oddlama
08ed896eb6
fix: always treat link destinations as files to ensure an error when the destination is a directory.
This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
2024-05-21 15:08:15 +02:00
Ryan Mulligan
5c1198a352
feat: switch from rage to age
Why
===
* Someone said age works better with password-protected keys,
requiring entering the password less often.
* We switched to rage from age in 07ce686870 because it was limiting
recipients to 20. This was fixed in
https://github.com/FiloSottile/age/issues/139
What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
2023-12-23 14:09:16 -08:00
Nicolas Lenz
fe4f564f13
fix(home): shellcheck failure for fixed secretsDir
2023-09-09 16:46:53 +02:00
Lin Jian
6e8a48c2dc
doc: fix nixos option format in descriptions
2023-06-27 00:06:58 +08:00
Lin Jian
0d94960783
doc: fix defaultText by adding literalExpression
I also remove an unnecessary defaultText and fix a typo.
2023-06-27 00:06:39 +08:00
Sefa Eyeoglu
758cdc98f4
Disable shellcheck warning about impossible comparison
This shellcheck warning occurs when setting a path for a secret using
the home-manager module.
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
2023-05-12 20:15:30 +02:00
Bruno BELANYI
9274b82816
Add home-manager module
This is to update and fix the issues I saw in [1] and [2].
Using a service definition instead of an activation script should
resolve the issue about the secrets disappearing after rebooting.
Removed the `user` and `group` option as they do not make sense to me
for a home-manager module, which should target a single user. They can
always be added back if somebody comes screaming.
This is somewhat modeled after sops-nix's own module [3].
[1]: https://github.com/ryantm/agenix/pull/58/
[2]: https://github.com/ryantm/agenix/pull/109
[3]: https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
2023-05-06 14:18:17 +01:00
Ryan Mulligan
b67873854d
Revert "fix: disallow Nix store paths in age.identityPaths option"
2023-02-26 15:11:56 -08:00
Ryan Mulligan
1141c36c26
fix: disallow Nix store paths in age.identityPaths option
2023-02-26 09:03:17 -08:00
Ryan Mulligan
2c0ae7d44f
contrib: stop packaging rage
We don't need to package rage anymore, since all the latest maintained
versions of Nix have versions higher than what we need.
2023-02-21 20:33:19 -08:00
Matthias Putz
ec66ebe0ee
Make isDarwin check more robust
2023-02-20 13:47:48 +01:00
Nathan Henrie
37c7297956
Skip missing or unreadable keys
2023-02-11 07:34:06 -07:00
Nathan Henrie
d7fd31756e
Remove activation scripts again
2023-01-30 15:52:05 -07:00
Nathan Henrie
6ec0b0f7c7
Revert to hdiutil for older macOS compatibility, be explicit about the weird number after ram://
2023-01-30 15:51:52 -07:00
Nathan Henrie
9779a98f1e
Testing for CI -- revert "Remove activation scripts"
This reverts commit 4c315d9683.
2023-01-30 15:33:50 -07:00
Nathan Henrie
4b2b6fa111
Simplify removal of trailing spaces
2023-01-30 14:37:15 -07:00
Nathan Henrie
4c315d9683
Remove activation scripts
2023-01-30 14:21:49 -07:00
Nathan Henrie
9b94b43971
format
2023-01-30 14:21:42 -07:00
Nathan Henrie
c69689da58
Use diskutil for more convenient sizes, strip trailing tabs
2023-01-30 14:21:33 -07:00
Nathan Henrie
b818ac2e7d
fmt
2023-01-30 09:18:56 -07:00
Nathan Henrie
019784cb7e
Give volume a name
2023-01-30 09:06:59 -07:00
Nathan Henrie
8867c12d72
Cleanup, improve readability
2023-01-30 09:06:39 -07:00
Nathan Henrie
4532604741
Silence output
2023-01-30 09:06:03 -07:00
Nathan Henrie
351e874918
Try to add nix-darwin support to agenix
Merges work by @montchr, @cmhamill, and @rtimush and rebases on main.
- fixes https://github.com/ryantm/agenix/issues/60
- fixes https://github.com/ryantm/agenix/issues/120
- closes https://github.com/ryantm/agenix/pull/107
2023-01-29 16:41:49 -07:00
Ryan Mulligan
16bef569f4
contrib: format Nix code with Alejandra
2023-01-29 10:57:51 -08:00
Ryan Mulligan
f86b56229b
feature: combine root and nonroot secret install; delay chowning
2022-07-10 11:47:58 -07:00
Jeroen Simonetti
fe206b4306
[module] change operation order
Change the order of operations to:
1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets
Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2022-07-10 19:12:55 +02:00
Ryan Mulligan
1a4643b779
feature: warn about missing files
rage itself does not have good error messages when files are missing,
so add some of our own checks and warnings.
2022-03-08 08:00:43 -08:00
Parthiv Seetharaman
85bd9d01ad
modules/age: add option for secrets directory
2022-02-21 15:20:05 -08:00
Jan Tojnar
35ecba5704
Do not try to create /run/agenix when installing secrets
That is a job for agenixMountSecrets, which should have already
created a symlink there so the directory creation attempt would
fail anyway.
2022-01-06 22:55:10 +01:00
Jan Tojnar
26edd03a5a
Ensure /run is created before mounting secrets
Otherwise /run/agenix might disappear if specialfs is toposorted
between agenixMountSecrets and agenixRoot.
Fixes: https://github.com/ryantm/agenix/issues/92
2022-01-06 22:50:56 +01:00
Ryan Mulligan
dfb2e7e591
feature: rename age.sshKeyPaths to age.identityPaths
implements #66
2021-12-05 16:05:06 -08:00
Chuang Zhu
c2f6bd077c
allow customizing ageBin
2021-12-06 07:08:18 +08:00
sohalt
ed0d9ef01a
update option descriptions
2021-11-24 18:00:28 +01:00
Ryan Mulligan
5ff75b48b4
fix: make non-root secrets accessible again
fixes #69
2021-11-20 12:19:52 -08:00
Cole Helbling
7bb0b5d7f1
modules/age: add option to disable symlinking
There are some cases where it may be better or even required to have the
secret be a file that is not a symlink. Setting
age.secrets.some-secret.symlink = false;
will disable the default functionality of symlinking secrets and instead
just forcibly move them to their `path`.
2021-11-15 21:39:32 -08:00
Cole Helbling
e538664435
modules/age: /run/secrets -> /run/agenix
2021-11-15 21:39:32 -08:00
Cole Helbling
111754b894
modules/age: remove old secrets generations
2021-11-15 21:39:32 -08:00
Cole Helbling
f816a0d5df
modules/age: symlink files into place
This follows sops-nix's implementation, where it creates a
`/run/secrets.d` ramfs mountpoint and a "generation" each time
the activation script runs, and then symlinks `/run/secrets` to
`/run/secrets.d/[generation]`.
2021-11-15 21:39:32 -08:00
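Added example, not agenix's own module code: a plain-shell sketch of the installation pattern described in f816a0d5df and fe206b4306 (new generation directory, decrypt into it, repoint the symlink, drop old generations) together with the check motivated by 08ed896eb6 (a link destination that already exists as a real directory must abort rather than silently get a link created inside it). The function names are hypothetical, the "decryption" step is a file copy standing in for the age/rage call, all paths live under a temporary directory, and the directory check is written as an explicit test rather than relying on whatever `ln` flag the project itself uses.

```bash
#!/usr/bin/env bash
# Added example, not agenix's own code: generation directory + symlink swap,
# plus the "destination must not be a directory" check, as runnable shell.
set -euo pipefail

# Stand-in for the decryption step. agenix runs age/rage here; for an offline
# demo we treat *.age inputs as plaintext and just copy them (assumption).
decrypt_secret() {
  local ciphertext=$1 dest=$2
  install -m 0400 "$ciphertext" "$dest"
}

# Install secrets in the order the "change operation order" commit describes:
#   1. create a new generation directory  $base.d/<n>
#   2. decrypt every $src_dir/*.age into it
#   3. repoint the $base symlink, then delete older generations
# Prints the new generation's path.
install_generation() {
  local base=$1 src_dir=$2
  local gen_dir="$base.d" prev new f old
  mkdir -p "$gen_dir"
  prev=$(ls "$gen_dir" | sort -n | tail -n 1)
  new="$gen_dir/$(( ${prev:-0} + 1 ))"
  (umask 077; mkdir "$new")              # private while being filled
  for f in "$src_dir"/*.age; do
    [ -e "$f" ] || continue              # no secrets configured
    decrypt_secret "$f" "$new/$(basename "$f" .age)"
  done
  # -n makes ln replace an existing symlink-to-directory instead of
  # descending into it, so $base moves from the old generation to the new one.
  ln -sfn "$new" "$base"
  for old in "$gen_dir"/*; do
    [ "$old" = "$new" ] || rm -rf "$old"
  done
  printf '%s\n' "$new"
}

# Link one decrypted secret to its configured path. If the destination is a
# real directory (the initrd case from 08ed896eb6), `ln -sf` would quietly
# create the link *inside* it; refuse instead. A symlink to a directory is
# fine: -n replaces it.
link_secret() {
  local src=$1 dst=$2
  if [ -d "$dst" ] && [ ! -L "$dst" ]; then
    printf 'error: %s is a directory, refusing to link %s there\n' "$dst" "$src" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dst")"
  ln -sfn "$src" "$dst"
}

# Demo on constructed input under a temp dir (no real keys involved).
demo() {
  local root src
  root=$(mktemp -d) src="$root/secrets"
  mkdir -p "$src"
  printf 'hunter2\n' > "$src/db-password.age"               # constructed input
  install_generation "$root/run/agenix" "$src" >/dev/null
  install_generation "$root/run/agenix" "$src" >/dev/null   # second activation
  ls "$root/run/agenix.d"                                   # only "2" remains
  link_secret "$root/run/agenix/db-password" "$root/etc/db-password"
  mkdir -p "$root/etc/api-key"                              # materialized as a dir
  link_secret "$root/run/agenix/db-password" "$root/etc/api-key" \
    || echo "aborted as intended"
  rm -rf "$root"
}

demo
```

The order matters for the failure mode the fe206b4306 message is about: the old generation stays intact until the new one is fully populated and the symlink has been moved, so a decryption error leaves the previous secrets in place instead of a half-filled directory.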
Ryan Mulligan
6d9fdcbd70
fix: remove workaround for #54
https://github.com/NixOS/nixpkgs/pull/137508 should remove the need
for this.
2021-09-16 15:39:38 -07:00
Ryan Mulligan
375a33cd97
fix: workaround for #54
2021-09-10 16:30:05 -07:00
Kazutoshi Noguchi
8bad14fe08
run activation scripts after /run mount
2021-07-01 14:13:44 +09:00
Ryan Mulligan
b69fd62fbb
fix: umask
fixes #38
2021-05-12 20:11:17 -07:00
Ryan Mulligan
6aec6889ba
feature: use uid 0 and gid 0 as default owner and group (consider them root)
This assumes that the root user is always uid 0 and gid 0, which I
believe is a safe assumption. The reason to add this is because when a
declarative VM (for example, a NixOS test) or image boots the first
time, the installRootOwnedSecrets activation script runs BEFORE the
"users" and "groups" activation scripts, so the user and group for
root is not created. Using uid 0 and gid 0 gets around the root user
not being set up yet.
2021-05-09 14:18:20 -07:00
Ryan Mulligan
ecee2c76b9
fix: allow deps of installRootOwnedSecrets activation script to be overridden
2021-05-09 14:17:48 -07:00
Felix Scheinost
3f07139990
Fix relative path
2021-03-16 18:31:27 +01:00
Cole Helbling
ef7ec993e8
modules/age: build local rage if pkgs.rage is older than 0.5.0
2021-03-01 13:11:02 -08:00
Cole Helbling
9b8f6c01fe
modules/age: nixpkgs-fmt
2021-03-01 13:10:52 -08:00
Cole Helbling
7ba959742e
modules/age: set LANG
rage has a localization crate as a dependency that whines when LANG
is unset.
2021-02-25 15:16:28 -08:00
Aluísio Augusto Silva Gonçalves
b0a48f587e
correctly list non-root secrets
Secrets that are only partly owned by root (i.e. either user or group
is not 'root') are now accounted for during activation.
2020-12-22 01:34:35 -03:00