Merge pull request #137 from ryantm/rtm-1-30-nix-format

contrib: format with Alejandra
This commit is contained in:
Ryan Mulligan 2023-01-29 11:51:44 -08:00 committed by GitHub
commit 6d3a415637
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 283 additions and 245 deletions


@ -4,20 +4,22 @@ on:
push: push:
jobs: jobs:
tests-linux: tests-linux:
runs-on: ubuntu-20.04 runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2.3.4 - uses: actions/checkout@v3
- uses: cachix/install-nix-action@v15 - uses: cachix/install-nix-action@v18
with: with:
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
- run: nix build - run: nix build
- run: nix fmt . -- --check
- run: nix flake check - run: nix flake check
tests-darwin: tests-darwin:
runs-on: macos-11 runs-on: macos-11
steps: steps:
- uses: actions/checkout@v2.3.4 - uses: actions/checkout@v3
- uses: cachix/install-nix-action@v15 - uses: cachix/install-nix-action@v18
with: with:
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm" extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
- run: nix build - run: nix build
- run: nix fmt . -- --check
- run: nix flake check - run: nix flake check
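Review bot: The action references `actions/checkout@v3` and `cachix/install-nix-action@v18` in both jobs are mutable tags, so whoever controls those tags can change the code that checks out this repository and installs Nix on the runner without any change to this workflow. Pinning each `uses:` to the full commit SHA of the release, with the tag kept as a trailing comment (`- uses: actions/checkout@<full-sha> # v3`), keeps the bump from `v2.3.4`/`v15` explicit and makes future upgrades reviewable as diffs. The switch from `ubuntu-20.04` to `ubuntu-latest` has the same floating property for the runner image, though the impact is far smaller; keeping the macOS job on a pinned `macos-11` while Linux floats is at least worth a comment. The new `nix fmt . -- --check` step resolves the formatter through the flake's `formatter` output, which is locked via `flake.lock`, so that part is reproducible.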


@ -25,6 +25,7 @@
* [agenix CLI reference](#agenix-cli-reference) * [agenix CLI reference](#agenix-cli-reference)
* [Community and Support](#community-and-support) * [Community and Support](#community-and-support)
* [Threat model/Warnings](#threat-modelwarnings) * [Threat model/Warnings](#threat-modelwarnings)
* [Contributing](#contributing)
* [Acknowledgements](#acknowledgements) * [Acknowledgements](#acknowledgements)
## Problem and solution ## Problem and solution
@ -536,6 +537,19 @@ authentication code (MAC) like other implementations like GPG or
[sops](https://github.com/Mic92/sops-nix) have, however this was left [sops](https://github.com/Mic92/sops-nix) have, however this was left
out for simplicity in `age`. out for simplicity in `age`.
## Contributing
* The main branch is protected against direct pushes
* All changes must go through GitHub PR review and get at least one approval
* PR titles and commit messages should be prefixed with at least one of these categories:
* contrib - things that make the project development better
* doc - documentation
* feature - new features
* fix - bug fixes
* Please update or make integration tests for new features
* Use `nix fmt` to format nix code
## Acknowledgements ## Acknowledgements
This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice. This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.


@ -1,4 +1,3 @@
{ pkgs ? import <nixpkgs> {} }: {pkgs ? import <nixpkgs> {}}: {
{
agenix = pkgs.callPackage ./pkgs/agenix.nix {}; agenix = pkgs.callPackage ./pkgs/agenix.nix {};
} }


@ -1,8 +1,7 @@
let let
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE"; system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
in in {
{
"secret1.age".publicKeys = [user1 system1]; "secret1.age".publicKeys = [user1 system1];
"secret2.age".publicKeys = [user1]; "secret2.age".publicKeys = [user1];
"passwordfile-user1.age".publicKeys = [user1 system1]; "passwordfile-user1.age".publicKeys = [user1 system1];


@ -14,18 +14,23 @@
overlays.default = import ./overlay.nix; overlays.default = import ./overlay.nix;
packages.aarch64-linux.agenix = agenix "aarch64-linux"; formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra;
packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
packages.i686-linux.agenix = agenix "i686-linux";
packages.i686-linux.default = self.packages.i686-linux.agenix;
packages.x86_64-darwin.agenix = agenix "x86_64-darwin"; packages.x86_64-darwin.agenix = agenix "x86_64-darwin";
packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix; packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix;
formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra;
packages.aarch64-darwin.agenix = agenix "aarch64-darwin"; packages.aarch64-darwin.agenix = agenix "aarch64-darwin";
packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix; packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix;
formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;
packages.aarch64-linux.agenix = agenix "aarch64-linux";
packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra;
packages.i686-linux.agenix = agenix "i686-linux";
packages.i686-linux.default = self.packages.i686-linux.agenix;
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
packages.x86_64-linux.agenix = agenix "x86_64-linux"; packages.x86_64-linux.agenix = agenix "x86_64-linux";
packages.x86_64-linux.default = self.packages.x86_64-linux.agenix; packages.x86_64-linux.default = self.packages.x86_64-linux.agenix;
checks.x86_64-linux.integration = import ./test/integration.nix { checks.x86_64-linux.integration = import ./test/integration.nix {
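Review bot: The five hand-written `formatter.<system> = nixpkgs.legacyPackages.<system>.alejandra;` lines repeat the same system list that the `packages.<system>.agenix = agenix "<system>";` lines already spell out, so adding or dropping a platform later means editing two parallel lists and the CI `nix fmt --check` step silently fails on any system that is missed. Assuming `nixpkgs` here is the flake input (the `legacyPackages` access suggests it is), a single `systems = ["x86_64-linux" "aarch64-linux" "i686-linux" "x86_64-darwin" "aarch64-darwin"];` binding plus `formatter = nixpkgs.lib.genAttrs systems (system: nixpkgs.legacyPackages.${system}.alejandra);` derives the attrset in one place and could drive `packages` the same way. The enclosing `outputs` attribute set starts and ends outside this hunk.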


@ -1,8 +1,11 @@
{ config, options, lib, pkgs, ... }: {
config,
with lib; options,
lib,
let pkgs,
...
}:
with lib; let
cfg = config.age; cfg = config.age;
# we need at least rage 0.5.0 to support ssh keys # we need at least rage 0.5.0 to support ssh keys
@ -28,11 +31,15 @@ let
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths); identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);
setTruePath = secretType: '' setTruePath = secretType: ''
${if secretType.symlink then '' ${
if secretType.symlink
then ''
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}" _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
'' else '' ''
else ''
_truePath="${secretType.path}" _truePath="${secretType.path}"
''} ''
}
''; '';
installSecret = secretType: '' installSecret = secretType: ''
@ -55,9 +62,11 @@ let
''} ''}
''; '';
testIdentities = map (path: '' testIdentities =
map (path: ''
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!' test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
'') cfg.identityPaths; '')
cfg.identityPaths;
cleanupAndLink = '' cleanupAndLink = ''
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
@ -92,7 +101,8 @@ let
chownSecrets = builtins.concatStringsSep "\n" ( chownSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] chowning...'"] ["echo '[agenix] chowning...'"]
++ [chownMountPoint] ++ [chownMountPoint]
++ (map chownSecret (builtins.attrValues cfg.secrets))); ++ (map chownSecret (builtins.attrValues cfg.secrets))
);
secretType = types.submodule ({config, ...}: { secretType = types.submodule ({config, ...}: {
options = { options = {
@ -140,9 +150,7 @@ let
symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;}; symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
}; };
}); });
in in {
{
imports = [ imports = [
(mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"]) (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
]; ];
@ -170,9 +178,11 @@ in
''; '';
}; };
secretsMountPoint = mkOption { secretsMountPoint = mkOption {
type = types.addCheck types.str type =
types.addCheck types.str
(s: (s:
(builtins.match "[ \t\n]*" s) == null # non-empty (builtins.match "[ \t\n]*" s)
== null # non-empty
&& (builtins.match ".+/" s) == null) # without trailing slash && (builtins.match ".+/" s) == null) # without trailing slash
// {description = "${types.str.description} (with check: non-empty without trailing slash)";}; // {description = "${types.str.description} (with check: non-empty without trailing slash)";};
default = "/run/agenix.d"; default = "/run/agenix.d";
@ -184,8 +194,8 @@ in
identityPaths = mkOption { identityPaths = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = default =
if config.services.openssh.enable then if config.services.openssh.enable
map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys) then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
else []; else [];
description = '' description = ''
Path to SSH keys to be used as identities in age decryption. Path to SSH keys to be used as identities in age decryption.
@ -194,10 +204,12 @@ in
}; };
config = mkIf (cfg.secrets != {}) { config = mkIf (cfg.secrets != {}) {
assertions = [{ assertions = [
{
assertion = cfg.identityPaths != []; assertion = cfg.identityPaths != [];
message = "age.identityPaths must be set."; message = "age.identityPaths must be set.";
}]; }
];
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
@ -235,5 +247,4 @@ in
deps = ["agenixChown"]; deps = ["agenixChown"];
}; };
}; };
} }


@ -1,4 +1,3 @@
final: prev: final: prev: {
{
agenix = prev.callPackage ./pkgs/agenix.nix {}; agenix = prev.callPackage ./pkgs/agenix.nix {};
} }


@ -13,9 +13,8 @@
if rage.version < "0.5.0" if rage.version < "0.5.0"
then callPackage ./rage.nix {} then callPackage ./rage.nix {}
else rage else rage
}/bin/rage" }/bin/rage",
} : }: let
let
sedBin = "${gnused}/bin/sed"; sedBin = "${gnused}/bin/sed";
nixInstantiate = "${nix}/bin/nix-instantiate"; nixInstantiate = "${nix}/bin/nix-instantiate";
mktempBin = "${mktemp}/bin/mktemp"; mktempBin = "${mktemp}/bin/mktemp";
@ -183,7 +182,6 @@ function rekey {
[ $REKEY -eq 1 ] && rekey && exit 0 [ $REKEY -eq 1 ] && rekey && exit 0
edit "$FILE" && cleanup && exit 0 edit "$FILE" && cleanup && exit 0
'') '')
{ {
meta.description = "age-encrypted secrets for NixOS"; meta.description = "age-encrypted secrets for NixOS";
} }


@ -1,5 +1,10 @@
{ stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }: {
stdenv,
rustPlatform,
fetchFromGitHub,
installShellFiles,
darwin,
}:
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "rage"; pname = "rage";
version = "0.5.0"; version = "0.5.0";
@ -15,7 +20,8 @@ rustPlatform.buildRustPackage rec {
nativeBuildInputs = [installShellFiles]; nativeBuildInputs = [installShellFiles];
buildInputs = with darwin.apple_sdk.frameworks; stdenv.lib.optionals stdenv.isDarwin [ buildInputs = with darwin.apple_sdk.frameworks;
stdenv.lib.optionals stdenv.isDarwin [
Security Security
Foundation Foundation
]; ];


@ -1,14 +1,20 @@
{ {
nixpkgs ? <nixpkgs>, nixpkgs ? <nixpkgs>,
pkgs ? import <nixpkgs> { inherit system; config = {}; }, pkgs ?
system ? builtins.currentSystem import <nixpkgs> {
inherit system;
config = {};
},
system ? builtins.currentSystem,
} @ args: } @ args:
import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: { import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
name = "agenix-integration"; name = "agenix-integration";
nodes.system1 = { config, lib, ... }: { nodes.system1 = {
config,
lib,
...
}: {
imports = [ imports = [
../modules/age.nix ../modules/age.nix
./install_ssh_host_keys.nix ./install_ssh_host_keys.nix
@ -30,11 +36,9 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
}; };
}; };
}; };
}; };
testScript = testScript = let
let
user = "user1"; user = "user1";
password = "password1234"; password = "password1234";
in '' in ''
@ -55,4 +59,5 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
system1.wait_for_file("/tmp/1") system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1") assert "${user}" in system1.succeed("cat /tmp/1")
''; '';
}) args })
args