mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-01 08:39:54 +03:00
Code Issues Projects Releases Packages Wiki Activity
312 commits 4 branches 12 tags 597 KiB
Commit graph

62 commits

Author SHA1 Message Date
oddlama
08ed896eb6
fix: always treat link destinations as files to ensure error when destination is a directory. 
This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
 2024-05-21 15:08:15 +02:00
Ryan Mulligan
5c1198a352 feat: switch from rage to age 
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139

What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
 2023-12-23 14:09:16 -08:00
Nicolas Lenz
fe4f564f13
fix(home): shellcheck failure for fixed secretsDir 2023-09-09 16:46:53 +02:00
Lin Jian
6e8a48c2dc
doc: fix nixos option format in descriptions 2023-06-27 00:06:58 +08:00
Lin Jian
0d94960783
doc: fix defaultText by adding literalExpression 
I also remove an unnecessary defaultText and fix a typo.
 2023-06-27 00:06:39 +08:00
Sefa Eyeoglu
758cdc98f4
Disable shellcheck warning about impossible comparison 
This shellcheck warning occurs when setting a path for a secret using
the home-manager module.

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
 2023-05-12 20:15:30 +02:00
Bruno BELANYI
9274b82816 Add home-manager module 
This is to update and fix the issues I saw in [1] and [2].

Using a service definition instead of an activation script should
resolve the issue about the secrets disappearing after rebooting.

Removed the `user` and `group` option as they do not make sense to me
for a home-manager module, which should target a single user. They can
always be added back if somebody comes screaming.

This is somewhat modeled after sops-nix's own module [3].

[1]: https://github.com/ryantm/agenix/pull/58/
[2]: https://github.com/ryantm/agenix/pull/109
[3]: https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
 2023-05-06 14:18:17 +01:00
Ryan Mulligan
b67873854d
Revert "fix: disallow Nix store paths in age.identityPaths option" 2023-02-26 15:11:56 -08:00
Ryan Mulligan
1141c36c26 fix: disallow Nix store paths in age.identityPaths option 2023-02-26 09:03:17 -08:00
Ryan Mulligan
2c0ae7d44f contrib: stop packaging rage 
We don't need to package rage anymore, since all the latest maintained
versions of Nix have versions higher than what we need.
 2023-02-21 20:33:19 -08:00
Matthias Putz
ec66ebe0ee Make isDarwin check more robust 2023-02-20 13:47:48 +01:00
Nathan Henrie
37c7297956 Skip missing or unreadable keys 2023-02-11 07:34:06 -07:00
Nathan Henrie
d7fd31756e Remove activation scripts again 2023-01-30 15:52:05 -07:00
Nathan Henrie
6ec0b0f7c7 Revert to hdiutil for older macos compatibility, be explicit about the weird number after ram:// 2023-01-30 15:51:52 -07:00
Nathan Henrie
9779a98f1e Testing for CI -- revert "Remove activation scripts" 
This reverts commit 4c315d9683.
 2023-01-30 15:33:50 -07:00
Nathan Henrie
4b2b6fa111 Simplify removal of trailing spaces 2023-01-30 14:37:15 -07:00
Nathan Henrie
4c315d9683 Remove activation scripts 2023-01-30 14:21:49 -07:00
Nathan Henrie
9b94b43971 format 2023-01-30 14:21:42 -07:00
Nathan Henrie
c69689da58 Use diskutil for more convenient sizes, strip trailing tabs 2023-01-30 14:21:33 -07:00
Nathan Henrie
b818ac2e7d fmt 2023-01-30 09:18:56 -07:00
Nathan Henrie
019784cb7e Give volume a name 2023-01-30 09:06:59 -07:00
Nathan Henrie
8867c12d72 Cleanup, improve readability 2023-01-30 09:06:39 -07:00
Nathan Henrie
4532604741 Silence output 2023-01-30 09:06:03 -07:00
Nathan Henrie
351e874918 Try to add nix-darwin support to agenix 
Merges work by @montchr, @cmhamill, and @rtimush and rebases on main.

- fixes https://github.com/ryantm/agenix/issues/60
- fixes https://github.com/ryantm/agenix/issues/120
- closes https://github.com/ryantm/agenix/pull/107
 2023-01-29 16:41:49 -07:00
Ryan Mulligan
16bef569f4 contrib: format Nix code with Alejandra 2023-01-29 10:57:51 -08:00
Ryan Mulligan
f86b56229b feature: combine root and nonroot secret install; delay chowning 2022-07-10 11:47:58 -07:00
Jeroen Simonetti
fe206b4306
[module] change operation order 
Change the order of operations to:

1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
 2022-07-10 19:12:55 +02:00
Ryan Mulligan
1a4643b779 feature: warn about missing files 
rage itself does not have good error messages when files are missing,
so add some of our own checks and warnings.
 2022-03-08 08:00:43 -08:00
Parthiv Seetharaman
85bd9d01ad modules/age: add option for secrets directory 2022-02-21 15:20:05 -08:00
Jan Tojnar
35ecba5704 Do not try to create /run/agenix in when installing secrets 
That is a job for agenixMountSecrets, which should have already
created a symlink there so the directory creation attempt would
fail anyway.
 2022-01-06 22:55:10 +01:00
Jan Tojnar
26edd03a5a Ensure /run is created before mounting secrets 
Otherwise /run/agenix might disappear if specialfs is toposorted
between agenixMountSecrets and agenixRoot.

Fixes: https://github.com/ryantm/agenix/issues/92
 2022-01-06 22:50:56 +01:00
Ryan Mulligan
dfb2e7e591 feature: rename age.sshKeyPaths to age.identityPaths 
implements #66
 2021-12-05 16:05:06 -08:00
Chuang Zhu
c2f6bd077c
allow customizing ageBin 2021-12-06 07:08:18 +08:00
sohalt
ed0d9ef01a update option descriptions 2021-11-24 18:00:28 +01:00
Ryan Mulligan
5ff75b48b4 fix: make non-root secrets accessible again 
fixes #69
 2021-11-20 12:19:52 -08:00
Cole Helbling
7bb0b5d7f1 modules/age: add option to disable symlinking 
There are some cases where it may be better or even required to have the
secret be a file that is not a symlink. Setting

    age.secrets.some-secret.symlink = false;

will disable the default functionality of symlinking secrets and instead
just forcibly move them to their `path`.
 2021-11-15 21:39:32 -08:00
Cole Helbling
e538664435 modules/age: /run/secrets -> /run/agenix 2021-11-15 21:39:32 -08:00
Cole Helbling
111754b894 modules/age: remove old secrets generations 2021-11-15 21:39:32 -08:00
Cole Helbling
f816a0d5df modules/age: symlink files into place 
This follows sops-nix's implementation, where it creates a
`/run/secrets.d` ramfs mountpoint and a "generation" each time
the activation script runs, and then symlinks `/run/secrets` to
`/run/secrets.d/[generation]`.
 2021-11-15 21:39:32 -08:00
Ryan Mulligan
6d9fdcbd70 fix: remove workaround for #54 
https://github.com/NixOS/nixpkgs/pull/137508 should remove the need
for this.
 2021-09-16 15:39:38 -07:00
Ryan Mulligan
375a33cd97 fix: workaround for #54 2021-09-10 16:30:05 -07:00
Kazutoshi Noguchi
8bad14fe08 run activation scripts after /run mount 2021-07-01 14:13:44 +09:00
Ryan Mulligan
b69fd62fbb fix: umask 
fixes #38
 2021-05-12 20:11:17 -07:00
Ryan Mulligan
6aec6889ba feature: use uid 0 and gid 0 as default owner and group (consider them root) 
This assumes that the root user is always uid 0 and gid 0, which I
believe is a safe assumption. The reason to add this is because when a
declarative VM (for example, a NixOS test) or image boots the first
time, the installRootOwnedSecrets activation script runs BEFORE the
"users" and "groups" activation scripts, so the user and group for
root is not created. Using uid 0 and gid 0 gets around the root user
not being set up yet.
 2021-05-09 14:18:20 -07:00
Ryan Mulligan
ecee2c76b9 fix: allow deps of installRootOwnedSecrets activation script to be overridden 2021-05-09 14:17:48 -07:00
Felix Scheinost
3f07139990 Fix relative path 2021-03-16 18:31:27 +01:00
Cole Helbling
ef7ec993e8
modules/age: build local rage if pkgs.rage is older than 0.5.0 2021-03-01 13:11:02 -08:00
Cole Helbling
9b8f6c01fe
modules/age: nixpkgs-fmt 2021-03-01 13:10:52 -08:00
Cole Helbling
7ba959742e
modules/age: set LANG 
rage has a localization crate as a dependency that whines when LANG
is unset.
 2021-02-25 15:16:28 -08:00
Aluísio Augusto Silva Gonçalves
b0a48f587e
correctly list non-root secrets 
Secrets that are only partly owned by root (i.e. either user or group
are not 'root') are now accounted for during activation.
 2020-12-22 01:34:35 -03:00