Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

flakes recently broke use of git-crypt #139978

Closed
danderson opened this issue Sep 29, 2021 · 1 comment
Closed

flakes recently broke use of git-crypt #139978

danderson opened this issue Sep 29, 2021 · 1 comment
Labels
0.kind: bug

Comments

@danderson
Copy link
Contributor

Describe the bug

I have a git repository with my personal NixOS configurations. Some of the configuration is private, so I use git-crypt to transparently encrypt all private.nix files. Because of how git-crypt works, in my own checkout the files are in cleartext (once git-crypt has been initialized/unlocked), but once committed and pushed, the files are just encrypted noise. For example, https://github.com/danderson/homelab/tree/main/iris .

My personal configs use flakes.

As of a recent (~last few weeks? Unsure exactly when) update to Nix, nix can no longer evaluate any of my configurations, because for some reason it now only sees the encrypted version of the files, not the decrypted version in the worktree.

I'm assuming this is some kind of change that was made to make things "more hermetic" in some way, but reading pre-smudge files out of git is almost never the correct behavior, as git smudges are designed to take checked-in file blobs, which may be mangled and generally not fit for use, and turn them into a usable file.

Please consider reverting this change, and using post-smudge versions of files when Nix is invoked from within a git repository. Note this behavior only makes sense in the "apex" git repository in which Nix evaluations are being requested, since setting up smudges and authorizing specific git filters is a post-clone operation that requires human involvement, and therefore there's no good place to insert that step when pulling third-party flakes off the internet.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Create a git repository containing .nix files
  2. Set up git-crypt so that some of the .nix files are encrypted at rest when checked in
  3. Attempt to evaluate one of the cleartext .nix files, which imports one of the encrypted .nix files

Expected behavior

Nix evaluations should succeed if the set of nix definitions in my git worktree form a valid evaluation.

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 5.13.16, NixOS, 21.05.20210923.056a3c1 (Okapi)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.4pre20210908_3c56f62`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@Artturin
Copy link
Member

This is a nix issue NixOS/nix#5260

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@danderson @Artturin