Merge pull request #137 from ryantm/rtm-1-30-nix-format

contrib: format with Alejandra
2024-11-22 17:50:48 +03:00 · 2023-01-29 11:51:44 -08:00 · 2023-01-29 11:51:44 -08:00 · 6d3a415637
commit 6d3a415637
parent bf537f5b72 16bef569f4
11 changed files with 283 additions and 245 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -4,20 +4,22 @@ on:
  push:
 jobs:
  tests-linux:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v2.3.4
-    - uses: cachix/install-nix-action@v15
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v18
      with:
        extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
    - run: nix build
+    - run: nix fmt . -- --check
    - run: nix flake check
  tests-darwin:
    runs-on: macos-11
    steps:
-    - uses: actions/checkout@v2.3.4
-    - uses: cachix/install-nix-action@v15
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v18
      with:
        extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
    - run: nix build
+    - run: nix fmt . -- --check
    - run: nix flake check
--- a/README.md
+++ b/README.md
@ -25,6 +25,7 @@
  * [agenix CLI reference](#agenix-cli-reference)
 * [Community and Support](#community-and-support)
 * [Threat model/Warnings](#threat-modelwarnings)
+* [Contributing](#contributing)
 * [Acknowledgements](#acknowledgements)

 ## Problem and solution
@ -536,6 +537,19 @@ authentication code (MAC) like other implementations like GPG or
 [sops](https://github.com/Mic92/sops-nix) have, however this was left
 out for simplicity in `age`.

+## Contributing
+
+* The main branch is protected against direct pushes
+* All changes must go through GitHub PR review and get at least one approval
+* PR titles and commit messages should be prefixed with at least one of these categories:
+  * contrib - things that make the project development better
+  * doc - documentation
+  * feature - new features
+  * fix - bug fixes
+* Please update or make integration tests for new features
+* Use `nix fmt` to format nix code
+
+
 ## Acknowledgements

 This project is based off of [sops-nix](https://github.com/Mic92/sops-nix) created Mic92. Thank you to Mic92 for inspiration and advice.
--- a/default.nix
+++ b/default.nix
@ -1,4 +1,3 @@
-{ pkgs ? import <nixpkgs> {} }:
-{
+{pkgs ? import <nixpkgs> {}}: {
  agenix = pkgs.callPackage ./pkgs/agenix.nix {};
 }
--- a/example/secrets.nix
+++ b/example/secrets.nix
@ -1,8 +1,7 @@
 let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
-in
-{
+in {
  "secret1.age".publicKeys = [user1 system1];
  "secret2.age".publicKeys = [user1];
  "passwordfile-user1.age".publicKeys = [user1 system1];
--- a/flake.nix
+++ b/flake.nix
@ -14,18 +14,23 @@

    overlays.default = import ./overlay.nix;

-    packages.aarch64-linux.agenix = agenix "aarch64-linux";
-    packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
-
-    packages.i686-linux.agenix = agenix "i686-linux";
-    packages.i686-linux.default = self.packages.i686-linux.agenix;
-
+    formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra;
    packages.x86_64-darwin.agenix = agenix "x86_64-darwin";
    packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix;

+    formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra;
    packages.aarch64-darwin.agenix = agenix "aarch64-darwin";
    packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix;

+    formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;
+    packages.aarch64-linux.agenix = agenix "aarch64-linux";
+    packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
+
+    formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra;
+    packages.i686-linux.agenix = agenix "i686-linux";
+    packages.i686-linux.default = self.packages.i686-linux.agenix;
+
+    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
    packages.x86_64-linux.agenix = agenix "x86_64-linux";
    packages.x86_64-linux.default = self.packages.x86_64-linux.agenix;
    checks.x86_64-linux.integration = import ./test/integration.nix {
--- a/modules/age.nix
+++ b/modules/age.nix
@ -1,8 +1,11 @@
-{ config, options, lib, pkgs, ... }:
-
-with lib;
-
-let
+{
+  config,
+  options,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
  cfg = config.age;

  # we need at least rage 0.5.0 to support ssh keys
@ -28,11 +31,15 @@ let
  identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.identityPaths);

  setTruePath = secretType: ''
-    ${if secretType.symlink then ''
+    ${
+      if secretType.symlink
+      then ''
        _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
-    '' else ''
+      ''
+      else ''
        _truePath="${secretType.path}"
-    ''}
+      ''
+    }
  '';

  installSecret = secretType: ''
@ -55,9 +62,11 @@ let
    ''}
  '';

-  testIdentities = map (path: ''
+  testIdentities =
+    map (path: ''
      test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
-  '') cfg.identityPaths;
+    '')
+    cfg.identityPaths;

  cleanupAndLink = ''
    _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
@ -92,7 +101,8 @@ let
  chownSecrets = builtins.concatStringsSep "\n" (
    ["echo '[agenix] chowning...'"]
    ++ [chownMountPoint]
-    ++ (map chownSecret (builtins.attrValues cfg.secrets)));
+    ++ (map chownSecret (builtins.attrValues cfg.secrets))
+  );

  secretType = types.submodule ({config, ...}: {
    options = {
@ -140,9 +150,7 @@ let
      symlink = mkEnableOption "symlinking secrets to their destination" // {default = true;};
    };
  });
-in
-{
-
+in {
  imports = [
    (mkRenamedOptionModule ["age" "sshKeyPaths"] ["age" "identityPaths"])
  ];
@ -170,9 +178,11 @@ in
      '';
    };
    secretsMountPoint = mkOption {
-      type = types.addCheck types.str
+      type =
+        types.addCheck types.str
        (s:
-          (builtins.match "[ \t\n]*" s) == null # non-empty
+          (builtins.match "[ \t\n]*" s)
+          == null # non-empty
          && (builtins.match ".+/" s) == null) # without trailing slash
        // {description = "${types.str.description} (with check: non-empty without trailing slash)";};
      default = "/run/agenix.d";
@ -184,8 +194,8 @@ in
    identityPaths = mkOption {
      type = types.listOf types.path;
      default =
-        if config.services.openssh.enable then
-          map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
+        if config.services.openssh.enable
+        then map (e: e.path) (lib.filter (e: e.type == "rsa" || e.type == "ed25519") config.services.openssh.hostKeys)
        else [];
      description = ''
        Path to SSH keys to be used as identities in age decryption.
@ -194,10 +204,12 @@ in
  };

  config = mkIf (cfg.secrets != {}) {
-    assertions = [{
+    assertions = [
+      {
        assertion = cfg.identityPaths != [];
        message = "age.identityPaths must be set.";
-    }];
+      }
+    ];

    # Create a new directory full of secrets for symlinking (this helps
    # ensure removed secrets are actually removed, or at least become
@ -235,5 +247,4 @@ in
      deps = ["agenixChown"];
    };
  };
-
 }
--- a/overlay.nix
+++ b/overlay.nix
@ -1,4 +1,3 @@
-final: prev:
-{
+final: prev: {
  agenix = prev.callPackage ./pkgs/agenix.nix {};
 }
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@ -13,9 +13,8 @@
    if rage.version < "0.5.0"
    then callPackage ./rage.nix {}
    else rage
-  }/bin/rage"
-} :
-let
+  }/bin/rage",
+}: let
  sedBin = "${gnused}/bin/sed";
  nixInstantiate = "${nix}/bin/nix-instantiate";
  mktempBin = "${mktemp}/bin/mktemp";
@ -183,7 +182,6 @@ function rekey {
    [ $REKEY -eq 1 ] && rekey && exit 0
    edit "$FILE" && cleanup && exit 0
  '')
-
  {
    meta.description = "age-encrypted secrets for NixOS";
  }
--- a/pkgs/rage.nix
+++ b/pkgs/rage.nix
@ -1,5 +1,10 @@
-{ stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
-
+{
+  stdenv,
+  rustPlatform,
+  fetchFromGitHub,
+  installShellFiles,
+  darwin,
+}:
 rustPlatform.buildRustPackage rec {
  pname = "rage";
  version = "0.5.0";
@ -15,7 +20,8 @@ rustPlatform.buildRustPackage rec {

  nativeBuildInputs = [installShellFiles];

-  buildInputs = with darwin.apple_sdk.frameworks; stdenv.lib.optionals stdenv.isDarwin [
+  buildInputs = with darwin.apple_sdk.frameworks;
+    stdenv.lib.optionals stdenv.isDarwin [
      Security
      Foundation
    ];
--- a/test/integration.nix
+++ b/test/integration.nix
@ -1,14 +1,20 @@
 {
  nixpkgs ? <nixpkgs>,
-pkgs ? import <nixpkgs> { inherit system; config = {}; },
-system ? builtins.currentSystem
+  pkgs ?
+    import <nixpkgs> {
+      inherit system;
+      config = {};
+    },
+  system ? builtins.currentSystem,
 } @ args:
-
 import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
  name = "agenix-integration";

-  nodes.system1 = { config, lib, ... }: {
-
+  nodes.system1 = {
+    config,
+    lib,
+    ...
+  }: {
    imports = [
      ../modules/age.nix
      ./install_ssh_host_keys.nix
@ -30,11 +36,9 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
        };
      };
    };
-
  };

-  testScript =
-  let
+  testScript = let
    user = "user1";
    password = "password1234";
  in ''
@ -55,4 +59,5 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
    system1.wait_for_file("/tmp/1")
    assert "${user}" in system1.succeed("cat /tmp/1")
  '';
-}) args
+})
+args