From 05591973d7a546f84c60f4992715f8a5e3d74378 Mon Sep 17 00:00:00 2001
From: Charles Hall
Date: Fri, 3 Nov 2023 14:53:33 -0700
Subject: [PATCH 01/27] use named variable instead of numbered one
---
 pkgs/agenix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index f638b10..27a53c9 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -181,7 +181,7 @@ function edit {
 @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
- mv -f "$REENCRYPTED_FILE" "$1"
+ mv -f "$REENCRYPTED_FILE" "$FILE"
 }
 function rekey {
From 65fe5959c3014be90cbc046f30288b6e14beff48 Mon Sep 17 00:00:00 2001
From: Charles Hall
Date: Fri, 3 Nov 2023 14:57:48 -0700
Subject: [PATCH 02/27] create leading directories if they don't exist
This works for files without directories too because `dirname` prints `.` in that case.
---
 pkgs/agenix.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index 27a53c9..5212977 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -181,6 +181,8 @@ function edit {
 @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+ mkdir -p "$(dirname "$FILE")"
+
 mv -f "$REENCRYPTED_FILE" "$FILE"
 }
From 4c4860609491a98c1e4a6f03e0ba27c0a23982c0 Mon Sep 17 00:00:00 2001
From: Shiva Kaul
Date: Sun, 19 Mar 2023 00:17:27 -0400
Subject: [PATCH 03/27] only backup cleartext file if it exists
Avoids complaints from `cp` about nonexistent files.
---
 pkgs/agenix.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index f638b10..b82d942 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -155,7 +155,7 @@ function edit {
 decrypt "$FILE" "$KEYS" || exit 1
- cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+ [ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
 [ -t 0 ] || EDITOR='cp /dev/stdin'
From 221a1f22e5333882419023c698d21fbfc3017642 Mon Sep 17 00:00:00 2001
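Review bot: The new `mkdir -p "$(dirname "$FILE")"` is the only command in this stretch of `edit` without the `|| exit 1` its neighbours carry, so if the parent directory cannot be created the script continues into `mv -f`, which then fails and the freshly re-encrypted file is left only in the temporary directory that `cleanup` presumably removes. Matching the file's convention makes the failure explicit: `mkdir -p "$(dirname "$FILE")" || exit 1`. The rest of `edit` lies outside the hunk, so whether `set -e` is in effect is not visible here; the pervasive `|| exit 1` suggests it is not.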
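Review bot: With the backup now conditional, the later comparison of `$CLEARTEXT_FILE` against `$CLEARTEXT_FILE.before` (outside this hunk) runs with no `.before` file on the new-secret path; worth confirming that step treats a missing `.before` as "changed" rather than erroring or skipping re-encryption. Both files are plaintext copies of the secret, so it is also worth confirming `.before` lands in the same temporary directory as `$CLEARTEXT_FILE` so the `cleanup` trap removes both — the definition of `CLEARTEXT_FILE` is not in view. A short comment would record the intent: `# no .before exists when creating a new secret; the comparison below must treat that as changed`.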
From: Ryan Mulligan Date: Wed, 20 Dec 2023 07:51:36 -0800 Subject: [PATCH 04/27] dev: add release-drafter --- .github/release-drafter.yml | 33 +++++++++++++++++++++++++++ .github/workflows/release-drafter.yml | 33 +++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 .github/release-drafter.yml create mode 100644 .github/workflows/release-drafter.yml diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml new file mode 100644 index 0000000..a6d2e95 --- /dev/null +++ b/.github/release-drafter.yml @@ -0,0 +1,33 @@ + +name-template: '$RESOLVED_VERSION' +tag-template: '$RESOLVED_VERSION' +categories: + - title: '🚀 Features' + labels: + - 'feature' + - 'enhancement' + - title: '🐛 Bug Fixes' + labels: + - 'fix' + - 'bugfix' + - 'bug' + - title: '🧰 Development' + label: 'dev' + - title: '🤖 Dependencies' + label: 'dependencies' +change-template: '- $TITLE @$AUTHOR (#$NUMBER)' +change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks. +version-resolver: + major: + labels: + - 'major' + minor: + labels: + - 'minor' + patch: + labels: + - 'patch' + default: patch +template: | + ## Changes + $CHANGES diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml new file mode 100644 index 0000000..dd646d2 --- /dev/null +++ b/.github/workflows/release-drafter.yml 
@@ -0,0 +1,33 @@ +name: Release Drafter + +on: + push: + # branches to consider in the event; optional, defaults to all + branches: + - main + # pull_request event is required only for autolabeler + pull_request: + # Only following types are handled by the action, but one can default to all as well + types: [opened, reopened, synchronize] + # pull_request_target event is required for autolabeler to support PRs from forks + pull_request_target: + types: [opened, reopened, synchronize] + +permissions: + contents: read + +jobs: + update_release_draft: + permissions: + # write permission is required to create a github release + contents: write + # write permission is required for autolabeler + # otherwise, read permission is required at least + pull-requests: write + runs-on: ubuntu-latest + steps: + # Drafts your next Release notes as Pull Requests are merged into "main" + - uses: release-drafter/release-drafter@v5 + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 93cec0ce6ed1061bf0973c5fef76b2d8e76d4810 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 20 Dec 2023 08:03:06 -0800 Subject: [PATCH 05/27] dev: add security label category --- .github/release-drafter.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml index a6d2e95..125ac0c 100644 --- a/.github/release-drafter.yml +++ b/.github/release-drafter.yml @@ -15,6 +15,8 @@ categories: label: 'dev' - title: '🤖 Dependencies' label: 'dependencies' + - title: '🔒 Security' + label: 'security' change-template: '- $TITLE @$AUTHOR (#$NUMBER)' change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks. version-resolver: From 9d3b37a1177fedcce0a6c72ff4d337283a393fe2 Mon Sep 17 00:00:00 2001 
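Review bot: `release-drafter/release-drafter@v5` is pinned to a mutable tag in a job that holds `contents: write` and `pull-requests: write` and is triggered by `pull_request_target`, so a compromised or force-moved tag would run with a write-capable token on fork PR events; pin to a full commit SHA with the tag as a trailing comment, `uses: release-drafter/release-drafter@<commit-sha> # v5`. The job does not check out or execute PR code, so the usual `pull_request_target` code-execution pitfall does not apply, but listing both `pull_request` and `pull_request_target` with identical types runs the autolabeler twice per event — dropping `pull_request` avoids the duplicate. `continue-on-error: true` also turns a failed release draft into a green check; if the intent is only to tolerate the action failing on forks, say so in a comment, otherwise remove it.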
From: Samuele Facenda Date: Wed, 15 Nov 2023 18:29:09 +0100 Subject: [PATCH 06/27] fix: update keys functions in agenix.sh The function was always called with `$FILE` as its first argument, but inside the function that argument was ignored. This change doesn't affect current behaviour, but it avoids problems if `keys` is ever called with an argument other than `$FILE` --- pkgs/agenix.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh index 098802e..b78b441 100644 --- a/pkgs/agenix.sh +++ b/pkgs/agenix.sh @@ -115,7 +115,7 @@ function cleanup { trap "cleanup" 0 2 3 15 function keys { - (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$FILE\".publicKeys)" | @jqBin@ -r .[]) || exit 1 + (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1 } function decrypt { From 564595d0ad4be7277e07fa63b5a991b3c645655d Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 20 Dec 2023 08:33:16 -0800 Subject: [PATCH 07/27] version 0.15.0 --- pkgs/agenix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index e399dd0..0d35bf4 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix @@ -12,7 +12,7 @@ }: stdenv.mkDerivation rec { pname = "agenix"; - version = "0.14.0"; + version = "0.15.0"; src = substituteAll { inherit ageBin version; jqBin = "${jq}/bin/jq"; From 344f98552660520eb2b5f354d16cf3534f0849bf Mon Sep 17 00:00:00 2001 
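Review bot: The file name in `$1` (and the rules path in `$RULES`) is spliced into Nix source text inside `-E`, so a name containing `"` or `${` is parsed as Nix rather than looked up as an attribute; today the arguments come from the operator's own command line, which bounds the impact, but any future caller that passes less-trusted names (for example a list of files to rekey) would be evaluating attacker-shaped code. Passing the name as data removes the quoting problem: `(@nixInstantiate@ --json --eval --strict --argstr file "$1" -E "{file}: (builtins.getAttr file (import $RULES)).publicKeys" | @jqBin@ -r .[]) || exit 1`. `$RULES` is left in the expression as a path literal so a relative `./secrets.nix` still resolves; it remains the same kind of splice, but is set by the same operator.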
From: Ryan Mulligan Date: Wed, 20 Dec 2023 08:56:05 -0800 Subject: [PATCH 08/27] dev: remove i686 support; simplify flake Why === * flake.nix had a lot of almost redundant lines in it. * i686 support is probably being dropped soon in nixpkgs https://github.com/NixOS/nixpkgs/pull/266164 What changed == * Add new input nix-systems/default which represents the default systems typically used in the Nix community * Define and use an eachSystem function that simplifies the flake.nix file --- flake.lock | 18 +++++++++++++++++- flake.nix | 34 +++++++++------------------------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index 3be370f..8ec68d4 100644 --- a/flake.lock +++ b/flake.lock @@ -61,7 +61,23 @@ "inputs": { "darwin": "darwin", "home-manager": "home-manager", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "systems": "systems" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 13d863f..1df2443 100644 --- a/flake.nix +++ b/flake.nix @@ -11,6 +11,7 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + systems.url = "github:nix-systems/default"; }; outputs = { @@ -18,9 +19,9 @@ nixpkgs, darwin, home-manager, + systems, }: let - agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {}; - doc = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {}; + eachSystem = nixpkgs.lib.genAttrs (import systems); in { nixosModules.age = import ./modules/age.nix; nixosModules.default = self.nixosModules.age; 
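Review bot: The new `systems.url = "github:nix-systems/default"` input adds a third-party flake dependency whose whole content is, presumably, the four-element default systems list, and every downstream flake now has to lock and update it as well. flake.lock pins it by rev and narHash so the fetched content is integrity-checked, but the same result needs no external input: `eachSystem = nixpkgs.lib.genAttrs ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];`. If the input is deliberate so consumers can override the list, a comment beside it would make that intent clear: `# consumers may override via inputs.systems.follows`.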
@@ -33,30 +34,13 @@ overlays.default = import ./overlay.nix; - formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra; - packages.x86_64-darwin.agenix = agenix "x86_64-darwin"; - packages.x86_64-darwin.doc = doc "x86_64-darwin"; - packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix; + formatter = eachSystem (system: nixpkgs.legacyPackages.${system}.alejandra); - formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra; - packages.aarch64-darwin.agenix = agenix "aarch64-darwin"; - packages.aarch64-darwin.doc = doc "aarch64-darwin"; - packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix; - - formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra; - packages.aarch64-linux.agenix = agenix "aarch64-linux"; - packages.aarch64-linux.doc = doc "aarch64-linux"; - packages.aarch64-linux.default = self.packages.aarch64-linux.agenix; - - formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra; - packages.i686-linux.agenix = agenix "i686-linux"; - packages.i686-linux.doc = doc "i686-linux"; - packages.i686-linux.default = self.packages.i686-linux.agenix; - - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra; - packages.x86_64-linux.agenix = agenix "x86_64-linux"; - packages.x86_64-linux.default = self.packages.x86_64-linux.agenix; - packages.x86_64-linux.doc = doc "x86_64-linux"; + packages = eachSystem (system: { + agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {}; + doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {}; + default = self.packages.${system}.agenix; + }); checks = nixpkgs.lib.genAttrs ["aarch64-darwin" "x86_64-darwin"] (system: { From 097aa18b593a9f8215ce743a0796ae76b19b28d5 Mon Sep 17 00:00:00 2001 
From: Ryan Mulligan Date: Tue, 21 Feb 2023 20:35:56 -0800 Subject: [PATCH 09/27] contrib: add direct tests for agenix These tests are MUCH faster than the NixOS tests. --- .github/workflows/ci.yaml | 8 +++-- pkgs/agenix.nix | 66 +++++++++++++++++++++++++-------------- 2 files changed, 49 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b53a3f2..29be3c5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,7 +9,9 @@ jobs: - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v22 with: - extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" + extra_nix_config: | + system-features = nixos-test recursive-nix benchmark big-parallel kvm + extra-experimental-features = recursive-nix nix-command flakes - run: nix build - run: nix build .#doc - run: nix fmt . -- --check @@ -20,7 +22,9 @@ jobs: - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v22 with: - extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" + extra_nix_config: | + system-features = nixos-test recursive-nix benchmark big-parallel kvm + extra-experimental-features = recursive-nix nix-command flakes - run: nix build - run: nix build .#doc - run: nix fmt . -- --check diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index 0d35bf4..d2fcbce 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix 
@@ -9,29 +9,49 @@ substituteAll, ageBin ? "${rage}/bin/rage", shellcheck, -}: -stdenv.mkDerivation rec { - pname = "agenix"; - version = "0.15.0"; - src = substituteAll { - inherit ageBin version; - jqBin = "${jq}/bin/jq"; - nixInstantiate = "${nix}/bin/nix-instantiate"; - mktempBin = "${mktemp}/bin/mktemp"; - diffBin = "${diffutils}/bin/diff"; - src = ./agenix.sh; - }; - dontUnpack = true; +}: let + bin = "${placeholder "out"}/bin/agenix"; +in + stdenv.mkDerivation rec { + pname = "agenix"; + version = "0.15.0"; + src = substituteAll { + inherit ageBin version; + jqBin = "${jq}/bin/jq"; + nixInstantiate = "${nix}/bin/nix-instantiate"; + mktempBin = "${mktemp}/bin/mktemp"; + diffBin = "${diffutils}/bin/diff"; + src = ./agenix.sh; + }; + dontUnpack = true; + doInstallCheck = true; + installCheckInputs = [shellcheck]; + postInstallCheck = '' + shellcheck ${bin} + ${bin} -h | grep ${version} - doCheck = true; - checkInputs = [shellcheck]; - postCheck = '' - shellcheck $src - ''; + mkdir -p /tmp/home/.ssh + cp -r "${../example}" /tmp/home/secrets + chmod -R u+rw /tmp/home/secrets + export HOME=/tmp/home + ( + umask u=rw,g=r,o=r + cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub + chown $UID $HOME/.ssh/id_ed25519.pub + ) + ( + umask u=rw,g=,o= + cp ${../example_keys/user1} $HOME/.ssh/id_ed25519 + chown $UID $HOME/.ssh/id_ed25519 + ) - installPhase = '' - install -D $src ${placeholder "out"}/bin/agenix - ''; + cd /tmp/home/secrets + test $(${bin} -d secret1.age) = "hello" + ''; - meta.description = "age-encrypted secrets for NixOS"; -} + installPhase = '' + install -D $src ${bin} + ''; + + meta.description = "age-encrypted secrets for NixOS"; + } From 08dc5068e6b5f8c985dba6490c219ea439f48ac1 Mon Sep 17 00:00:00 2001 
From: Ryan Mulligan Date: Fri, 22 Dec 2023 07:48:06 -0800 Subject: [PATCH 10/27] Revert "contrib: add direct tests for agenix " --- .github/workflows/ci.yaml | 8 ++--- pkgs/agenix.nix | 66 ++++++++++++++------------------------- 2 files changed, 25 insertions(+), 49 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 29be3c5..b53a3f2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,9 +9,7 @@ jobs: - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v22 with: - extra_nix_config: | - system-features = nixos-test recursive-nix benchmark big-parallel kvm - extra-experimental-features = recursive-nix nix-command flakes + extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" - run: nix build - run: nix build .#doc - run: nix fmt . -- --check @@ -22,9 +20,7 @@ jobs: - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v22 with: - extra_nix_config: | - system-features = nixos-test recursive-nix benchmark big-parallel kvm - extra-experimental-features = recursive-nix nix-command flakes + extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" - run: nix build - run: nix build .#doc - run: nix fmt . -- --check diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index d2fcbce..0d35bf4 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix 
@@ -9,49 +9,29 @@ substituteAll, ageBin ? "${rage}/bin/rage", shellcheck, -}: let - bin = "${placeholder "out"}/bin/agenix"; -in - stdenv.mkDerivation rec { - pname = "agenix"; - version = "0.15.0"; - src = substituteAll { - inherit ageBin version; - jqBin = "${jq}/bin/jq"; - nixInstantiate = "${nix}/bin/nix-instantiate"; - mktempBin = "${mktemp}/bin/mktemp"; - diffBin = "${diffutils}/bin/diff"; - src = ./agenix.sh; - }; - dontUnpack = true; - doInstallCheck = true; - installCheckInputs = [shellcheck]; - postInstallCheck = '' - shellcheck ${bin} - ${bin} -h | grep ${version} +}: +stdenv.mkDerivation rec { + pname = "agenix"; + version = "0.15.0"; + src = substituteAll { + inherit ageBin version; + jqBin = "${jq}/bin/jq"; + nixInstantiate = "${nix}/bin/nix-instantiate"; + mktempBin = "${mktemp}/bin/mktemp"; + diffBin = "${diffutils}/bin/diff"; + src = ./agenix.sh; + }; + dontUnpack = true; - mkdir -p /tmp/home/.ssh - cp -r "${../example}" /tmp/home/secrets - chmod -R u+rw /tmp/home/secrets - export HOME=/tmp/home - ( - umask u=rw,g=r,o=r - cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub - chown $UID $HOME/.ssh/id_ed25519.pub - ) - ( - umask u=rw,g=,o= - cp ${../example_keys/user1} $HOME/.ssh/id_ed25519 - chown $UID $HOME/.ssh/id_ed25519 - ) + doCheck = true; + checkInputs = [shellcheck]; + postCheck = '' + shellcheck $src + ''; - cd /tmp/home/secrets - test $(${bin} -d secret1.age) = "hello" - ''; + installPhase = '' + install -D $src ${placeholder "out"}/bin/agenix + ''; - installPhase = '' - install -D $src ${bin} - ''; - - meta.description = "age-encrypted secrets for NixOS"; - } + meta.description = "age-encrypted secrets for NixOS"; +} From 5c1198a352b5fac579be4aff9cd9cbfe2920c282 Mon Sep 17 00:00:00 2001 
From: Ryan Mulligan Date: Wed, 20 Dec 2023 13:13:47 -0800 Subject: [PATCH 11/27] feat: switch from rage to age Why === * Someone said age works better with password protected keys, requiring entering the password less often. * We switched to rage from age in https://github.com/ryantm/agenix/commit/07ce686870f52a7397164b755d721bc85f110aac because it was limiting recipients to 20. This was fixed https://github.com/FiloSottile/age/issues/139 What changed === * Switch from rage back to age (the reference implementation) in all the spots * Update the docs to show how to switch back to Rage * Skip keys that are empty files, which fixes the integration test. --- README.md | 10 +++++----- doc/notices.md | 2 +- doc/reference.md | 2 +- modules/age-home.nix | 2 +- modules/age.nix | 5 +++-- pkgs/agenix.nix | 4 ++-- 6 files changed, 13 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 998bfc2..b66df95 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita ## Notices -* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. +* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. ## Installation @@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath: #### `age.ageBin` `age.ageBin` the string of the path to the `age` binary. Usually, you -don't need to change this. Defaults to `rage/bin/rage`. +don't need to change this. Defaults to `age/bin/age`. Overriding `age.ageBin` example: 
@@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.) #### Overriding age binary -The agenix CLI uses `rage` by default as its age implemenation, you -can use the reference implementation `age` with Flakes like this: +The agenix CLI uses `age` by default as its age implemenation, you +can use the `rage` implementation with Flakes like this: ```nix {pkgs,agenix,...}:{ environment.systemPackages = [ - (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; }) + (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; }) ]; } ``` diff --git a/doc/notices.md b/doc/notices.md index 5dcc5a9..a186507 100644 --- a/doc/notices.md +++ b/doc/notices.md @@ -1,3 +1,3 @@ # Notices {#notices} -* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. +* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. diff --git a/doc/reference.md b/doc/reference.md index 614b0c9..2419559 100644 --- a/doc/reference.md +++ b/doc/reference.md @@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath: ### `age.ageBin` `age.ageBin` the string of the path to the `age` binary. Usually, you -don't need to change this. Defaults to `rage/bin/rage`. +don't need to change this. Defaults to `age/bin/age`. Overriding `age.ageBin` example: diff --git a/modules/age-home.nix b/modules/age-home.nix index 99ccccb..9577eb8 100644 --- a/modules/age-home.nix +++ b/modules/age-home.nix @@ -155,7 +155,7 @@ with lib; let ''; in { options.age = { - package = mkPackageOption pkgs "rage" {}; + package = mkPackageOption pkgs "age" {}; secrets = mkOption { type = types.attrsOf secretType; 
diff --git a/modules/age.nix b/modules/age.nix
index 9468779..86c4447 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -69,6 +69,7 @@ with lib; let
 IDENTITIES=()
 for identity in ${toString cfg.identityPaths}; do
 test -r "$identity" || continue
+ test -s "$identity" || continue
 IDENTITIES+=(-i)
 IDENTITIES+=("$identity")
 done
@@ -189,9 +190,9 @@ in {
 options.age = {
 ageBin = mkOption {
 type = types.str;
- default = "${pkgs.rage}/bin/rage";
+ default = "${pkgs.age}/bin/age";
 defaultText = literalExpression ''
- "''${pkgs.rage}/bin/rage"
+ "''${pkgs.age}/bin/age"
 '';
 description = ''
 The age executable to use.
diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
index 0d35bf4..7ce6de2 100644
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@@ -1,13 +1,13 @@
 {
 lib,
 stdenv,
- rage,
+ age,
 jq,
 nix,
 mktemp,
 diffutils,
 substituteAll,
- ageBin ? "${rage}/bin/rage",
+ ageBin ? "${age}/bin/age",
 shellcheck,
 }:
 stdenv.mkDerivation rec {
From eb3b5cf4fd2e177a7dd020b1f62eb1219ad78f68 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Wed, 20 Dec 2023 21:16:28 -0800
Subject: [PATCH 12/27] update nixpkgs
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 8ec68d4..881ab8e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -43,11 +43,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1677676435,
- "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+ "lastModified": 1703013332,
+ "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+ "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
 "type": "github"
 },
 "original": {
From bd86c0696163645c78fcecc2724a94d74840e2f7 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Wed, 20 Dec 2023 21:24:28 -0800
Subject: [PATCH 13/27] fix doc build
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 1df2443..fc900d8 100644
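Review bot: `test -s "$identity" || continue` silently drops an empty identity file, which is what the integration test needed, but a host whose configured key path is empty now only learns of it later as an age decryption failure with no hint about which identity was skipped. A warning on the skipped path keeps the behaviour and makes the failure diagnosable, e.g. `test -s "$identity" || { echo "[agenix] skipping empty identity $identity" >&2; continue; }` (match whatever logging prefix the surrounding script uses — its start is outside the hunk). The unquoted `${toString cfg.identityPaths}` in the `for` line still splits paths containing whitespace; that is pre-existing, but worth noting while the loop is being touched.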
--- a/flake.nix +++ b/flake.nix @@ -38,7 +38,7 @@ packages = eachSystem (system: { agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {}; - doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {}; + doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;}; default = self.packages.${system}.agenix; }); From 58017c0c932f24787d60c93c54df2b0f7bb9a766 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 20 Dec 2023 21:29:26 -0800 Subject: [PATCH 14/27] update inputs --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 881ab8e..5d6236c 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -28,11 +28,11 @@ ] }, "locked": { - "lastModified": 1682203081, - "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "owner": "nix-community", "repo": "home-manager", - "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "type": "github" }, "original": { From b6aa6180dbfc8a5df9296db264c01b49eb173f4c Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 20 Dec 2023 21:38:19 -0800 Subject: [PATCH 15/27] test removing installer --- flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/flake.nix b/flake.nix index fc900d8..8a44679 100644 --- a/flake.nix +++ b/flake.nix 
@@ -49,7 +49,6 @@ inherit system; modules = [ ./test/integration_darwin.nix - "${darwin.outPath}/pkgs/darwin-installer/installer.nix" home-manager.darwinModules.home-manager { home-manager = { From 23d4d5d29193a5ab1b1514375d578209a6119392 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Wed, 20 Dec 2023 21:56:50 -0800 Subject: [PATCH 16/27] maybe this fixes darwin checks? --- flake.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/flake.nix b/flake.nix index 8a44679..4f4ccc7 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,8 @@ inherit system; modules = [ ./test/integration_darwin.nix + darwin.darwinModules.simple + home-manager.darwinModules.home-manager { home-manager = { From 6ce42cc7684cb59b3a9390256f68909d7dfb9af0 Mon Sep 17 00:00:00 2001 From: Nathan Henrie Date: Thu, 21 Dec 2023 13:15:07 -0700 Subject: [PATCH 17/27] Fix CI for darwin nix-darwin is detecting `/etc/nix/nix.conf` from the cachix/install-nix-action and refusing to overwrite it, failing the nix-darwin activation and therefore the rest of CI. This commit `mv`s the existing `nix.conf` to avoid the above, and then adds support for new-style nix commands and flakes to the nix-darwin configuration to allow their subsequent use in CI. It also removes the nix config from the `cachix/install-nix-action` step, which was duplicated effort since we are blowing it away with nix-darwin anyway. Relevant: - https://github.com/LnL7/nix-darwin/issues/149 --- .github/workflows/ci.yaml | 20 ++++++++++++++------ flake.nix | 4 +++- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b53a3f2..6345634 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -15,21 +15,29 @@ jobs: - run: nix fmt . -- --check - run: nix flake check tests-darwin: - runs-on: macos-11 + runs-on: macos-12 steps: - uses: actions/checkout@v3 - - uses: cachix/install-nix-action@v22 + - uses: cachix/install-nix-action@v24 with: - extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" + extra_nix_config: | + system-features = nixos-test recursive-nix benchmark big-parallel kvm + extra-experimental-features = recursive-nix nix-command flakes - run: nix build - run: nix build .#doc - run: nix fmt . -- --check - run: nix flake check - name: "Install nix-darwin module" run: | - system=$(nix build --no-link --print-out-paths .#checks.x86_64-darwin.integration) - ${system}/activate-user - sudo ${system}/activate + # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385 + + sudo mv /etc/nix/nix.conf{,.bak} + nix \ + --extra-experimental-features 'nix-command flakes' \ + build .#checks.x86_64-darwin.integration + + ./result/activate-user + sudo ./result/activate - name: "Test nix-darwin module" run: | sudo /run/current-system/sw/bin/agenix-integration diff --git a/flake.nix b/flake.nix index 4f4ccc7..587138e 100644 --- a/flake.nix +++ b/flake.nix @@ -49,7 +49,9 @@ inherit system; modules = [ ./test/integration_darwin.nix - darwin.darwinModules.simple + + # Allow new-style nix commands in CI + {nix.extraOptions = "experimental-features = nix-command flakes";} home-manager.darwinModules.home-manager { From bc24f2e510e045c70203cff80d34a8a024c38dec Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Sat, 23 Dec 2023 14:43:03 -0800 Subject: [PATCH 18/27] Revert "Revert "contrib: add direct tests for agenix "" This reverts commit 08dc5068e6b5f8c985dba6490c219ea439f48ac1. --- .github/workflows/ci.yaml | 4 ++- pkgs/agenix.nix | 66 +++++++++++++++++++++++++-------------- 2 files changed, 46 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6345634..e48411b 100644 
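Review bot: The commit message says the nix config was removed from the `cachix/install-nix-action` step as duplicated effort, but the hunk does the opposite — it expands `extra_nix_config` to add `recursive-nix` and `extra-experimental-features` — so either the message or the hunk is stale, and `recursive-nix` is an experimental feature nothing in this job visibly uses. `sudo mv /etc/nix/nix.conf{,.bak}` also silently overwrites an existing `.bak`; `sudo mv -n /etc/nix/nix.conf{,.bak}` would make a second run on the same host fail loudly instead. Separately, `actions/checkout@v3` and `cachix/install-nix-action@v24` are mutable tags in a job that goes on to run `sudo ./result/activate`; pinning both to commit SHAs keeps the root-level steps reproducible.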
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -9,7 +9,9 @@ jobs: - uses: actions/checkout@v3 - uses: cachix/install-nix-action@v22 with: - extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" + extra_nix_config: | + system-features = nixos-test recursive-nix benchmark big-parallel kvm + extra-experimental-features = recursive-nix nix-command flakes - run: nix build - run: nix build .#doc - run: nix fmt . -- --check diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index 7ce6de2..e8f59ae 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix 
@@ -9,29 +9,49 @@ substituteAll, ageBin ? "${age}/bin/age", shellcheck, -}: -stdenv.mkDerivation rec { - pname = "agenix"; - version = "0.15.0"; - src = substituteAll { - inherit ageBin version; - jqBin = "${jq}/bin/jq"; - nixInstantiate = "${nix}/bin/nix-instantiate"; - mktempBin = "${mktemp}/bin/mktemp"; - diffBin = "${diffutils}/bin/diff"; - src = ./agenix.sh; - }; - dontUnpack = true; +}: let + bin = "${placeholder "out"}/bin/agenix"; +in + stdenv.mkDerivation rec { + pname = "agenix"; + version = "0.15.0"; + src = substituteAll { + inherit ageBin version; + jqBin = "${jq}/bin/jq"; + nixInstantiate = "${nix}/bin/nix-instantiate"; + mktempBin = "${mktemp}/bin/mktemp"; + diffBin = "${diffutils}/bin/diff"; + src = ./agenix.sh; + }; + dontUnpack = true; + doInstallCheck = true; + installCheckInputs = [shellcheck]; + postInstallCheck = '' + shellcheck ${bin} + ${bin} -h | grep ${version} - doCheck = true; - checkInputs = [shellcheck]; - postCheck = '' - shellcheck $src - ''; + mkdir -p /tmp/home/.ssh + cp -r "${../example}" /tmp/home/secrets + chmod -R u+rw /tmp/home/secrets + export HOME=/tmp/home + ( + umask u=rw,g=r,o=r + cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub + chown $UID $HOME/.ssh/id_ed25519.pub + ) + ( + umask u=rw,g=,o= + cp ${../example_keys/user1} $HOME/.ssh/id_ed25519 + chown $UID $HOME/.ssh/id_ed25519 + ) - installPhase = '' - install -D $src ${placeholder "out"}/bin/agenix - ''; + cd /tmp/home/secrets + test $(${bin} -d secret1.age) = "hello" + ''; - meta.description = "age-encrypted secrets for NixOS"; -} + installPhase = '' + install -D $src ${bin} + ''; + + meta.description = "age-encrypted secrets for NixOS"; + } From a23aa271bec82d3e962bafb994595c1c4a62b133 Mon Sep 17 00:00:00 2001 
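Review bot: `test $(${bin} -d secret1.age) = "hello"` leaves the command substitution unquoted, so an empty or multi-word decryption result produces a `test` usage error rather than a clean assertion failure; `test "$(${bin} -d secret1.age)" = "hello"` pins the exact output. `chown $UID $HOME/.ssh/id_ed25519` on a file the build user has just created appears to be a no-op inside the sandbox and can go, and `installCheckInputs` is the pre-strictDeps spelling — `nativeInstallCheckInputs` is what current nixpkgs expects for a build-time tool like shellcheck. Copying `example_keys/user1` under `$HOME/.ssh` is fine for a throwaway key, but a comment such as `# published example key from ../example_keys, not a real identity` would pre-empt the question.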
From: Ryan Mulligan Date: Sat, 23 Dec 2023 14:47:15 -0800 Subject: [PATCH 19/27] dev: reland add direct tests for agenix Why === * We'd like some tests for the CLI * Last time we tried it failed on macos What changed === * This time, we try to create the temp diretory in a way that works with macos too --- pkgs/agenix.nix | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index e8f59ae..987d679 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix @@ -30,10 +30,15 @@ in shellcheck ${bin} ${bin} -h | grep ${version} - mkdir -p /tmp/home/.ssh - cp -r "${../example}" /tmp/home/secrets - chmod -R u+rw /tmp/home/secrets - export HOME=/tmp/home + HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') + function cleanup { + rm -rf $HOME + } + trap "cleanup" 0 2 3 15 + + mkdir -p $HOME/.ssh + cp -r "${../example}" $HOME/secrets + chmod -R u+rw $HOME/secrets ( umask u=rw,g=r,o=r cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub @@ -45,7 +50,7 @@ in chown $UID $HOME/.ssh/id_ed25519 ) - cd /tmp/home/secrets + cd $HOME/secrets test $(${bin} -d secret1.age) = "hello" ''; From 1746e4f5ec0849a50c2b7b634b4b84e3e09c6f87 Mon Sep 17 00:00:00 2001 From: sternenseemann Date: Thu, 1 Feb 2024 13:30:22 +0100 Subject: [PATCH 20/27] agenix: fix installCheckPhase with Nix 2.3 As opposed to e.g. Nix 2.18, Nix 2.3 doesn't try to create a fallback store in $HOME if $NIX_STORE_DIR and $NIX_STATE_DIR aren't writable. --- pkgs/agenix.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix index 987d679..e51a5c6 100644 --- a/pkgs/agenix.nix +++ b/pkgs/agenix.nix 
@@ -30,9 +30,13 @@ in shellcheck ${bin} ${bin} -h | grep ${version} - HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') + test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') + export HOME="$test_tmp/home" + export NIX_STORE_DIR="$test_tmp/nix/store" + export NIX_STATE_DIR="$test_tmp/nix/var" + mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR" function cleanup { - rm -rf $HOME + rm -rf "$test_tmp" } trap "cleanup" 0 2 3 15 From 1f62cef426d11795bdd588e507c2845df8434e32 Mon Sep 17 00:00:00 2001 From: kraem Date: Wed, 7 Feb 2024 08:48:49 +0100 Subject: [PATCH 21/27] fix: update docs for 5c1198a --- doc/overriding-age-binary.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/overriding-age-binary.md b/doc/overriding-age-binary.md index 9ee3a11..34ae232 100644 --- a/doc/overriding-age-binary.md +++ b/doc/overriding-age-binary.md @@ -1,12 +1,12 @@ # Overriding age binary {#overriding-age-binary} -The agenix CLI uses `rage` by default as its age implemenation, you -can use the reference implementation `age` with Flakes like this: +The agenix CLI uses `age` by default as its age implemenation, you +can use the `rage` implementation with Flakes like this: ```nix {pkgs,agenix,...}:{ environment.systemPackages = [ - (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; }) + (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; }) ]; } ``` From 3fd98a2c3b1a9a46341a975ee0a4b488194ecb56 Mon Sep 17 00:00:00 2001 From: oluceps Date: Wed, 3 Apr 2024 00:59:47 +0800 Subject: [PATCH 22/27] doc: fix wrong ssh-keyscan usage --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b66df95..c6d8f8d 100644 --- a/README.md +++ b/README.md 
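Review bot: The `NIX_STORE_DIR` and `NIX_STATE_DIR` exports are unexplained in the script itself; the commit message says why they exist (Nix 2.3 does not fall back to a store under `$HOME` when the real store and state directories are unwritable), but a reader of pkgs/agenix.nix never sees that. A one-line comment above the exports would carry the reason: `# give nix-instantiate a writable scratch store; Nix 2.3 has no $HOME fallback`. The `mktemp -d -t 'mytmpdir'` fallback for macOS is equally non-obvious and could share the comment.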
@@ -273,7 +273,7 @@ e.g. inside your `flake.nix` file: * your local computer usually in `~/.ssh`, e.g. `~/.ssh/id_ed25519.pub`. * from a running target machine with `ssh-keyscan`: ```ShellSession - $ ssh-keyscan @ + $ ssh-keyscan ... ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1 ... ``` From 2c1d1fb13467184256e352b00ed2d89046c16cd6 Mon Sep 17 00:00:00 2001 From: Ellis Gibbons Date: Fri, 12 Apr 2024 17:50:07 -0400 Subject: [PATCH 23/27] fix: allow for newlines in keys --- pkgs/agenix.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh index b78b441..3d0415e 100644 --- a/pkgs/agenix.sh +++ b/pkgs/agenix.sh @@ -171,7 +171,9 @@ function edit { ENCRYPT=() while IFS= read -r key do - ENCRYPT+=(--recipient "$key") + if [ -n "$key" ]; then + ENCRYPT+=(--recipient "$key") + fi done <<< "$KEYS" REENCRYPTED_DIR=$(@mktempBin@ -d) From 07479c2e7396acaaaac5925483498154034ea80a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 7 May 2024 19:12:37 +0200 Subject: [PATCH 24/27] update link to nixos wiki (#258) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6d8f8d..0f5b4f2 100644 --- a/README.md +++ b/README.md @@ -205,7 +205,7 @@ You can run the CLI tool ad-hoc without installing it: nix run github:ryantm/agenix -- --help ``` -But you can also add it permanently into a [NixOS module](https://nixos.wiki/wiki/NixOS_modules) +But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules) (replace system "x86_64-linux" with your system): ```nix From 63a57d8dfb16daca46721fdc505fee7cc2eb4cbf Mon Sep 17 00:00:00 2001 From: hansemschnokeloch Date: Thu, 9 May 2024 22:25:29 +0200 Subject: [PATCH 25/27] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0f5b4f2..f65144e 100644 --- a/README.md +++ b/README.md 
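Review bot: The new `[ -n "$key" ]` guard skips only fully empty lines; because the loop reads with `IFS= read -r`, a line containing just spaces or tabs survives and becomes `--recipient "   "`, which age would presumably reject at encryption time rather than skip. If the intent is to tolerate blank lines inside a multi-line key string, match whitespace-only lines too, e.g. `case "$key" in *[![:space:]]*) ENCRYPT+=(--recipient "$key") ;; esac`. A one-line comment such as `# skip blank lines so multi-line key strings can be used` would also record why the guard exists, since the commit message is the only place that currently says so. `edit` starts and ends outside this hunk.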
@@ -445,7 +445,7 @@ Example: #### `age.secrets..symlink` `age.secrets..symlink` is a boolean. If true (the default), -secrets are symlinked to `age.secrets..path`. If false, secerts +secrets are symlinked to `age.secrets..path`. If false, secrets are copied to `age.secrets..path`. Usually, you want to keep this as true, because it secure cleanup of secrets no longer used. (The symlink will still be there, but it will be broken.) If From 08ed896eb60cf738d5a1d12cb713663d6e83db9b Mon Sep 17 00:00:00 2001 From: oddlama Date: Sat, 20 May 2023 01:51:05 +0200 Subject: [PATCH 26/27] fix: always treat link destinations as files to ensure error when destination is a directory. This can happen if for example a secret is used in the initrd, which materializes it as a directory, which then causes agenix to silently create an incorrect link when switching to stage2. This ensures that agenix will abort with an error. --- modules/age-home.nix | 4 ++-- modules/age.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/age-home.nix b/modules/age-home.nix index 9577eb8..7c1051f 100644 --- a/modules/age-home.nix +++ b/modules/age-home.nix @@ -61,7 +61,7 @@ with lib; let ${optionalString secretType.symlink '' # shellcheck disable=SC2193,SC2050 - [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" + [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" ''} ''; 
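Review bot: `-T` is a GNU coreutils option that BSD/macOS `ln` does not accept, so if this activation snippet can ever run with a non-GNU `ln` on PATH the command would fail for the wrong reason; which `ln` is on PATH is not visible in the hunk, so this is worth confirming, particularly for age-home.nix, which is presumably a home-manager module and may be used outside NixOS. Either way the reason for `-T` deserves a comment next to the existing shellcheck directive, e.g. `# -T: never treat the destination as a directory, so a stale directory at ${secretType.path} (e.g. left by initrd) is an error instead of a silently nested link`. The same change appears in the `ln -sfT` lines of the @@ -76 hunk of modules/age-home.nix and the @@ -88 and @@ -103 hunks of modules/age.nix.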
@@ -76,7 +76,7 @@ with lib; let _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)" (( ++_agenix_generation )) echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." - ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}" + ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}" (( _agenix_generation > 1 )) && { echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." diff --git a/modules/age.nix b/modules/age.nix index 86c4447..e49d9d8 100644 --- a/modules/age.nix +++ b/modules/age.nix @@ -88,7 +88,7 @@ with lib; let mv -f "$TMP_FILE" "$_truePath" ${optionalString secretType.symlink '' - [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" + [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" ''} ''; @@ -103,7 +103,7 @@ with lib; let _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" (( ++_agenix_generation )) echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." - ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} + ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} (( _agenix_generation > 1 )) && { echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." From 760751b6d1d07bebad4b836c4014f6f20bc6db68 Mon Sep 17 00:00:00 2001 From: KREYREN Date: Wed, 19 Jun 2024 15:37:53 +0000 Subject: [PATCH 27/27] README: Add warning about HNDL and PQS in theat model --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f65144e..67718f6 100644 --- a/README.md +++ b/README.md 
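Review bot: The new `ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}` in the @@ -103 hunk of modules/age.nix leaves the destination unquoted, unlike the corresponding line in the @@ -76 hunk of modules/age-home.nix, which quotes both arguments; the `readlink ${cfg.secretsDir}` on the context line above has the same pattern. Since this commit touches both files, quoting it here too, `ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"`, keeps the two modules consistent and avoids word-splitting should the option ever hold a path with spaces. The enclosing activation script starts and ends outside the hunk.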
@@ -618,6 +618,8 @@ authentication code (MAC) like other implementations like GPG or [sops](https://github.com/Mic92/sops-nix) have, however this was left out for simplicity in `age`. +Additionally you should only encrypt secrets that you are able to make useless in the event that they are decrypted in the future and be ready to rotate them periodically as [age](https://github.com/FiloSottile/age) is [as of 19th June 2024 NOT Post-Quantum Safe](https://github.com/FiloSottile/age/discussions/231#discussioncomment-3092773) and so in case the threat actor can access your encrypted keys e.g. via their use in a public repository then they can utilize the strategy of [Harvest Now, Decrypt Later](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later) to store your keys now for later decryption including the case where a major vulnerability is found that would expose the secrets. See https://github.com/FiloSottile/age/issues/578 for details. + ## Contributing * The main branch is protected against direct pushes