bug: sops-nix activation in home-manager

[gesker]

Are you following the right branch?

• My Nixpkgs and Home Manager versions are in sync

Is there an existing issue for this?

• I have searched the existing issues

Issue description

There appears to be a plist file conflict when trying to activate sops-nix on home-manager; nix-darwin module. This issue was was mentioned under a possibly related - or at least similar - issue #710 in the sops-nix repository.

It was recommended to the OP on that issue that the issue be reported directly to home-manager. Again, not 100% sure that this is the same issue. Also, I did not see the OP of that issue RE-report in this repository.

Upon issuing nix run nix-darwin -- switch --flake /etc/nix-darwin an error is returned shortly after reaching Home-Manager activation:

Starting Home Manager activation
Activating checkFilesChanged
Activating checkKittyTheme
Activating checkLaunchAgents
Existing file '/Users/gesker/Library/LaunchAgents/**org.nix-community.home.sops-nix.plist' is in the way of '/nix/store/x96razajz78mkr4p223bdc91l9yny65y-home-manager-agents/org.nix-community.home.sops-nix.plist'

I have tried completely uninstalling Nix and then reinstalling nix running home-manager only (without nix-darwin) and the same error is encountered.

Maintainer CC

Unsure which maintainer it would be appropriate to tag.

System information

- system: `"aarch64-darwin"`
 - host os: `Darwin 24.3.0, macOS 15.3.1`
 - multi-user?: `yes`
 - sandbox: `no`
 - version: `nix-env (Nix) 2.24.12`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/nix/store/593xvgv994xlkm5mb7w4p1xxnzrs9wv6-source`

[khaneliman]

Been meaning to look into it more, but it is inconsistent when it occurs for me.

[gesker]

@khaneliman I was grateful to find your original issue.

I had been trouble shooting on a different/incorrect path as I was not having this same issue on my regular NixOS systems and I'm still new enough to the nix ecosystem that I was not confident in firing off an issue report.

For a short time I was sure it was nix-darwin related and at one point I completely uninstalled nix from the Mac and then reinstalled without nix-darwin using home-manager only. And, then I repeated all combinations of the uninstall/reinstall again but instead of nix from nixos.org I tried the nix distributed by determinate. Again, first with nix-darwin then home-manager only.

As of now I'm back to nix from nixos.org with both nix-darwin and home-manager and the issue is consistent.

Having to go back to managing keys/secrets/misc items manually very much drove home how important the sops-nix project has become in my day to day workflow. sops-nix really is super useful and I am so glad it exists.

[khaneliman]

Whenever I get the conflict, I just sudo rm ..../sops.plist to remove the file and rerun my activation script. But, it's definitely not fun to deal with... it's been occurring less often for me so I haven't been too motivated, but I still do see it from time to time.

home-manager/modules/launchd/default.nix

Lines 94 to 130 in b71edac

	home.activation.checkLaunchAgents =
	hm.dag.entryBefore [ "writeBoundary" ] ''
	checkLaunchAgents() {
	local oldDir newDir dstDir err
	oldDir=""
	err=0
	if [[ -n "''${oldGenPath:-}" ]]; then
	oldDir="$(readlink -m "$oldGenPath/LaunchAgents")" || err=$?
	if (( err )); then
	oldDir=""
	fi
	fi
	newDir=${escapeShellArg agentsDrv}
	dstDir=${escapeShellArg dstDir}
	local oldSrcPath newSrcPath dstPath agentFile agentName
	find -L "$newDir" -maxdepth 1 -name '*.plist' -type f -print0 \
	| while IFS= read -rd "" newSrcPath; do
	agentFile="''${newSrcPath##*/}"
	agentName="''${agentFile%.plist}"
	dstPath="$dstDir/$agentFile"
	oldSrcPath="$oldDir/$agentFile"
	if [[ ! -e "$dstPath" ]]; then
	continue
	fi
	if ! cmp --quiet "$oldSrcPath" "$dstPath"; then
	errorEcho "Existing file '$dstPath' is in the way of '$newSrcPath'"
	exit 1
	fi
	done
	}
	checkLaunchAgents
	'';

is the bash script that causes the issue. Just haven't drilled in to analyze it and figure out why it has issues randomly. (It was also consistent for me for a while too)

[gesker]

Even after removing the file that is in the way no joy.

First run:

Starting Home Manager activation
Activating checkFilesChanged
Activating checkKittyTheme
Activating checkLaunchAgents
Existing file '/Users/gesker/Library/LaunchAgents/org.nix-community.home.sops-nix.plist' is in the way of '/nix/store/x96razajz78mkr4p223bdc91l9yny65y-home-manager-agents/org.nix-community.home.sops-nix.plist'

then remove the blocking file:

rm /Users/gesker/Library/LaunchAgents/org.nix-community.home.sops-nix.plist

Second run:

Starting Home Manager activation
Activating checkFilesChanged
Activating checkKittyTheme
Activating checkLaunchAgents
Activating checkLinkTargets
Activating writeBoundary
Creating new profile generation
Activating createGpgHomedir
Activating installPackages
Activating migrateGhAccounts
Activating linkGeneration
Cleaning up orphan links from /Users/gesker
Creating home file links in /Users/gesker
Activating onFilesChange
Activating setupLaunchAgents
Bootstrap failed: 5: Input/output error
Try re-running the command as root for richer errors.

Third run:

Back to original error

Activating home-manager configuration for gesker
Starting Home Manager activation
Activating checkFilesChanged
Activating checkKittyTheme
Activating checkLaunchAgents
Existing file '/Users/gesker/Library/LaunchAgents/org.nix-community.home.sops-nix.plist' is in the way of '/nix/store/x96razajz78mkr4p223bdc91l9yny65y-home-manager-agents/org.nix-community.home.sops-nix.plist'

I did try with sudo just to see if there was a difference but encountered:

sudo nix run nix-darwin -- switch --flake /etc/nix-darwin


warning: $HOME ('/Users/gesker') is not owned by you, falling back to the one defined in the 'passwd' file ('/var/root')
building the system configuration...
warning: $HOME ('/Users/gesker') is not owned by you, falling back to the one defined in the 'passwd' file ('/var/root')
warning: Git tree '/etc/nix-darwin' is dirty
warning: $HOME ('/Users/gesker') is not owned by you, falling back to the one defined in the 'passwd' file ('/var/root')
setting up Homebrew (/opt/homebrew)...
setting up Homebrew (/usr/local)...
user defaults...
setting up user launchd services...
Homebrew bundle...
Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.

It is every time so stuck on macOS.

[water-sucks]

I have been running into the same errors, but this is not just with sops-nix. It is with every single launchd service that I have configured, including ones that are in HM already like Atuin, so I'm not actually sure if this is related to sops-nix directly or if it's a launchd activation issue in general.

It's pretty consistent for me though, I get this on every single activation and it makes nix-darwin borderline unusable for me unless I remove all of the offending launchd services from my config.

home-manager/modules/launchd/default.nix

Lines 134 to 210 in b71edac

	home.activation.setupLaunchAgents =
	hm.dag.entryAfter [ "writeBoundary" ] ''
	setupLaunchAgents() {
	local oldDir newDir dstDir domain err
	oldDir=""
	err=0
	if [[ -n "''${oldGenPath:-}" ]]; then
	oldDir="$(readlink -m "$oldGenPath/LaunchAgents")" || err=$?
	if (( err )); then
	oldDir=""
	fi
	fi
	newDir="$(readlink -m "$newGenPath/LaunchAgents")"
	dstDir=${escapeShellArg dstDir}
	domain="gui/$UID"
	err=0
	local srcPath dstPath agentFile agentName i bootout_retries
	bootout_retries=10
	find -L "$newDir" -maxdepth 1 -name '*.plist' -type f -print0 \
	| while IFS= read -rd "" srcPath; do
	agentFile="''${srcPath##*/}"
	agentName="''${agentFile%.plist}"
	dstPath="$dstDir/$agentFile"
	if cmp --quiet "$srcPath" "$dstPath"; then
	continue
	fi
	if [[ -f "$dstPath" ]]; then
	for (( i = 0; i < bootout_retries; i++ )); do
	run /bin/launchctl bootout "$domain/$agentName" || err=$?
	if [[ -v DRY_RUN ]]; then
	break
	fi
	if (( err != 9216 )) &&
	! /bin/launchctl print "$domain/$agentName" &> /dev/null; then
	break
	fi
	sleep 1
	done
	if (( i == bootout_retries )); then
	warnEcho "Failed to stop '$domain/$agentName'"
	return 1
	fi
	fi
	run install -Dm444 -T "$srcPath" "$dstPath"
	run /bin/launchctl bootstrap "$domain" "$dstPath"
	done
	if [[ ! -e "$oldDir" ]]; then
	return
	fi
	find -L "$oldDir" -maxdepth 1 -name '*.plist' -type f -print0 \
	| while IFS= read -rd "" srcPath; do
	agentFile="''${srcPath##*/}"
	agentName="''${agentFile%.plist}"
	dstPath="$dstDir/$agentFile"
	if [[ -e "$newDir/$agentFile" ]]; then
	continue
	fi
	run /bin/launchctl bootout "$domain/$agentName" || :
	if [[ ! -e "$dstPath" ]]; then
	continue
	fi
	if ! cmp --quiet "$srcPath" "$dstPath"; then
	warnEcho "Skipping deletion of '$dstPath', since its contents have diverged"
	continue
	fi
	run rm -f $VERBOSE_ARG "$dstPath"
	done
	}
	setupLaunchAgents
	'';

the errors that I see with relation to Bootstrap failed: 5: Input/output error and Boot-out failed come from the setupLaunchAgents activation script when launchctl bootout or launchctl boostrap are ran.