dev: reland add direct tests for agenix

[ryantm]

Why

• We'd like some tests for the CLI
• Last time we tried it failed on macos

What changed

• This time, we try to create the temp directory in a way that works
  with macos too

[vtuan10]

When trying to install agenix on my darwin machine with this commit, I get the following error:

error: getting status of /nix/var/nix/daemon-socket/socket: Operation not permitted

[n8henrie]

@vtuan10 did you intend to start a new issue, or is that related to this PR?

You'll also need to include the command you're running.

[vtuan10]

I can create an separate issue if wished, but it is related to this PR.

I encountered this issue, when I upgraded my flake inputs. I tested all commits since 0.14.0 and the commit responsible currently for the above mentioned error lies in a23aa27, which came from this PR.

I can reproduce this error, when I simply run nix run github:ryantm/agenix -- --help on my M1 Mac with nix-darwin.

[n8henrie]

Ah, thanks for the additional context. I'll see if I can reproduce next time I'm at my MBP.

[n8henrie]

@vtuan10 not seeing it here.

$ nix-info -m
 - system: `"aarch64-darwin"`
 - host os: `Darwin 23.2.0, macOS 14.2.1`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.19.2`
 - channels(n8henrie): `""`
 - channels(root): `""`
 - nixpkgs: `/nix/store/b10famgvgsb87ppxvza6cbb4fb6qpw0d-source`
$ nix run github:ryantm/agenix -- --help
agenix - edit and rekey age secret files

agenix -e FILE [-i PRIVATE_KEY]
agenix -r [-i PRIVATE_KEY]

options:
-h, --help                show help
-e, --edit FILE           edits FILE using $EDITOR
-r, --rekey               re-encrypts all secrets with specified recipients
-d, --decrypt FILE        decrypts FILE to STDOUT
-i, --identity            identity to use when decrypting
-v, --verbose             verbose output

FILE an age-encrypted file

PRIVATE_KEY a path to a private SSH key used to decrypt file

EDITOR environment variable of editor to use when editing FILE

If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"

RULES environment variable with path to Nix file specifying recipient public keys.
Defaults to './secrets.nix'

agenix version: 0.15.0
age binary path: /nix/store/2bgv9ynggp3rilwl05bd8pij7sap7fhg-age-1.1.1/bin/age
age version: 1.1.1

[vtuan10]

Thanks for testing. I was able to run it as well, but only when I set sandbox = false. It's strange, as your sandbox is active as well..

[chrisportela]

I am also experiencing the same thing. I originally was using Nix 2.18 with "relaxed" sandbox and ran in to the issue. But I updated to 2.19 and made my sandbox set to true to hopefully match the config you posted and this is what I got.

Given this is some kind of permission error it makes me think maybe @vtuan10 and I have our nix installs in some state which it shouldn't be in. My install was from an early version of the determinate systems installer; to help rule this out, @n8henrie is your install relatively recent?

on lux in ~
❯ nix-info -m
 - system: `"aarch64-darwin"`
 - host os: `Darwin 23.2.0, macOS 14.2.1`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.19.2`
 - channels(cmp): `"darwin"`
 - channels(root): `"nixpkgs"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixpkgs`

on lux in ~
❯ nix run github:ryantm/agenix -- --help
warning: Ignoring setting 'auto-allocate-uids' because experimental feature 'auto-allocate-uids' is not enabled
warning: Ignoring setting 'impure-env' because experimental feature 'configurable-impure-env' is not enabled
error: builder for '/nix/store/s8bm7wj8564sa4pz8zxcl9wv5kc84wdx-agenix-0.15.0.drv' failed with exit code 2;
       last 10 log lines:
       > patching script interpreter paths in /nix/store/jz2n4y4l69jk9w6kx5yqzpzcxr7s28kp-agenix-0.15.0
       > /nix/store/jz2n4y4l69jk9w6kx5yqzpzcxr7s28kp-agenix-0.15.0/bin/agenix: interpreter directive changed from "#!/usr/bin/env bash" to "/nix/store/6nxav88iiz0g8m598xy643f8hhdz5kkx-bash-5.2-p21/bin/bash"
       > stripping (with command strip and flags -S) in  /nix/store/jz2n4y4l69jk9w6kx5yqzpzcxr7s28kp-agenix-0.15.0/bin
       > Running phase: installCheckPhase
       > no Makefile or custom installCheckPhase, doing nothing
       > agenix version: 0.15.0
       > error: getting status of /nix/var/nix/daemon-socket/socket: Operation not permitted
       > There is no rule for secret1.age in ./secrets.nix.
       > /nix/store/sf52i9wcklk5i5f2w15p0kng8dq3qqwx-stdenv-darwin/setup: line 147: test: =: unary operator expected
       > /nix/store/sf52i9wcklk5i5f2w15p0kng8dq3qqwx-stdenv-darwin/setup: line 140: pop_var_context: head of shell_variables not a function context
       For full logs, run 'nix log /nix/store/s8bm7wj8564sa4pz8zxcl9wv5kc84wdx-agenix-0.15.0.drv'.
on lux in ~  took 27s
❯

[n8henrie]

@chrisportela sorry for not getting back to you on this -- I guess #248 is what I deserve :)

I probably wasn't seeing it in #232 (comment) due to a cached build success; running with --rebuild triggers the bug.

I'm also on nix 2.19.3 now.