Compare commits
52 Commits
Author | SHA1 | Date |
---|---|---|
Nathan Henrie | 8d37c5bdea | |
hansemschnokeloch | 63a57d8dfb | |
Jörg Thalheim | 07479c2e73 | |
Ryan Mulligan | 24a7ea3905 | |
Ellis Gibbons | 2c1d1fb134 | |
Cole Helbling | 1381a759b2 | |
oluceps | 3fd98a2c3b | |
Ryan Mulligan | 8cb01a0e71 | |
kraem | 1f62cef426 | |
Ryan Mulligan | 417caa847f | |
Ryan Mulligan | a23aa271be | |
Ryan Mulligan | bc24f2e510 | |
Ryan Mulligan | 457669db42 | |
Nathan Henrie | 6ce42cc768 | |
Ryan Mulligan | 23d4d5d291 | |
Ryan Mulligan | b6aa6180db | |
Ryan Mulligan | 58017c0c93 | |
Ryan Mulligan | bd86c06961 | |
Ryan Mulligan | eb3b5cf4fd | |
Ryan Mulligan | 5c1198a352 | |
Ryan Mulligan | 9bc80dc4ce | |
Ryan Mulligan | d0d4ad5be6 | |
Ryan Mulligan | 08dc5068e6 | |
Ryan Mulligan | 17090d105a | |
Ryan Mulligan | 097aa18b59 | |
Ryan Mulligan | 344f985526 | |
Ryan Mulligan | 564595d0ad | |
Ryan Mulligan | b7e0494b10 | |
Samuele Facenda | 9d3b37a117 | |
Ryan Mulligan | 93cec0ce6e | |
Ryan Mulligan | 221a1f22e5 | |
Ryan Mulligan | 6cb7cd66c2 | |
Ryan Mulligan | 13ac9ac6d6 | |
Shiva Kaul | 4c48606094 | |
Charles Hall | 65fe5959c3 | |
Charles Hall | 05591973d7 | |
Ryan Mulligan | daf42cb35b | |
Ryan Mulligan | dbc533ddc2 | |
Ryan Mulligan | e2f339274d | |
Tim Häring | b5fa96a90e | |
Ryan Mulligan | 1f677b3e16 | |
William McKinnon | 115e561054 | |
Ryan Mulligan | 7f9dfa309f | |
Nathan Henrie | da763b2c4b | |
Nathan Henrie | eb1386f3b2 | |
Ryan Mulligan | 572baca9b0 | |
Nathan Henrie | b76899f4c1 | |
Nathan Henrie | 7f30f9b4b3 | |
Nathan Henrie | da5d6f05f9 | |
Ryan Mulligan | 20deb735cc | |
Ryan Mulligan | 2ed2dc7582 | |
Nicolas Lenz | fe4f564f13 |
|
@ -0,0 +1,35 @@
|
|||
|
||||
name-template: '$RESOLVED_VERSION'
|
||||
tag-template: '$RESOLVED_VERSION'
|
||||
categories:
|
||||
- title: '🚀 Features'
|
||||
labels:
|
||||
- 'feature'
|
||||
- 'enhancement'
|
||||
- title: '🐛 Bug Fixes'
|
||||
labels:
|
||||
- 'fix'
|
||||
- 'bugfix'
|
||||
- 'bug'
|
||||
- title: '🧰 Development'
|
||||
label: 'dev'
|
||||
- title: '🤖 Dependencies'
|
||||
label: 'dependencies'
|
||||
- title: '🔒 Security'
|
||||
label: 'security'
|
||||
change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
|
||||
change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
|
||||
version-resolver:
|
||||
major:
|
||||
labels:
|
||||
- 'major'
|
||||
minor:
|
||||
labels:
|
||||
- 'minor'
|
||||
patch:
|
||||
labels:
|
||||
- 'patch'
|
||||
default: patch
|
||||
template: |
|
||||
## Changes
|
||||
$CHANGES
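Review bot: `change-title-escapes: '\<*_&'` leaves `@` and `#` unescaped, so a pull-request title containing `@someone` or `#123` is rendered verbatim into the draft release body and will notify that user or link that issue when the draft is published. Titles are contributor-controlled text, and the companion workflow processes fork PRs via `pull_request_target`, so this is effectively untrusted input. The inline comment already describes the opt-out; unless mentions from titles are wanted, use `change-title-escapes: '\<*_&@#'` (the `@$AUTHOR` in `change-template` is template text, so it should be unaffected).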
|
|
@ -7,29 +7,39 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: cachix/install-nix-action@v18
|
||||
- uses: cachix/install-nix-action@v22
|
||||
with:
|
||||
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
extra_nix_config: |
|
||||
system-features = nixos-test recursive-nix benchmark big-parallel kvm
|
||||
extra-experimental-features = recursive-nix nix-command flakes
|
||||
- run: nix build
|
||||
- run: nix build .#doc
|
||||
- run: nix fmt . -- --check
|
||||
- run: nix flake check
|
||||
tests-darwin:
|
||||
runs-on: macos-11
|
||||
runs-on: macos-12
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- uses: cachix/install-nix-action@v18
|
||||
- uses: cachix/install-nix-action@v24
|
||||
with:
|
||||
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
extra_nix_config: |
|
||||
system-features = nixos-test recursive-nix benchmark big-parallel kvm
|
||||
extra-experimental-features = recursive-nix nix-command flakes
|
||||
- run: nix build
|
||||
- run: nix build .#doc
|
||||
- run: nix fmt . -- --check
|
||||
- run: nix flake check
|
||||
- name: "Install nix-darwin module"
|
||||
run: |
|
||||
system=$(nix build --no-link --print-out-paths .#checks.x86_64-darwin.integration)
|
||||
${system}/activate-user
|
||||
sudo ${system}/activate
|
||||
# https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
|
||||
|
||||
sudo mv /etc/nix/nix.conf{,.bak}
|
||||
nix \
|
||||
--extra-experimental-features 'nix-command flakes' \
|
||||
build .#checks.x86_64-darwin.integration
|
||||
|
||||
./result/activate-user
|
||||
sudo ./result/activate
|
||||
- name: "Test nix-darwin module"
|
||||
run: |
|
||||
sudo /run/current-system/sw/bin/agenix-integration
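Review bot: The third-party actions are pinned to mutable major tags (`actions/checkout@v3`, `cachix/install-nix-action@v22` in the Linux job but `@v24` in the Darwin job), so the workflow trusts whatever those tags resolve to at run time; pin to a full commit SHA with the version in a trailing comment, e.g. `- uses: cachix/install-nix-action@<commit-sha> # v24`, and use the same version in both jobs. The Darwin job also moves the installer's `/etc/nix/nix.conf` aside (`sudo mv /etc/nix/nix.conf{,.bak}`) and re-runs the integration build with only `nix-command flakes` enabled, so that second build presumably no longer sees the `extra_nix_config` settings given to the install action; the linked PR comment does not say what is being worked around, so a one-line comment next to the `sudo mv` such as `# nix-darwin activation replaces nix.conf; back it up so the second build uses the default config` (adjusted to the real reason) would help. The `jobs:` block begins outside the hunk.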
|
||||
|
|
|
@ -0,0 +1,33 @@
|
|||
name: Release Drafter
|
||||
|
||||
on:
|
||||
push:
|
||||
# branches to consider in the event; optional, defaults to all
|
||||
branches:
|
||||
- main
|
||||
# pull_request event is required only for autolabeler
|
||||
pull_request:
|
||||
# Only following types are handled by the action, but one can default to all as well
|
||||
types: [opened, reopened, synchronize]
|
||||
# pull_request_target event is required for autolabeler to support PRs from forks
|
||||
pull_request_target:
|
||||
types: [opened, reopened, synchronize]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update_release_draft:
|
||||
permissions:
|
||||
# write permission is required to create a github release
|
||||
contents: write
|
||||
# write permission is required for autolabeler
|
||||
# otherwise, read permission is required at least
|
||||
pull-requests: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
# Drafts your next Release notes as Pull Requests are merged into "main"
|
||||
- uses: release-drafter/release-drafter@v5
|
||||
continue-on-error: true
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
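Review bot: The job grants `contents: write` and `pull-requests: write` while also triggering on `pull_request_target`, so for a fork PR the step runs in the base-repository context with a token that can create releases and edit PRs. That is tolerable only because the job never checks out or executes anything from the PR head, so make that invariant explicit with a comment above the trigger, e.g. `# pull_request_target runs with a write token: never add a checkout or build of the PR head to this job`. The separate `pull_request:` trigger with the same event types looks redundant next to `pull_request_target` (both feed the autolabeler), and `continue-on-error: true` on the only step means a broken labeler or release draft is never surfaced; consider dropping one of the two triggers and the `continue-on-error`.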
|
16
README.md
16
README.md
|
@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
|
|||
|
||||
## Notices
|
||||
|
||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
|
||||
## Installation
|
||||
|
||||
|
@ -205,7 +205,7 @@ You can run the CLI tool ad-hoc without installing it:
|
|||
nix run github:ryantm/agenix -- --help
|
||||
```
|
||||
|
||||
But you can also add it permanently into a [NixOS module](https://nixos.wiki/wiki/NixOS_modules)
|
||||
But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules)
|
||||
(replace system "x86_64-linux" with your system):
|
||||
|
||||
```nix
|
||||
|
@ -273,7 +273,7 @@ e.g. inside your `flake.nix` file:
|
|||
* your local computer usually in `~/.ssh`, e.g. `~/.ssh/id_ed25519.pub`.
|
||||
* from a running target machine with `ssh-keyscan`:
|
||||
```ShellSession
|
||||
$ ssh-keyscan <user>@<ip-address>
|
||||
$ ssh-keyscan <ip-address>
|
||||
... ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1
|
||||
...
|
||||
```
|
||||
|
@ -445,7 +445,7 @@ Example:
|
|||
#### `age.secrets.<name>.symlink`
|
||||
|
||||
`age.secrets.<name>.symlink` is a boolean. If true (the default),
|
||||
secrets are symlinked to `age.secrets.<name>.path`. If false, secerts
|
||||
secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
|
||||
are copied to `age.secrets.<name>.path`. Usually, you want to keep
|
||||
this as true, because it secure cleanup of secrets no longer
|
||||
used. (The symlink will still be there, but it will be broken.) If
|
||||
|
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
|
|||
#### `age.ageBin`
|
||||
|
||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||
don't need to change this. Defaults to `rage/bin/rage`.
|
||||
don't need to change this. Defaults to `age/bin/age`.
|
||||
|
||||
Overriding `age.ageBin` example:
|
||||
|
||||
|
@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
|
|||
|
||||
#### Overriding age binary
|
||||
|
||||
The agenix CLI uses `rage` by default as its age implemenation, you
|
||||
can use the reference implementation `age` with Flakes like this:
|
||||
The agenix CLI uses `age` by default as its age implemenation, you
|
||||
can use the `rage` implementation with Flakes like this:
|
||||
|
||||
```nix
|
||||
{pkgs,agenix,...}:{
|
||||
environment.systemPackages = [
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
|
||||
];
|
||||
}
|
||||
```
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# Notices {#notices}
|
||||
|
||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# Overriding age binary {#overriding-age-binary}
|
||||
|
||||
The agenix CLI uses `rage` by default as its age implemenation, you
|
||||
can use the reference implementation `age` with Flakes like this:
|
||||
The agenix CLI uses `age` by default as its age implemenation, you
|
||||
can use the `rage` implementation with Flakes like this:
|
||||
|
||||
```nix
|
||||
{pkgs,agenix,...}:{
|
||||
environment.systemPackages = [
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
|
||||
];
|
||||
}
|
||||
```
|
||||
|
|
|
@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
|
|||
### `age.ageBin`
|
||||
|
||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||
don't need to change this. Defaults to `rage/bin/rage`.
|
||||
don't need to change this. Defaults to `age/bin/age`.
|
||||
|
||||
Overriding `age.ageBin` example:
|
||||
|
||||
|
|
36
flake.lock
36
flake.lock
|
@ -7,11 +7,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1673295039,
|
||||
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||
"lastModified": 1700795494,
|
||||
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -28,11 +28,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682203081,
|
||||
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
|
||||
"lastModified": 1703113217,
|
||||
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
|
||||
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -43,11 +43,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1677676435,
|
||||
"narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
|
||||
"lastModified": 1703013332,
|
||||
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
|
||||
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -61,7 +61,23 @@
|
|||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"systems": "systems"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
39
flake.nix
39
flake.nix
|
@ -11,6 +11,7 @@
|
|||
url = "github:nix-community/home-manager";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
systems.url = "github:nix-systems/default";
|
||||
};
|
||||
|
||||
outputs = {
|
||||
|
@ -18,9 +19,9 @@
|
|||
nixpkgs,
|
||||
darwin,
|
||||
home-manager,
|
||||
systems,
|
||||
}: let
|
||||
agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
|
||||
doc = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {};
|
||||
eachSystem = nixpkgs.lib.genAttrs (import systems);
|
||||
in {
|
||||
nixosModules.age = import ./modules/age.nix;
|
||||
nixosModules.default = self.nixosModules.age;
|
||||
|
@ -33,30 +34,13 @@
|
|||
|
||||
overlays.default = import ./overlay.nix;
|
||||
|
||||
formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra;
|
||||
packages.x86_64-darwin.agenix = agenix "x86_64-darwin";
|
||||
packages.x86_64-darwin.doc = doc "x86_64-darwin";
|
||||
packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix;
|
||||
formatter = eachSystem (system: nixpkgs.legacyPackages.${system}.alejandra);
|
||||
|
||||
formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra;
|
||||
packages.aarch64-darwin.agenix = agenix "aarch64-darwin";
|
||||
packages.aarch64-darwin.doc = doc "aarch64-darwin";
|
||||
packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix;
|
||||
|
||||
formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;
|
||||
packages.aarch64-linux.agenix = agenix "aarch64-linux";
|
||||
packages.aarch64-linux.doc = doc "aarch64-linux";
|
||||
packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
|
||||
|
||||
formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra;
|
||||
packages.i686-linux.agenix = agenix "i686-linux";
|
||||
packages.i686-linux.doc = doc "i686-linux";
|
||||
packages.i686-linux.default = self.packages.i686-linux.agenix;
|
||||
|
||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
|
||||
packages.x86_64-linux.agenix = agenix "x86_64-linux";
|
||||
packages.x86_64-linux.default = self.packages.x86_64-linux.agenix;
|
||||
packages.x86_64-linux.doc = doc "x86_64-linux";
|
||||
packages = eachSystem (system: {
|
||||
agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
|
||||
doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;};
|
||||
default = self.packages.${system}.agenix;
|
||||
});
|
||||
|
||||
checks =
|
||||
nixpkgs.lib.genAttrs ["aarch64-darwin" "x86_64-darwin"] (system: {
|
||||
|
@ -65,7 +49,10 @@
|
|||
inherit system;
|
||||
modules = [
|
||||
./test/integration_darwin.nix
|
||||
"${darwin.outPath}/pkgs/darwin-installer/installer.nix"
|
||||
|
||||
# Allow new-style nix commands in CI
|
||||
{nix.extraOptions = "experimental-features = nix-command flakes";}
|
||||
|
||||
home-manager.darwinModules.home-manager
|
||||
{
|
||||
home-manager = {
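Review bot: `checks` still enumerates `["aarch64-darwin" "x86_64-darwin"]` by hand while `formatter` and `packages` now derive their systems from the `systems` input via `eachSystem`, so adding a system to `nix-systems/default` grows the packages but not the checks. If the darwin-only list is deliberate because the integration check builds a nix-darwin system, a comment such as `# darwin only: the integration check builds a nix-darwin configuration` above the `genAttrs` call would save the next reader the question. The `{nix.extraOptions = "experimental-features = nix-command flakes";}` module is labelled as for CI, but it is part of the check's system closure wherever `nix flake check` is run; a note that it is test-fixture configuration rather than a recommended setting would avoid it being copied. The `checks` attribute continues past the hunk.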
|
||||
|
|
|
@ -48,7 +48,7 @@ with lib; let
|
|||
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
|
||||
|
||||
mkdir -p "$(dirname "$_truePath")"
|
||||
# shellcheck disable=SC2193
|
||||
# shellcheck disable=SC2193,SC2050
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
|
||||
(
|
||||
umask u=r,g=,o=
|
||||
|
@ -60,7 +60,7 @@ with lib; let
|
|||
mv -f "$TMP_FILE" "$_truePath"
|
||||
|
||||
${optionalString secretType.symlink ''
|
||||
# shellcheck disable=SC2193
|
||||
# shellcheck disable=SC2193,SC2050
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
|
||||
''}
|
||||
'';
|
||||
|
@ -155,7 +155,7 @@ with lib; let
|
|||
'';
|
||||
in {
|
||||
options.age = {
|
||||
package = mkPackageOption pkgs "rage" {};
|
||||
package = mkPackageOption pkgs "age" {};
|
||||
|
||||
secrets = mkOption {
|
||||
type = types.attrsOf secretType;
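Review bot: `# shellcheck disable=SC2193,SC2050` silences the "constant expression" warning instead of removing the constant: both sides of `[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ]` are Nix-time strings, so the comparison can be made in Nix and the shell line emitted only when it matters, e.g. `${optionalString (secretType.path != "${cfg.secretsDir}/${secretType.name}") ''mkdir -p "$(dirname "${secretType.path}")"''}` (and the same for the `ln -sfn` line). That drops the shellcheck suppression and stops interpolating a path into a shell test where a `"` in the configured path would break quoting. Switching the default `package` from `rage` to `age` is a user-visible default change for existing configurations and is worth a line in the release notes. The enclosing `let` and option block extend beyond the hunks.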
|
||||
|
|
|
@ -69,6 +69,7 @@ with lib; let
|
|||
IDENTITIES=()
|
||||
for identity in ${toString cfg.identityPaths}; do
|
||||
test -r "$identity" || continue
|
||||
test -s "$identity" || continue
|
||||
IDENTITIES+=(-i)
|
||||
IDENTITIES+=("$identity")
|
||||
done
|
||||
|
@ -189,9 +190,9 @@ in {
|
|||
options.age = {
|
||||
ageBin = mkOption {
|
||||
type = types.str;
|
||||
default = "${pkgs.rage}/bin/rage";
|
||||
default = "${pkgs.age}/bin/age";
|
||||
defaultText = literalExpression ''
|
||||
"''${pkgs.rage}/bin/rage"
|
||||
"''${pkgs.age}/bin/age"
|
||||
'';
|
||||
description = ''
|
||||
The age executable to use.
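Review bot: `test -s "$identity" || continue` skips an empty identity file silently; together with the existing warning that fires only when no identity at all is readable, a truncated or zero-byte key file is simply ignored and decryption later fails with age's own error. Emitting a message on that path, e.g. `test -s "$identity" || { echo "[agenix] WARNING: skipping empty identity file $identity"; continue; }`, would point the user at the actual cause. The identity loop's enclosing script continues outside the hunk.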
|
||||
|
|
|
@ -1,37 +1,62 @@
|
|||
{
|
||||
lib,
|
||||
stdenv,
|
||||
rage,
|
||||
gnused,
|
||||
age,
|
||||
jq,
|
||||
nix,
|
||||
mktemp,
|
||||
diffutils,
|
||||
substituteAll,
|
||||
ageBin ? "${rage}/bin/rage",
|
||||
ageBin ? "${age}/bin/age",
|
||||
shellcheck,
|
||||
}:
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "agenix";
|
||||
version = "0.14.0";
|
||||
src = substituteAll {
|
||||
inherit ageBin version;
|
||||
sedBin = "${gnused}/bin/sed";
|
||||
nixInstantiate = "${nix}/bin/nix-instantiate";
|
||||
mktempBin = "${mktemp}/bin/mktemp";
|
||||
diffBin = "${diffutils}/bin/diff";
|
||||
src = ./agenix.sh;
|
||||
};
|
||||
dontUnpack = true;
|
||||
}: let
|
||||
bin = "${placeholder "out"}/bin/agenix";
|
||||
in
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "agenix";
|
||||
version = "0.15.0";
|
||||
src = substituteAll {
|
||||
inherit ageBin version;
|
||||
jqBin = "${jq}/bin/jq";
|
||||
nixInstantiate = "${nix}/bin/nix-instantiate";
|
||||
mktempBin = "${mktemp}/bin/mktemp";
|
||||
diffBin = "${diffutils}/bin/diff";
|
||||
src = ./agenix.sh;
|
||||
};
|
||||
dontUnpack = true;
|
||||
doInstallCheck = true;
|
||||
installCheckInputs = [shellcheck];
|
||||
postInstallCheck = ''
|
||||
shellcheck ${bin}
|
||||
${bin} -h | grep ${version}
|
||||
|
||||
doCheck = true;
|
||||
checkInputs = [shellcheck];
|
||||
postCheck = ''
|
||||
shellcheck $src
|
||||
'';
|
||||
HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
|
||||
function cleanup {
|
||||
rm -rf $HOME
|
||||
}
|
||||
trap "cleanup" 0 2 3 15
|
||||
|
||||
installPhase = ''
|
||||
install -D $src ${placeholder "out"}/bin/agenix
|
||||
'';
|
||||
mkdir -p $HOME/.ssh
|
||||
cp -r "${../example}" $HOME/secrets
|
||||
chmod -R u+rw $HOME/secrets
|
||||
(
|
||||
umask u=rw,g=r,o=r
|
||||
cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
|
||||
chown $UID $HOME/.ssh/id_ed25519.pub
|
||||
)
|
||||
(
|
||||
umask u=rw,g=,o=
|
||||
cp ${../example_keys/user1} $HOME/.ssh/id_ed25519
|
||||
chown $UID $HOME/.ssh/id_ed25519
|
||||
)
|
||||
|
||||
meta.description = "age-encrypted secrets for NixOS";
|
||||
}
|
||||
cd $HOME/secrets
|
||||
test $(${bin} -d secret1.age) = "hello"
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
install -D $src ${bin}
|
||||
'';
|
||||
|
||||
meta.description = "age-encrypted secrets for NixOS";
|
||||
}
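Review bot: The final assertion `test $(${bin} -d secret1.age) = "hello"` leaves the command substitution unquoted, so a decrypt that prints nothing becomes `test = hello` (a `test` syntax error) and a multi-word secret becomes a wrong-argument-count error, both failing the build for a misleading reason; write `test "$(${bin} -d secret1.age)" = "hello"`, and likewise `rm -rf "$HOME"` in `cleanup`. The check installs `example_keys/user1` as `$HOME/.ssh/id_ed25519` — presumably a throwaway key committed for this test — and a comment saying so, e.g. `# test-only key from ../example_keys; never reuse it`, would make that explicit to anyone reading the derivation. Whether a failed `test` actually aborts the build depends on the phase running with `set -e`, which stdenv normally provides but is not visible here.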
|
||||
|
|
|
@ -115,7 +115,7 @@ function cleanup {
|
|||
trap "cleanup" 0 2 3 15
|
||||
|
||||
function keys {
|
||||
(@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$1\".publicKeys)" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') | @sedBin@ '/^$/d' || exit 1
|
||||
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
|
||||
}
|
||||
|
||||
function decrypt {
|
||||
|
@ -155,7 +155,7 @@ function edit {
|
|||
|
||||
decrypt "$FILE" "$KEYS" || exit 1
|
||||
|
||||
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||
[ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||
|
||||
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
||||
|
||||
|
@ -171,7 +171,9 @@ function edit {
|
|||
ENCRYPT=()
|
||||
while IFS= read -r key
|
||||
do
|
||||
ENCRYPT+=(--recipient "$key")
|
||||
if [ -n "$key" ]; then
|
||||
ENCRYPT+=(--recipient "$key")
|
||||
fi
|
||||
done <<< "$KEYS"
|
||||
|
||||
REENCRYPTED_DIR=$(@mktempBin@ -d)
|
||||
|
@ -181,11 +183,13 @@ function edit {
|
|||
|
||||
@ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
|
||||
|
||||
mv -f "$REENCRYPTED_FILE" "$1"
|
||||
mkdir -p "$(dirname "$FILE")"
|
||||
|
||||
mv -f "$REENCRYPTED_FILE" "$FILE"
|
||||
}
|
||||
|
||||
function rekey {
|
||||
FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
|
||||
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
|
||||
|
||||
for FILE in $FILES
|
||||
do
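Review bot: In `keys`, the `|| exit 1` only observes the exit status of `jq`, the last command in the pipeline, so a failing `nix-instantiate` (bad `$RULES`, unknown attribute, evaluation error) produces empty output, `jq` exits 0 and `$KEYS` is empty; unless the script sets `set -o pipefail` earlier (not visible here), `edit` then relies on the age binary itself refusing to encrypt with no `--recipient`. The new `if [ -n "$key" ]` guard makes that path quiet rather than safe; add `set -o pipefail` near the top of the script or check `PIPESTATUS[0]`, and in `edit` refuse explicitly, e.g. `[ "${#ENCRYPT[@]}" -gt 0 ] || { echo "no recipients for $FILE" >&2; exit 1; }`. The `$1` interpolated into the Nix expression remains unprotected against `"` and `\` in a file name, which is pre-existing but now evaluated with `--strict`. `edit` and `rekey` extend beyond the hunks.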
|
||||
|
|