mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-22 17:50:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

use unstable verison of rage in place of age

Browse source 
* age limits the number of recipients to 20
* the latest release of rage (0.4.0) doesn't work with ssh-rsa keys
This commit is contained in:
Ryan Mulligan 2020-09-18 11:59:01 -07:00
parent d2dc883f3a
commit 07ce686870
5 changed files with 74 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
flake.lock
View file

@ -1,5 +1,20 @@
{ {
"nodes": { "nodes": {
"flake-utils": {
"locked": {
"lastModified": 1600209923,
"narHash": "sha256-zoOWauTliFEjI++esk6Jzk7QO5EKpddWXQm9yQK24iM=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cd06d3c1df6879c9e41cb2c33113df10566c760",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1599148892, "lastModified": 1599148892,
@ -16,6 +31,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
} }

23
flake.nix
View file

@ -1,18 +1,13 @@
{ {
description = "Secret management with age"; description = "Secret management with age";
outputs = { self, nixpkgs }: let
systems = [ inputs.flake-utils.url = "github:numtide/flake-utils";
"x86_64-linux"
"i686-linux" outputs = { self, nixpkgs, flake-utils }:
"x86_64-darwin" flake-utils.lib.eachDefaultSystem (system:
"aarch64-linux" {
"armv6l-linux"
"armv7l-linux"
];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
in {
nixosModules.age = import ./modules/age.nix; nixosModules.age = import ./modules/age.nix;
packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {}); packages = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};
defaultPackage = forAllSystems (system: self.packages.${system}.agenix); defaultPackage = self.packages.${system}.agenix;
}; });
} }

5
modules/age.nix
View file

@ -4,12 +4,15 @@ with lib;
let let
cfg = config.age; cfg = config.age;
rage = pkgs.callPackage ../pkgs/rage.nix {};
ageBin = "${rage}/bin/rage";
users = config.users.users; users = config.users.users;
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths); identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
installSecret = secretType: '' installSecret = secretType: ''
TMP_FILE="${secretType.path}.tmp" TMP_FILE="${secretType.path}.tmp"
(umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}") (umask 0400; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
chmod ${secretType.mode} "$TMP_FILE" chmod ${secretType.mode} "$TMP_FILE"
chown ${secretType.owner}:${secretType.group} "$TMP_FILE" chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
mv -f "$TMP_FILE" '${secretType.path}' mv -f "$TMP_FILE" '${secretType.path}'

10
pkgs/agenix.nix
View file

@ -1,4 +1,8 @@
{writeShellScriptBin, runtimeShell, age} : {writeShellScriptBin, runtimeShell, pkgs} :
let
rage = pkgs.callPackage ./rage.nix {};
ageBin = "${rage}/bin/rage";
in
writeShellScriptBin "agenix" '' writeShellScriptBin "agenix" ''
set -Eeuo pipefail set -Eeuo pipefail
@ -103,7 +107,7 @@ function edit {
DECRYPT+=(--identity "$key") DECRYPT+=(--identity "$key")
done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)" done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE") DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
${age}/bin/age "''${DECRYPT[@]}" || exit 1 ${ageBin} "''${DECRYPT[@]}" || exit 1
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before" cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
fi fi
@ -127,7 +131,7 @@ function edit {
ENCRYPT+=(-o "$REENCRYPTED_FILE") ENCRYPT+=(-o "$REENCRYPTED_FILE")
${age}/bin/age "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1 ${ageBin} "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
mv -f "$REENCRYPTED_FILE" "$1" mv -f "$REENCRYPTED_FILE" "$1"
} }

37
pkgs/rage.nix Normal file
View file

@ -0,0 +1,37 @@
{stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
rustPlatform.buildRustPackage rec {
pname = "rage";
version = "unstable-2020-09-05";
src = fetchFromGitHub {
owner = "str4d";
repo = pname;
rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";
sha256 = "sha256-ICcApZQrR4hGxo/RcFMktenE4dswAXA2/nJ5D++O2ig=";
};
cargoSha256 = "sha256-QwNtp7Hxsiads3bh8NRra25RdPbIdjp+pSWTllAvdmQ=";
nativeBuildInputs = [ installShellFiles ];
buildInputs = stdenv.lib.optionals stdenv.isDarwin [ darwin.Security ];
postBuild = ''
cargo run --example generate-docs
cargo run --example generate-completions
'';
postInstall = ''
installManPage target/manpages/*
installShellCompletion target/completions/*.{bash,fish,zsh}
'';
meta = with stdenv.lib; {
description = "A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability";
homepage = "https://github.com/str4d/rage";
changelog = "https://github.com/str4d/rage/releases/tag/v${version}";
license = licenses.asl20;
maintainers = [ maintainers.marsam ];
};
}