Merge pull request #81 from chuangzhu/agebin

Allow customizing ageBin
Ryan Mulligan 2021-12-05 15:53:34 -08:00 committed by GitHub
commit c53ac31e44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 6 deletions


@ -209,6 +209,28 @@ If your secret cannot be a symlink, you should set the `symlink` option to `fals
Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix. Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
## Use other implementations
This project uses the Rust implementation of age, [rage](https://github.com/str4d/rage), by default. You can change it to use the [official implementation](https://github.com/FiloSottile/age).
### Module
```nix
{
age.ageBin = "${pkgs.age}/bin/age";
}
```
### CLI
```nix
{
environment.systemPackages = [
(agenix.defaultPackage.x86_64-linux.override { ageBin = "${pkgs.age}/bin/age"; })
];
}
```
## Threat model/Warnings ## Threat model/Warnings
This project has not be audited by a security professional. This project has not be audited by a security professional.


@ -10,7 +10,7 @@ let
if lib.versionOlder pkgs.rage.version "0.5.0" if lib.versionOlder pkgs.rage.version "0.5.0"
then pkgs.callPackage ../pkgs/rage.nix { } then pkgs.callPackage ../pkgs/rage.nix { }
else pkgs.rage; else pkgs.rage;
ageBin = "${rage}/bin/rage"; ageBin = config.age.ageBin;
users = config.users.users; users = config.users.users;
@ -96,6 +96,13 @@ let
in in
{ {
options.age = { options.age = {
ageBin = mkOption {
type = types.str;
default = "${rage}/bin/rage";
description = ''
The age executable to use.
'';
};
secrets = mkOption { secrets = mkOption {
type = types.attrsOf secretType; type = types.attrsOf secretType;
default = { }; default = { };
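Review bot: The new `ageBin` option in the `mkOption` block is typed `types.str` with a one-line description, so nothing tells a user what the value must satisfy: the module presumably invokes it with rage's command-line conventions (that code is outside the hunk), so a replacement must be CLI-compatible with rage, and `types.str` also accepts a bare name like `"age"` that would only resolve through `PATH` at activation time. I would expand the description to `The age executable to use. Must be CLI-compatible with rage (the default), e.g. "''${pkgs.age}/bin/age".` and consider `type = types.path;` if only absolute (store) paths are intended. The `rage` referenced by the default is the `let`-bound package selected at the top of this file, so the fallback behaviour is unchanged.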


@ -8,13 +8,14 @@
nix, nix,
mktemp, mktemp,
diffutils, diffutils,
ageBin ? "${
# we need at least rage 0.5.0 to support ssh keys
if rage.version < "0.5.0"
then callPackage ./rage.nix {}
else rage
}/bin/rage"
} : } :
let let
# we need at least rage 0.5.0 to support ssh keys
rageToUse = if rage.version < "0.5.0"
then callPackage ./rage.nix {}
else rage;
ageBin = "${rageToUse}/bin/rage";
sedBin = "${gnused}/bin/sed"; sedBin = "${gnused}/bin/sed";
nixInstantiate = "${nix}/bin/nix-instantiate"; nixInstantiate = "${nix}/bin/nix-instantiate";
mktempBin = "${mktemp}/bin/mktemp"; mktempBin = "${mktemp}/bin/mktemp";
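Review bot: The default for `ageBin` still selects the fallback with `rage.version < "0.5.0"`, which is a lexicographic string comparison rather than a version comparison: `"0.10.0" < "0.5.0"` is true in Nix, so a future rage 0.10.x would be silently replaced by the vendored `./rage.nix`. The module file in this same commit uses `lib.versionOlder` for the identical check; since `lib` is not an argument of this package function, `if builtins.compareVersions rage.version "0.5.0" < 0` gives the correct result without adding a dependency. The comparison was inherited from the removed `rageToUse` binding, but it now sits in the argument default, which is the line users read when overriding. The argument set and the `let` body both extend beyond this hunk.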