Merge branch 'master' of github.com:ryantm/age-nix into master

This commit is contained in:
Ryan Mulligan 2020-11-20 17:55:23 -08:00
commit baf623214b
5 changed files with 77 additions and 19 deletions


@ -1,5 +1,20 @@
{ {
"nodes": { "nodes": {
"flake-utils": {
"locked": {
"lastModified": 1600209923,
"narHash": "sha256-zoOWauTliFEjI++esk6Jzk7QO5EKpddWXQm9yQK24iM=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "3cd06d3c1df6879c9e41cb2c33113df10566c760",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1599148892, "lastModified": 1599148892,
@ -16,6 +31,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
} }


@ -1,18 +1,13 @@
{ {
description = "Secret management with age"; description = "Secret management with age";
outputs = { self, nixpkgs }: let
systems = [ inputs.flake-utils.url = "github:numtide/flake-utils";
"x86_64-linux"
"i686-linux" outputs = { self, nixpkgs, flake-utils }:
"x86_64-darwin" flake-utils.lib.eachDefaultSystem (system:
"aarch64-linux" {
"armv6l-linux" nixosModules.age = import ./modules/age.nix;
"armv7l-linux" packages = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};
]; defaultPackage = self.packages.${system}.agenix;
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); });
in {
nixosModules.age = import ./modules/age.nix;
packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {});
defaultPackage = forAllSystems (system: self.packages.${system}.agenix);
};
} }
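Review bot: `packages` is assigned the single derivation that `callPackage ./default.nix {}` returns (default.nix evaluates directly to `writeShellScriptBin "agenix" …`), while `defaultPackage` on the next line reads `self.packages.${system}.agenix`, an attribute a bare derivation does not carry, so evaluating the default package would presumably fail unless default.nix is wrapped somewhere not shown. Both lines predate this commit, but the rewrite onto `eachDefaultSystem` is the natural moment to make them agree: `packages.agenix = nixpkgs.legacyPackages.${system}.callPackage ./default.nix {};`, which `eachDefaultSystem` then exposes as `packages.${system}.agenix`. The flake-utils input is unpinned in flake.nix itself and relies on flake.lock for the exact revision, which is the normal arrangement and worth a one-line comment on the `inputs.flake-utils.url` line.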


@ -4,6 +4,9 @@ with lib;
let let
cfg = config.age; cfg = config.age;
rage = pkgs.callPackage ../pkgs/rage.nix {};
ageBin = "${rage}/bin/rage";
users = config.users.users; users = config.users.users;
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths); identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
@ -11,7 +14,7 @@ let
echo "decrypting ${secretType.file} to ${secretType.path}..." echo "decrypting ${secretType.file} to ${secretType.path}..."
TMP_FILE="${secretType.path}.tmp" TMP_FILE="${secretType.path}.tmp"
mkdir -p $(dirname ${secretType.path}) mkdir -p $(dirname ${secretType.path})
(umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}") (umask 0400; ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
chmod ${secretType.mode} "$TMP_FILE" chmod ${secretType.mode} "$TMP_FILE"
chown ${secretType.owner}:${secretType.group} "$TMP_FILE" chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
mv -f "$TMP_FILE" '${secretType.path}' mv -f "$TMP_FILE" '${secretType.path}'
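Review bot: `umask 0400` on the rewritten decrypt line clears only the owner read bit, so with the usual 0666 creation default `$TMP_FILE` comes into existence as mode 0266 — group- and world-readable and writable — and the decrypted secret stays that way until the `chmod ${secretType.mode}` on the following line runs. The intended value is almost certainly `umask 0077` (or `umask u=rw,g=,o=`), which keeps the plaintext private from the moment rage creates it rather than repairing it a step later. Since the commit swaps `age` for `${ageBin}` on exactly this line, it is the right place to fix the umask as well. The enclosing installation script and its `let` bindings begin outside this hunk.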


@ -1,4 +1,8 @@
{writeShellScriptBin, runtimeShell, age} : {writeShellScriptBin, runtimeShell, pkgs} :
let
rage = pkgs.callPackage ./rage.nix {};
ageBin = "${rage}/bin/rage";
in
writeShellScriptBin "agenix" '' writeShellScriptBin "agenix" ''
set -Eeuo pipefail set -Eeuo pipefail
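Review bot: The new `pkgs` argument replaces the injectable `age` dependency with the whole package set and rebuilds rage with a second `pkgs.callPackage ./rage.nix {}`, duplicating the identical call added to modules/age.nix; a consumer can no longer override or pin the age implementation through callPackage, and the two call sites can silently drift to different revisions. Keep the dependency explicit — `{writeShellScriptBin, runtimeShell, rage} :` with `ageBin = "${rage}/bin/rage";` — and let the flake supply `rage` once, e.g. `callPackage ./default.nix { rage = callPackage ./pkgs/rage.nix {}; }`. A short comment above `ageBin` saying that rage is used as a drop-in for the `age` CLI would also explain why the variable is still named `ageBin`. The `writeShellScriptBin` script body continues past the end of this hunk.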
@ -24,6 +28,9 @@ function show_help () {
echo ' ' echo ' '
echo 'RULES environment variable with path to Nix file specifying recipient public keys.' echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
echo "Defaults to './secrets.nix'" echo "Defaults to './secrets.nix'"
echo ' '
echo "age binary path: ${ageBin}"
echo "age version: $(${ageBin} --version)"
} }
test $# -eq 0 && (show_help && exit 1) test $# -eq 0 && (show_help && exit 1)
@ -103,7 +110,7 @@ function edit {
DECRYPT+=(--identity "$key") DECRYPT+=(--identity "$key")
done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)" done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE") DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
${age}/bin/age "''${DECRYPT[@]}" || exit 1 ${ageBin} "''${DECRYPT[@]}" || exit 1
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before" cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
fi fi
@ -127,7 +134,7 @@ function edit {
ENCRYPT+=(-o "$REENCRYPTED_FILE") ENCRYPT+=(-o "$REENCRYPTED_FILE")
${age}/bin/age "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1 ${ageBin} "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
mv -f "$REENCRYPTED_FILE" "$1" mv -f "$REENCRYPTED_FILE" "$1"
} }

37
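--- a/pkgs/rage.nix
+++ b/pkgs/rage.nix
+{stdenv, rustPlatform, fetchFromGitHub, installShellFiles, darwin }:
+rustPlatform.buildRustPackage rec {
+pname = "rage";
+version = "unstable-2020-09-05";
+src = fetchFromGitHub {
+owner = "str4d";
+repo = pname;
+rev = "8368992e60cbedb2d6b725c3e25440e65d8544d1";
+sha256 = "sha256-ICcApZQrR4hGxo/RcFMktenE4dswAXA2/nJ5D++O2ig=";
+};
+cargoSha256 = "sha256-QwNtp7Hxsiads3bh8NRra25RdPbIdjp+pSWTllAvdmQ=";
+nativeBuildInputs = [ installShellFiles ];
+buildInputs = stdenv.lib.optionals stdenv.isDarwin [ darwin.Security ];
+postBuild = ''
+cargo run --example generate-docs
+cargo run --example generate-completions
+'';
+postInstall = ''
+installManPage target/manpages/*
+installShellCompletion target/completions/*.{bash,fish,zsh}
+'';
+meta = with stdenv.lib; {
+description = "A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability";
+homepage = "https://github.com/str4d/rage";
+changelog = "https://github.com/str4d/rage/releases/tag/v${version}";
+license = licenses.asl20;
+maintainers = [ maintainers.marsam ];
+};
+}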
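Review bot: `changelog` interpolates `v${version}` with `version = "unstable-2020-09-05"`, producing a release-tag URL that cannot exist for an unpinned-to-release snapshot; for a commit pin, point it at the commit instead, `changelog = "https://github.com/str4d/rage/commit/${src.rev}";`, or drop the attribute. The source is pinned by `rev` plus the fixed-output `sha256` and `cargoSha256`, which is the right shape for a vendored build of a cryptographic tool, but both hashes have to be re-derived on every bump, so a header comment stating where this expression was copied from and why it is vendored rather than taken from nixpkgs (the `maintainers.marsam` entry suggests a nixpkgs origin) would help whoever next updates it. `stdenv.lib` is used for `optionals` and in `meta`; that alias still works in this nixpkgs generation but `lib` passed as an argument is the forward-compatible form.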