Commit Graph

61 Commits

Author SHA1 Message Date
Ryan Mulligan 5c1198a352 feat: switch from rage to age
Why
===
* Someone said age works better with password protected keys, requiring entering the password less often.
* We switched to rage from age in 07ce686870 because it was limiting recipients to 20. This was fixed in https://github.com/FiloSottile/age/issues/139

What changed
===
* Switch from rage back to age (the reference implementation) in all the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
2023-12-23 14:09:16 -08:00
Nicolas Lenz fe4f564f13 fix(home): shellcheck failure for fixed secretsDir 2023-09-09 16:46:53 +02:00
Lin Jian 6e8a48c2dc doc: fix nixos option format in descriptions 2023-06-27 00:06:58 +08:00
Lin Jian 0d94960783 doc: fix defaultText by adding literalExpression
I also remove an unnecessary defaultText and fix a typo.
2023-06-27 00:06:39 +08:00
Sefa Eyeoglu 758cdc98f4 Disable shellcheck warning about impossible comparison
This shellcheck warning occurs when setting a path for a secret using
the home-manager module.

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
2023-05-12 20:15:30 +02:00
Bruno BELANYI 9274b82816 Add home-manager module
This is to update and fix the issues I saw in [1] and [2].

Using a service definition instead of an activation script should
resolve the issue about the secrets disappearing after rebooting.

Removed the `user` and `group` options as they do not make sense to me
for a home-manager module, which should target a single user. They can
always be added back if somebody comes screaming.

This is somewhat modeled after sops-nix's own module [3].

[1]: https://github.com/ryantm/agenix/pull/58/
[2]: https://github.com/ryantm/agenix/pull/109
[3]: https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
2023-05-06 14:18:17 +01:00
Ryan Mulligan b67873854d Revert "fix: disallow Nix store paths in age.identityPaths option" 2023-02-26 15:11:56 -08:00
Ryan Mulligan 1141c36c26 fix: disallow Nix store paths in age.identityPaths option 2023-02-26 09:03:17 -08:00
Ryan Mulligan 2c0ae7d44f contrib: stop packaging rage
We don't need to package rage anymore, since all the latest maintained
versions of Nix have versions higher than what we need.
2023-02-21 20:33:19 -08:00
Matthias Putz ec66ebe0ee Make isDarwin check more robust 2023-02-20 13:47:48 +01:00
Nathan Henrie 37c7297956 Skip missing or unreadable keys 2023-02-11 07:34:06 -07:00
Nathan Henrie d7fd31756e Remove activation scripts again 2023-01-30 15:52:05 -07:00
Nathan Henrie 6ec0b0f7c7 Revert to hdiutil for older macOS compatibility, be explicit about the weird number after ram:// 2023-01-30 15:51:52 -07:00
Nathan Henrie 9779a98f1e Testing for CI -- revert "Remove activation scripts"
This reverts commit 4c315d9683.
2023-01-30 15:33:50 -07:00
Nathan Henrie 4b2b6fa111 Simplify removal of trailing spaces 2023-01-30 14:37:15 -07:00
Nathan Henrie 4c315d9683 Remove activation scripts 2023-01-30 14:21:49 -07:00
Nathan Henrie 9b94b43971 format 2023-01-30 14:21:42 -07:00
Nathan Henrie c69689da58 Use diskutil for more convenient sizes, strip trailing tabs 2023-01-30 14:21:33 -07:00
Nathan Henrie b818ac2e7d fmt 2023-01-30 09:18:56 -07:00
Nathan Henrie 019784cb7e Give volume a name 2023-01-30 09:06:59 -07:00
Nathan Henrie 8867c12d72 Cleanup, improve readability 2023-01-30 09:06:39 -07:00
Nathan Henrie 4532604741 Silence output 2023-01-30 09:06:03 -07:00
Nathan Henrie 351e874918 Try to add nix-darwin support to agenix
Merges work by @montchr, @cmhamill, and @rtimush and rebases on main.

- fixes https://github.com/ryantm/agenix/issues/60
- fixes https://github.com/ryantm/agenix/issues/120
- closes https://github.com/ryantm/agenix/pull/107
2023-01-29 16:41:49 -07:00
Ryan Mulligan 16bef569f4 contrib: format Nix code with Alejandra 2023-01-29 10:57:51 -08:00
Ryan Mulligan f86b56229b feature: combine root and nonroot secret install; delay chowning 2022-07-10 11:47:58 -07:00
Jeroen Simonetti fe206b4306 [module] change operation order
Change the order of operations to:

1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2022-07-10 19:12:55 +02:00
Ryan Mulligan 1a4643b779 feature: warn about missing files
rage itself does not have good error messages when files are missing,
so add some of our own checks and warnings.
2022-03-08 08:00:43 -08:00
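The pre-flight checks described in this commit and in the "Skip missing or unreadable keys" and "Skip keys that are empty files" commits above, written out as an added bash example. This is not agenix's activation script; the function names `collect_identities`, `check_encrypted_files` and `decrypt_with_checks`, the `AGE_BIN` variable and the sample file names are assumptions of this example, and the key file contents are constructed.

```bash
#!/usr/bin/env bash
# Added example, not agenix's own activation script: validate the identity
# (private key) paths and the encrypted inputs before calling age, so that a
# missing, unreadable or empty file produces a warning that names the file
# instead of whatever error age itself reports.
set -euo pipefail

# Print "-i" and PATH on separate lines for every usable identity in "$@";
# each skipped path gets a warning on stderr. Returns 1 if none is usable.
collect_identities() {
    local path usable=0
    for path in "$@"; do
        if [ ! -e "$path" ]; then
            echo "warning: identity $path does not exist, skipping" >&2
        elif [ ! -r "$path" ]; then
            echo "warning: identity $path is not readable by uid $(id -u), skipping" >&2
        elif [ ! -s "$path" ]; then
            echo "warning: identity $path is empty, skipping" >&2
        else
            printf '%s\n' -i "$path"
            usable=$((usable + 1))
        fi
    done
    [ "$usable" -gt 0 ]
}

# Warn about every encrypted input that does not exist. Returns 1 on any miss.
check_encrypted_files() {
    local f missing=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "warning: encrypted file $f is missing" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Decrypt SRC to OUT with the usable subset of the given identities.
# Usage: decrypt_with_checks SRC OUT IDENTITY...
decrypt_with_checks() {
    local src=$1 out=$2 line
    local -a args=()
    shift 2
    check_encrypted_files "$src" || return 1
    while IFS= read -r line; do args+=("$line"); done < <(collect_identities "$@")
    if [ "${#args[@]}" -eq 0 ]; then
        echo "error: no usable identity for $src" >&2
        return 1
    fi
    # umask 0377: the plaintext is created unreadable by group and others
    (umask 0377; "${AGE_BIN:-age}" --decrypt "${args[@]}" -o "$out" "$src")
}
```

The identity list is passed through a pipe of newline-separated arguments rather than a single string so that paths containing spaces survive; the readable check uses the current uid, which is the case that matters when the module runs as a non-root user.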
Parthiv Seetharaman 85bd9d01ad modules/age: add option for secrets directory 2022-02-21 15:20:05 -08:00
Jan Tojnar 35ecba5704 Do not try to create /run/agenix when installing secrets
That is a job for agenixMountSecrets, which should have already
created a symlink there so the directory creation attempt would
fail anyway.
2022-01-06 22:55:10 +01:00
Jan Tojnar 26edd03a5a Ensure /run is created before mounting secrets
Otherwise /run/agenix might disappear if specialfs is toposorted
between agenixMountSecrets and agenixRoot.

Fixes: https://github.com/ryantm/agenix/issues/92
2022-01-06 22:50:56 +01:00
Ryan Mulligan dfb2e7e591 feature: rename age.sshKeyPaths to age.identityPaths
implements #66
2021-12-05 16:05:06 -08:00
Chuang Zhu c2f6bd077c allow customizing ageBin 2021-12-06 07:08:18 +08:00
sohalt ed0d9ef01a update option descriptions 2021-11-24 18:00:28 +01:00
Ryan Mulligan 5ff75b48b4 fix: make non-root secrets accessible again
fixes #69
2021-11-20 12:19:52 -08:00
Cole Helbling 7bb0b5d7f1 modules/age: add option to disable symlinking
There are some cases where it may be better or even required to have the
secret be a file that is not a symlink. Setting

    age.secrets.some-secret.symlink = false;

will disable the default functionality of symlinking secrets and instead
just forcibly move them to their `path`.
2021-11-15 21:39:32 -08:00
Cole Helbling e538664435 modules/age: /run/secrets -> /run/agenix 2021-11-15 21:39:32 -08:00
Cole Helbling 111754b894 modules/age: remove old secrets generations 2021-11-15 21:39:32 -08:00
Cole Helbling f816a0d5df modules/age: symlink files into place
This follows sops-nix's implementation, where it creates a
`/run/secrets.d` ramfs mountpoint and a "generation" each time
the activation script runs, and then symlinks `/run/secrets` to
`/run/secrets.d/[generation]`.
2021-11-15 21:39:32 -08:00
Ryan Mulligan 6d9fdcbd70 fix: remove workaround for #54
https://github.com/NixOS/nixpkgs/pull/137508 should remove the need
for this.
2021-09-16 15:39:38 -07:00
Ryan Mulligan 375a33cd97 fix: workaround for #54 2021-09-10 16:30:05 -07:00
Kazutoshi Noguchi 8bad14fe08 run activation scripts after /run mount 2021-07-01 14:13:44 +09:00
Ryan Mulligan b69fd62fbb fix: umask
fixes #38
2021-05-12 20:11:17 -07:00
Ryan Mulligan 6aec6889ba feature: use uid 0 and gid 0 as default owner and group (consider them root)
This assumes that the root user is always uid 0 and gid 0, which I
believe is a safe assumption. The reason to add this is because when a
declarative VM (for example, a NixOS test) or image boots the first
time, the installRootOwnedSecrets activation script runs BEFORE the
"users" and "groups" activation scripts, so the user and group for
root is not created. Using uid 0 and gid 0 gets around the root user
not being set up yet.
2021-05-09 14:18:20 -07:00
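The generation scheme described in the "symlink files into place", "remove old secrets generations" and "[module] change operation order" commits above (create the new generation, decrypt into it, then symlink and remove the old one), together with the `symlink = false` behaviour, the restrictive umask and the numeric uid/gid ownership from the commit directly above, as an added bash example. It is not agenix's or sops-nix's module code: it runs unprivileged against a temporary directory instead of mounting a ramfs at `/run/agenix.d`, uses a single identity, and the function names, the `name:mode:uid:gid:source` spec format, the `AGE_BIN`, `AGE_IDENTITY`, `SECRETS_ROOT` and `SECRETS_LINK` variables and the reliance on GNU `mv -T` are all assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not agenix's or sops-nix's module code. SECRETS_ROOT stands in
# for the ramfs mountpoint (/run/agenix.d) and SECRETS_LINK for the stable
# symlink (/run/agenix) that services reference.
set -euo pipefail

: "${AGE_BIN:=age}"                                 # age-compatible binary
: "${AGE_IDENTITY:=/etc/ssh/ssh_host_ed25519_key}"  # one identity, for brevity
: "${SECRETS_ROOT:=/run/agenix.d}"
: "${SECRETS_LINK:=/run/agenix}"

# Highest numeric generation directory under SECRETS_ROOT plus one (1 if none).
next_generation() {
    local d n max=0
    for d in "$SECRETS_ROOT"/*/; do
        n=$(basename "$d")
        case "$n" in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo $((max + 1))
}

# Steps 1 and 2: create the new generation and decrypt every secret into it.
# Each argument is "name:mode:uid:gid:source.age" (this example's own format);
# empty mode/uid/gid default to 0400 and uid 0 / gid 0. The stable symlink is
# untouched until this returns 0, so a failed decrypt keeps the current
# generation active and discards the half-built one. Prints the new number.
build_generation() {
    local gen dir spec name mode uid gid src
    gen=$(next_generation)
    dir="$SECRETS_ROOT/$gen"
    mkdir -p "$dir"
    chmod 0751 "$dir"   # traversable, so a non-root owner can reach their file
    for spec in "$@"; do
        IFS=: read -r name mode uid gid src <<<"$spec"
        # umask 0377: the plaintext is never group/world readable, not even briefly
        if ! (umask 0377; "$AGE_BIN" --decrypt -i "$AGE_IDENTITY" -o "$dir/$name" "$src"); then
            echo "error: could not decrypt $src; keeping the current generation" >&2
            rm -rf "$dir"
            return 1
        fi
        chmod "${mode:-0400}" "$dir/$name"
        # chown last and by number: numeric ids work before the users/groups
        # activation step has created the accounts; skipped when unprivileged.
        if [ "$(id -u)" -eq 0 ]; then chown "${uid:-0}:${gid:-0}" "$dir/$name"; fi
    done
    echo "$gen"
}

# Step 3: repoint the stable symlink with a single rename (GNU mv -T), so a
# reader sees either the old or the new generation, then delete older ones.
activate_generation() {
    local gen=$1 dir="$SECRETS_ROOT/$1" tmp d
    tmp="$SECRETS_LINK.tmp.$$"
    ln -sfn "$dir" "$tmp"
    mv -T "$tmp" "$SECRETS_LINK"
    for d in "$SECRETS_ROOT"/*/; do
        if [ "$d" != "$dir/" ]; then rm -rf "$d"; fi
    done
}

# For a secret configured with symlink = false: move the decrypted file to its
# final path instead of leaving it behind the symlink (mv copies across
# filesystems, so the plaintext then lives wherever DEST is).
place_unlinked() {
    local gen=$1 name=$2 dest=$3
    mv -f "$SECRETS_ROOT/$gen/$name" "$dest"
}
```

Typical use is `gen=$(build_generation "db:0440:0:0:/etc/secrets/db.age")` followed by `activate_generation "$gen"`; if `build_generation` fails, nothing under `SECRETS_LINK` has changed. The real module gains one more property this example cannot show from a plain directory: because the generation store is a ramfs, the plaintext never reaches persistent storage unless `symlink = false` moves it there.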
Ryan Mulligan ecee2c76b9 fix: allow deps of installRootOwnedSecrets activation script to be overridden 2021-05-09 14:17:48 -07:00
Felix Scheinost 3f07139990 Fix relative path 2021-03-16 18:31:27 +01:00
Cole Helbling ef7ec993e8 modules/age: build local rage if pkgs.rage is older than 0.5.0 2021-03-01 13:11:02 -08:00
Cole Helbling 9b8f6c01fe modules/age: nixpkgs-fmt 2021-03-01 13:10:52 -08:00
Cole Helbling 7ba959742e modules/age: set LANG
rage has a localization crate as a dependency that whines when LANG
is unset.
2021-02-25 15:16:28 -08:00
Aluísio Augusto Silva Gonçalves b0a48f587e correctly list non-root secrets
Secrets that are only partly owned by root (i.e. either user or group
are not 'root') are now accounted for during activation.
2020-12-22 01:34:35 -03:00
Ryan Mulligan baf623214b Merge branch 'master' of github.com:ryantm/age-nix into master 2020-11-20 17:55:23 -08:00