Merge pull request #230 from ryantm/rtm-12-20-age

feat: switch from rage to age
Ryan Mulligan 2023-12-23 14:40:41 -08:00 committed by GitHub
commit 457669db42
9 changed files with 41 additions and 29 deletions


@ -15,21 +15,29 @@ jobs:
- run: nix fmt . -- --check - run: nix fmt . -- --check
- run: nix flake check - run: nix flake check
tests-darwin: tests-darwin:
runs-on: macos-11 runs-on: macos-12
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- uses: cachix/install-nix-action@v22 - uses: cachix/install-nix-action@v24
with: with:
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" extra_nix_config: |
system-features = nixos-test recursive-nix benchmark big-parallel kvm
extra-experimental-features = recursive-nix nix-command flakes
- run: nix build - run: nix build
- run: nix build .#doc - run: nix build .#doc
- run: nix fmt . -- --check - run: nix fmt . -- --check
- run: nix flake check - run: nix flake check
- name: "Install nix-darwin module" - name: "Install nix-darwin module"
run: | run: |
system=$(nix build --no-link --print-out-paths .#checks.x86_64-darwin.integration) # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
${system}/activate-user
sudo ${system}/activate sudo mv /etc/nix/nix.conf{,.bak}
nix \
--extra-experimental-features 'nix-command flakes' \
build .#checks.x86_64-darwin.integration
./result/activate-user
sudo ./result/activate
- name: "Test nix-darwin module" - name: "Test nix-darwin module"
run: | run: |
sudo /run/current-system/sw/bin/agenix-integration sudo /run/current-system/sw/bin/agenix-integration
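Review bot: The new `sudo mv /etc/nix/nix.conf{,.bak}` line in the "Install nix-darwin module" step is explained only by a bare link to a PR comment, so the reason for discarding the nix.conf that install-nix-action just wrote (including the `extra_nix_config` settings above) cannot be read from the workflow itself. State the reason inline and keep the link as a reference, e.g. `# Move the installer-written nix.conf aside before building the nix-darwin check (see https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385); the experimental features it provided are presumably why they are now passed via --extra-experimental-features below`. The moved file is never restored, which is harmless on a throwaway runner but worth a word in the same comment so a reader understands that the following "Test nix-darwin module" step runs against whatever nix-darwin's activation installed. The `jobs:` mapping this hunk belongs to starts above the hunk.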


@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
## Notices ## Notices
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. * Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
## Installation ## Installation
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
#### `age.ageBin` #### `age.ageBin`
`age.ageBin` the string of the path to the `age` binary. Usually, you `age.ageBin` the string of the path to the `age` binary. Usually, you
don't need to change this. Defaults to `rage/bin/rage`. don't need to change this. Defaults to `age/bin/age`.
Overriding `age.ageBin` example: Overriding `age.ageBin` example:
@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
#### Overriding age binary #### Overriding age binary
The agenix CLI uses `rage` by default as its age implemenation, you The agenix CLI uses `age` by default as its age implemenation, you
can use the reference implementation `age` with Flakes like this: can use the `rage` implementation with Flakes like this:
```nix ```nix
{pkgs,agenix,...}:{ {pkgs,agenix,...}:{
environment.systemPackages = [ environment.systemPackages = [
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; }) (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
]; ];
} }
``` ```


@ -1,3 +1,3 @@
# Notices {#notices} # Notices {#notices}
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times. * Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.


@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
### `age.ageBin` ### `age.ageBin`
`age.ageBin` the string of the path to the `age` binary. Usually, you `age.ageBin` the string of the path to the `age` binary. Usually, you
don't need to change this. Defaults to `rage/bin/rage`. don't need to change this. Defaults to `age/bin/age`.
Overriding `age.ageBin` example: Overriding `age.ageBin` example:


@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1673295039, "lastModified": 1700795494,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1682203081, "lastModified": 1703113217,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -43,11 +43,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1677676435, "lastModified": 1703013332,
"narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -38,7 +38,7 @@
packages = eachSystem (system: { packages = eachSystem (system: {
agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {}; agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {}; doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;};
default = self.packages.${system}.agenix; default = self.packages.${system}.agenix;
}); });
@ -49,7 +49,10 @@
inherit system; inherit system;
modules = [ modules = [
./test/integration_darwin.nix ./test/integration_darwin.nix
"${darwin.outPath}/pkgs/darwin-installer/installer.nix"
# Allow new-style nix commands in CI
{nix.extraOptions = "experimental-features = nix-command flakes";}
home-manager.darwinModules.home-manager home-manager.darwinModules.home-manager
{ {
home-manager = { home-manager = {
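Review bot: The new `"${darwin.outPath}/pkgs/darwin-installer/installer.nix"` entry in the modules list carries no comment, while the `nix.extraOptions` line right below it is annotated with `# Allow new-style nix commands in CI`; give the installer line a matching note that says why a test configuration imports the installer, e.g. `# Pulls in nix-darwin's installer so the CI check can be activated on a fresh runner` — adjust the wording if the actual reason differs. Separately, `experimental-features = nix-command flakes` in `extraOptions` sets the feature list rather than extending it, so if another module in this configuration also defines `experimental-features` the two settings will compete; `extra-experimental-features = nix-command flakes` is the additive spelling and is the form the CI workflow's own `extra_nix_config` uses. The attribute set this hunk sits in (`inherit system; modules = [ ... ]`) starts and ends outside the hunk.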


@ -155,7 +155,7 @@ with lib; let
''; '';
in { in {
options.age = { options.age = {
package = mkPackageOption pkgs "rage" {}; package = mkPackageOption pkgs "age" {};
secrets = mkOption { secrets = mkOption {
type = types.attrsOf secretType; type = types.attrsOf secretType;


@ -69,6 +69,7 @@ with lib; let
IDENTITIES=() IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue test -r "$identity" || continue
test -s "$identity" || continue
IDENTITIES+=(-i) IDENTITIES+=(-i)
IDENTITIES+=("$identity") IDENTITIES+=("$identity")
done done
@ -189,9 +190,9 @@ in {
options.age = { options.age = {
ageBin = mkOption { ageBin = mkOption {
type = types.str; type = types.str;
default = "${pkgs.rage}/bin/rage"; default = "${pkgs.age}/bin/age";
defaultText = literalExpression '' defaultText = literalExpression ''
"''${pkgs.rage}/bin/rage" "''${pkgs.age}/bin/age"
''; '';
description = '' description = ''
The age executable to use. The age executable to use.
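Review bot: The added `test -s "$identity" || continue` in the identity loop silently drops empty identity files, just as the existing `test -r` line drops unreadable ones, and the hunk adds no comment saying why; add `# skip unreadable or empty identity files instead of handing them to age` above the loop. Because both checks only `continue`, an `identityPaths` list in which every file is missing, unreadable or empty leaves `IDENTITIES` empty and the later decryption presumably fails with a less specific error from age; a check after the loop such as `[ "''${#IDENTITIES[@]}" -gt 0 ] || echo "[agenix] no usable identity found in: ${toString cfg.identityPaths}" >&2` would name the cause without turning a best-effort skip into an activation failure (the `''${` spelling assumes this is an indented `''` Nix string, where a raw `${` would be interpolated). The shell snippet belongs to a `let` binding that starts above the hunk, and the second hunk (the `ageBin` default and `defaultText`) needs nothing beyond the rename it already makes.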


@ -1,13 +1,13 @@
{ {
lib, lib,
stdenv, stdenv,
rage, age,
jq, jq,
nix, nix,
mktemp, mktemp,
diffutils, diffutils,
substituteAll, substituteAll,
ageBin ? "${rage}/bin/rage", ageBin ? "${age}/bin/age",
shellcheck, shellcheck,
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {