of container and import the secret module file as an artificial nixosConfiguration in my flake as a module. This works fine for the basic use cases when configuration and secret definition do not overlap. This is not always the case as I may configure a module which then configures a secret. Then, my artificial configurations do not contain the implicit secrets and cannot be rekeyed.

I cannot refactor the container configuration into a separate module so I can import it in my artificial configuration as the container configuration is currently realized as a host module and is deeply tied to the host configuration. Therefore, I would like to make agenix-rekey pick up the whole container configuration including secrets without separating it into modules. However, I have no idea how to conduct this.

[lordkekz]

Yeah, the CLI doesn't inspect NixOS containers or microvms (see https://github.com/astro/microvm.nix) or any other guest configuration for that matter. I don't think there's a clean way for agenix-rekey to actually inspect guest configurations and recognize relevant secrets definitions.

Maybe it'd be best to allow users to write their own Nix code to collect the secrets from guest configurations? In that case you would write some Nix function to get the secrets both from your host config and any guest configurations you may use and then expose those as a flake output.

[oddlama]

It would probably be nicer if agenix-rekey would support it directly, but it has always been possible. It's one of my main usecases :D
I've pasted the relevant code to make this work below. I have some meta information in my repo (like that backend option), so you'll have to adjust it to your usecase:

# True NixOS nodes can define additional guest nodes that are built
# together with it. We collect all defined guests from each node here
# to allow accessing any node via the unified attribute `nodes`.
guestConfigs = flip concatMapAttrs self.nixosConfigurations (
  _: node:
  flip mapAttrs' (node.config.guests or { }) (
    guestName: guestDef:
    nameValuePair guestDef.nodeName (
      if guestDef.backend == "microvm" then
        node.config.microvm.vms.${guestName}.config
      else
        node.config.containers.${guestName}.nixosConfiguration
    )
  )
);

# All nixosSystem instanciations are collected here, so that we can refer
# to any system via nodes.<name>
nodes = self.nixosConfigurations // self.guestConfigs;

and in agenix rekeys global configuration refer to nodes

agenix-rekey.nixosConfigurations = self.nodes;

Taken from https://github.com/oddlama/nix-config/blob/20477ecdc52165058d2b076adbdfb1ca4c37b1bb/nix/hosts.nix#L63-L77