Merge pull request #259 from hansemschnokeloch/patch-1

Fix typo
2024-05-09 15:32:35 -06:00 · 2024-05-09 22:25:29 +02:00 · 2024-05-07 10:12:37 -07:00 · 2024-04-26 05:59:12 -07:00 · 2024-04-12 17:50:07 -04:00 · 2024-04-02 10:31:00 -07:00
13 changed files with 204 additions and 93 deletions
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@ -0,0 +1,35 @@
+
+name-template: '$RESOLVED_VERSION'
+tag-template: '$RESOLVED_VERSION'
+categories:
+  - title: '🚀 Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+  - title: '🐛 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 Development'
+    label: 'dev'
+  - title: '🤖 Dependencies'
+    label: 'dependencies'
+  - title: '🔒 Security'
+    label: 'security'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  ## Changes
+  $CHANGES
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -7,29 +7,39 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v18
+    - uses: cachix/install-nix-action@v22
      with:
-        extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
+        extra_nix_config: |
+          system-features = nixos-test recursive-nix benchmark big-parallel kvm
+          extra-experimental-features = recursive-nix nix-command flakes
    - run: nix build
    - run: nix build .#doc
    - run: nix fmt . -- --check
    - run: nix flake check
  tests-darwin:
-    runs-on: macos-11
+    runs-on: macos-12
    steps:
    - uses: actions/checkout@v3
-    - uses: cachix/install-nix-action@v18
+    - uses: cachix/install-nix-action@v24
      with:
-        extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
+        extra_nix_config: |
+          system-features = nixos-test recursive-nix benchmark big-parallel kvm
+          extra-experimental-features = recursive-nix nix-command flakes
    - run: nix build
    - run: nix build .#doc
    - run: nix fmt . -- --check
    - run: nix flake check
    - name: "Install nix-darwin module"
      run: |
-        system=$(nix build --no-link --print-out-paths .#checks.x86_64-darwin.integration)
-        ${system}/activate-user
-        sudo ${system}/activate
+        # https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
+
+        sudo mv /etc/nix/nix.conf{,.bak}
+        nix \
+          --extra-experimental-features 'nix-command flakes' \
+          build .#checks.x86_64-darwin.integration
+
+        ./result/activate-user
+        sudo ./result/activate
    - name: "Test nix-darwin module"
      run: |
        sudo /run/current-system/sw/bin/agenix-integration
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@ -0,0 +1,33 @@
+name: Release Drafter
+
+on:
+  push:
+    # branches to consider in the event; optional, defaults to all
+    branches:
+      - main
+  # pull_request event is required only for autolabeler
+  pull_request:
+    # Only following types are handled by the action, but one can default to all as well
+    types: [opened, reopened, synchronize]
+  # pull_request_target event is required for autolabeler to support PRs from forks
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  update_release_draft:
+    permissions:
+      # write permission is required to create a github release
+      contents: write
+      # write permission is required for autolabeler
+      # otherwise, read permission is required at least
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      # Drafts your next Release notes as Pull Requests are merged into "main"
+      - uses: release-drafter/release-drafter@v5
+        continue-on-error: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/README.md
+++ b/README.md
@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita

 ## Notices

-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.

 ## Installation

@ -205,7 +205,7 @@ You can run the CLI tool ad-hoc without installing it:
 nix run github:ryantm/agenix -- --help
 ```

-But you can also add it permanently into a [NixOS module](https://nixos.wiki/wiki/NixOS_modules) 
+But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules)
 (replace system "x86_64-linux" with your system):

 ```nix
@ -273,7 +273,7 @@ e.g. inside your `flake.nix` file:
   * your local computer usually in `~/.ssh`, e.g. `~/.ssh/id_ed25519.pub`.
   * from a running target machine with `ssh-keyscan`:
     ```ShellSession
-     $ ssh-keyscan <user>@<ip-address>
+     $ ssh-keyscan <ip-address>
     ... ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzxQgondgEYcLpcPdJLrTdNgZ2gznOHCAxMdaceTUT1
     ...
     ```
@ -445,7 +445,7 @@ Example:
 #### `age.secrets.<name>.symlink`

 `age.secrets.<name>.symlink` is a boolean. If true (the default),
-secrets are symlinked to `age.secrets.<name>.path`. If false, secerts
+secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
 are copied to `age.secrets.<name>.path`. Usually, you want to keep
 this as true, because it secure cleanup of secrets no longer
 used. (The symlink will still be there, but it will be broken.) If
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
 #### `age.ageBin`

 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.

 Overriding `age.ageBin` example:

@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)

 #### Overriding age binary

-The agenix CLI uses `rage` by default as its age implemenation, you
-can use the reference implementation `age` with Flakes like this:
+The agenix CLI uses `age` by default as its age implemenation, you
+can use the `rage` implementation with Flakes like this:

 ```nix
 {pkgs,agenix,...}:{
  environment.systemPackages = [
-    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
  ];
 }
 ```
--- a/doc/notices.md
+++ b/doc/notices.md
@ -1,3 +1,3 @@
 # Notices {#notices}

-* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
+* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
--- a/doc/overriding-age-binary.md
+++ b/doc/overriding-age-binary.md
@ -1,12 +1,12 @@
 # Overriding age binary {#overriding-age-binary}

-The agenix CLI uses `rage` by default as its age implemenation, you
-can use the reference implementation `age` with Flakes like this:
+The agenix CLI uses `age` by default as its age implemenation, you
+can use the `rage` implementation with Flakes like this:

 ```nix
 {pkgs,agenix,...}:{
  environment.systemPackages = [
-    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
+    (agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
  ];
 }
 ```
--- a/doc/reference.md
+++ b/doc/reference.md
@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
 ### `age.ageBin`

 `age.ageBin` the string of the path to the `age` binary. Usually, you
-don't need to change this. Defaults to `rage/bin/rage`.
+don't need to change this. Defaults to `age/bin/age`.

 Overriding `age.ageBin` example:

--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1673295039,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
        "type": "github"
      },
      "original": {
@ -28,11 +28,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682203081,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "lastModified": 1703113217,
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
        "type": "github"
      },
      "original": {
@ -43,11 +43,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1677676435,
-        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "lastModified": 1703013332,
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
        "type": "github"
      },
      "original": {
@ -61,7 +61,23 @@
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,7 @@
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    systems.url = "github:nix-systems/default";
  };

  outputs = {
@ -18,9 +19,9 @@
    nixpkgs,
    darwin,
    home-manager,
+    systems,
  }: let
-    agenix = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
-    doc = system: nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {};
+    eachSystem = nixpkgs.lib.genAttrs (import systems);
  in {
    nixosModules.age = import ./modules/age.nix;
    nixosModules.default = self.nixosModules.age;
@ -33,30 +34,13 @@

    overlays.default = import ./overlay.nix;

-    formatter.x86_64-darwin = nixpkgs.legacyPackages.x86_64-darwin.alejandra;
-    packages.x86_64-darwin.agenix = agenix "x86_64-darwin";
-    packages.x86_64-darwin.doc = doc "x86_64-darwin";
-    packages.x86_64-darwin.default = self.packages.x86_64-darwin.agenix;
+    formatter = eachSystem (system: nixpkgs.legacyPackages.${system}.alejandra);

-    formatter.aarch64-darwin = nixpkgs.legacyPackages.aarch64-darwin.alejandra;
-    packages.aarch64-darwin.agenix = agenix "aarch64-darwin";
-    packages.aarch64-darwin.doc = doc "aarch64-darwin";
-    packages.aarch64-darwin.default = self.packages.aarch64-darwin.agenix;
-
-    formatter.aarch64-linux = nixpkgs.legacyPackages.aarch64-linux.alejandra;
-    packages.aarch64-linux.agenix = agenix "aarch64-linux";
-    packages.aarch64-linux.doc = doc "aarch64-linux";
-    packages.aarch64-linux.default = self.packages.aarch64-linux.agenix;
-
-    formatter.i686-linux = nixpkgs.legacyPackages.i686-linux.alejandra;
-    packages.i686-linux.agenix = agenix "i686-linux";
-    packages.i686-linux.doc = doc "i686-linux";
-    packages.i686-linux.default = self.packages.i686-linux.agenix;
-
-    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra;
-    packages.x86_64-linux.agenix = agenix "x86_64-linux";
-    packages.x86_64-linux.default = self.packages.x86_64-linux.agenix;
-    packages.x86_64-linux.doc = doc "x86_64-linux";
+    packages = eachSystem (system: {
+      agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
+      doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;};
+      default = self.packages.${system}.agenix;
+    });

    checks =
      nixpkgs.lib.genAttrs ["aarch64-darwin" "x86_64-darwin"] (system: {
@ -65,7 +49,10 @@
            inherit system;
            modules = [
              ./test/integration_darwin.nix
-              "${darwin.outPath}/pkgs/darwin-installer/installer.nix"
+
+              # Allow new-style nix commands in CI
+              {nix.extraOptions = "experimental-features = nix-command flakes";}
+
              home-manager.darwinModules.home-manager
              {
                home-manager = {
--- a/modules/age-home.nix
+++ b/modules/age-home.nix
@ -48,7 +48,7 @@ with lib; let
    test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"

    mkdir -p "$(dirname "$_truePath")"
-    # shellcheck disable=SC2193
+    # shellcheck disable=SC2193,SC2050
    [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
    (
      umask u=r,g=,o=
@ -60,7 +60,7 @@ with lib; let
    mv -f "$TMP_FILE" "$_truePath"

    ${optionalString secretType.symlink ''
-      # shellcheck disable=SC2193
+      # shellcheck disable=SC2193,SC2050
      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
    ''}
  '';
@ -155,7 +155,7 @@ with lib; let
    '';
 in {
  options.age = {
-    package = mkPackageOption pkgs "rage" {};
+    package = mkPackageOption pkgs "age" {};

    secrets = mkOption {
      type = types.attrsOf secretType;
--- a/modules/age.nix
+++ b/modules/age.nix
@ -69,6 +69,7 @@ with lib; let
    IDENTITIES=()
    for identity in ${toString cfg.identityPaths}; do
      test -r "$identity" || continue
+      test -s "$identity" || continue
      IDENTITIES+=(-i)
      IDENTITIES+=("$identity")
    done
@ -189,9 +190,9 @@ in {
  options.age = {
    ageBin = mkOption {
      type = types.str;
-      default = "${pkgs.rage}/bin/rage";
+      default = "${pkgs.age}/bin/age";
      defaultText = literalExpression ''
-        "''${pkgs.rage}/bin/rage"
+        "''${pkgs.age}/bin/age"
      '';
      description = ''
        The age executable to use.
--- a/pkgs/agenix.nix
+++ b/pkgs/agenix.nix
@ -1,37 +1,62 @@
 {
  lib,
  stdenv,
-  rage,
-  gnused,
+  age,
+  jq,
  nix,
  mktemp,
  diffutils,
  substituteAll,
-  ageBin ? "${rage}/bin/rage",
+  ageBin ? "${age}/bin/age",
  shellcheck,
-}:
-stdenv.mkDerivation rec {
-  pname = "agenix";
-  version = "0.14.0";
-  src = substituteAll {
-    inherit ageBin version;
-    sedBin = "${gnused}/bin/sed";
-    nixInstantiate = "${nix}/bin/nix-instantiate";
-    mktempBin = "${mktemp}/bin/mktemp";
-    diffBin = "${diffutils}/bin/diff";
-    src = ./agenix.sh;
-  };
-  dontUnpack = true;
+}: let
+  bin = "${placeholder "out"}/bin/agenix";
+in
+  stdenv.mkDerivation rec {
+    pname = "agenix";
+    version = "0.15.0";
+    src = substituteAll {
+      inherit ageBin version;
+      jqBin = "${jq}/bin/jq";
+      nixInstantiate = "${nix}/bin/nix-instantiate";
+      mktempBin = "${mktemp}/bin/mktemp";
+      diffBin = "${diffutils}/bin/diff";
+      src = ./agenix.sh;
+    };
+    dontUnpack = true;
+    doInstallCheck = true;
+    installCheckInputs = [shellcheck];
+    postInstallCheck = ''
+      shellcheck ${bin}
+      ${bin} -h | grep ${version}

-  doCheck = true;
-  checkInputs = [shellcheck];
-  postCheck = ''
-    shellcheck $src
-  '';
+      HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+      function cleanup {
+        rm -rf $HOME
+      }
+      trap "cleanup" 0 2 3 15

-  installPhase = ''
-    install -D $src ${placeholder "out"}/bin/agenix
-  '';
+      mkdir -p $HOME/.ssh
+      cp -r "${../example}" $HOME/secrets
+      chmod -R u+rw $HOME/secrets
+      (
+      umask u=rw,g=r,o=r
+      cp ${../example_keys/user1.pub} $HOME/.ssh/id_ed25519.pub
+      chown $UID $HOME/.ssh/id_ed25519.pub
+      )
+      (
+      umask u=rw,g=,o=
+      cp ${../example_keys/user1} $HOME/.ssh/id_ed25519
+      chown $UID $HOME/.ssh/id_ed25519
+      )

-  meta.description = "age-encrypted secrets for NixOS";
-}
+      cd $HOME/secrets
+      test $(${bin} -d secret1.age) = "hello"
+    '';
+
+    installPhase = ''
+      install -D $src ${bin}
+    '';
+
+    meta.description = "age-encrypted secrets for NixOS";
+  }
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@ -115,7 +115,7 @@ function cleanup {
 trap "cleanup" 0 2 3 15

 function keys {
-    (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$1\".publicKeys)" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') | @sedBin@ '/^$/d' || exit 1
+    (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
 }

 function decrypt {
@ -155,7 +155,7 @@ function edit {

    decrypt "$FILE" "$KEYS" || exit 1

-    cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+    [ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"

    [ -t 0 ] || EDITOR='cp /dev/stdin'

@ -171,7 +171,9 @@ function edit {
    ENCRYPT=()
    while IFS= read -r key
    do
-        ENCRYPT+=(--recipient "$key")
+        if [ -n "$key" ]; then
+            ENCRYPT+=(--recipient "$key")
+        fi
    done <<< "$KEYS"

    REENCRYPTED_DIR=$(@mktempBin@ -d)
@ -181,11 +183,13 @@ function edit {

    @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1

-    mv -f "$REENCRYPTED_FILE" "$1"
+    mkdir -p "$(dirname "$FILE")"
+
+    mv -f "$REENCRYPTED_FILE" "$FILE"
 }

 function rekey {
-    FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))"  | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
+    FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)"  | @jqBin@ -r .[]) || exit 1)

    for FILE in $FILES
    do
Author	SHA1	Message	Date
Nathan Henrie	8d37c5bdea	Merge pull request #259 from hansemschnokeloch/patch-1 Fix typo	2024-05-09 15:32:35 -06:00
hansemschnokeloch	63a57d8dfb	Fix typo	2024-05-09 22:25:29 +02:00
Jörg Thalheim	07479c2e73	update link to nixos wiki (#258 )	2024-05-07 10:12:37 -07:00
Ryan Mulligan	24a7ea3905	Merge pull request #256 from spectre256/main fix: allow for newlines in keys	2024-04-26 05:59:12 -07:00
Ellis Gibbons	2c1d1fb134	fix: allow for newlines in keys	2024-04-12 17:50:07 -04:00
Cole Helbling	1381a759b2	Merge pull request #254 from oluceps/fix-doc doc: fix wrong `ssh-keyscan` usage	2024-04-02 10:31:00 -07:00
oluceps	3fd98a2c3b	doc: fix wrong ssh-keyscan usage	2024-04-03 01:00:02 +08:00
Ryan Mulligan	8cb01a0e71	Merge pull request #244 from kraem/fix/rage_to_age_docs fix: update docs for `5c1198a`	2024-02-13 05:27:47 -08:00
kraem	1f62cef426	fix: update docs for `5c1198a`	2024-02-07 08:48:49 +01:00
Ryan Mulligan	417caa847f	Merge pull request #232 from ryantm/rtm-12-23-test dev: reland add direct tests for agenix	2023-12-24 08:04:03 -08:00
Ryan Mulligan	a23aa271be	dev: reland add direct tests for agenix Why === * We'd like some tests for the CLI * Last time we tried it failed on macos What changed === * This time, we try to create the temp diretory in a way that works with macos too	2023-12-23 14:47:15 -08:00
Ryan Mulligan	bc24f2e510	Revert "Revert "contrib: add direct tests for agenix "" This reverts commit `08dc5068e6`.	2023-12-23 14:43:03 -08:00
Ryan Mulligan	457669db42	Merge pull request #230 from ryantm/rtm-12-20-age feat: switch from rage to age	2023-12-23 14:40:41 -08:00
Nathan Henrie	6ce42cc768	Fix CI for darwin nix-darwin is detecting `/etc/nix/nix.conf` from the cachix/install-nix-action and refusing to overwrite it, failing the nix-darwin activation and therefore the rest of CI. This commit `mv`s the existing `nix.conf` to avoid the above, and then adds support for new-style nix commands and flakes to the nix-darwin configuration to allow their subsequent use in CI. It also removes the nix config from the `cachix/install-nix-action` step, which was duplicated effort since we are blowing it away with nix-darwin anyway. Relevant: - https://github.com/LnL7/nix-darwin/issues/149	2023-12-23 14:10:44 -08:00
Ryan Mulligan	23d4d5d291	maybe this fixes darwin checks?	2023-12-23 14:10:06 -08:00
Ryan Mulligan	b6aa6180db	test removing installer	2023-12-23 14:10:06 -08:00
Ryan Mulligan	58017c0c93	update inputs	2023-12-23 14:10:06 -08:00
Ryan Mulligan	bd86c06961	fix doc build	2023-12-23 14:10:02 -08:00
Ryan Mulligan	eb3b5cf4fd	update nixpkgs	2023-12-23 14:09:16 -08:00
Ryan Mulligan	5c1198a352	feat: switch from rage to age Why === * Someone said age works better with password protected keys, requiring entering the password less often. * We switched to rage from age in `07ce686870` because it was limiting recipients to 20. This was fixed https://github.com/FiloSottile/age/issues/139 What changed === * Switch from rage back to age (the reference implementation) in all the spots * Update the docs to show how to switch back to Rage * Skip keys that are empty files, which fixes the integration test.	2023-12-23 14:09:16 -08:00
Ryan Mulligan	9bc80dc4ce	Merge pull request #229 from ryantm/rtm-12-20-flake dev: remove i686 support; simplify flake	2023-12-23 14:08:24 -08:00
Ryan Mulligan	d0d4ad5be6	Merge pull request #231 from ryantm/revert-163-rtm-2-21-recursive-nix Revert "contrib: add direct tests for agenix "	2023-12-22 07:48:36 -08:00
Ryan Mulligan	08dc5068e6	Revert "contrib: add direct tests for agenix "	2023-12-22 07:48:06 -08:00
Ryan Mulligan	17090d105a	Merge pull request #163 from ryantm/rtm-2-21-recursive-nix contrib: add direct tests for agenix	2023-12-20 13:19:59 -08:00
Ryan Mulligan	097aa18b59	contrib: add direct tests for agenix These tests are MUCH faster than the NixOS tests.	2023-12-20 13:06:57 -08:00
Ryan Mulligan	344f985526	dev: remove i686 support; simplify flake Why === * flake.nix had a lot of almost redundant lines in it. * i686 support is probably being dropped soon in nixpkgs https://github.com/NixOS/nixpkgs/pull/266164 What changed == * Add new input nix-systems/default which represents the default systems typically used in the Nix community * Define and use an eachSystem function that simplifies the flake.nix file	2023-12-20 08:56:05 -08:00
Ryan Mulligan	564595d0ad	version 0.15.0	2023-12-20 08:33:16 -08:00
Ryan Mulligan	b7e0494b10	Merge pull request #224 from SamueleFacenda/SamueleFacenda-change-keys-functions Update keys functions in agenix.sh	2023-12-20 08:17:38 -08:00
Samuele Facenda	9d3b37a117	fix: update keys functions in agenix.sh The functions was always called with `$FILE` as first argument, but inside the argument is ignored. This change doesn' have any impact, but can solve problems caused by the keys function called with an argument different from `$FILE`	2023-12-20 08:08:56 -08:00
Ryan Mulligan	93cec0ce6e	dev: add security label category	2023-12-20 08:03:06 -08:00
Ryan Mulligan	221a1f22e5	dev: add release-drafter	2023-12-20 07:52:23 -08:00
Ryan Mulligan	6cb7cd66c2	Merge pull request #221 from CobaltCause/edit-mkdir-p create leading directories if they don't exist	2023-12-20 07:42:34 -08:00
Ryan Mulligan	13ac9ac6d6	Merge pull request #176 from shivak/patch-1 only backup cleartext file if it exists	2023-11-28 16:08:36 -08:00
Shiva Kaul	4c48606094	only backup cleartext file if it exists Avoids complaints from `cp` about nonexistent files.	2023-11-28 16:05:48 -08:00
Charles Hall	65fe5959c3	create leading directories if they don't exist This works for files without directories too because `dirname` prints `.` in that case.	2023-11-03 15:25:24 -07:00
Charles Hall	05591973d7	use named variable instead of numbered one	2023-11-03 14:53:33 -07:00
Ryan Mulligan	daf42cb35b	Merge pull request #208 from ryantm/revert-206-feature/remove-trailing-newlines-from-keys Revert "feat: remove empty newlines from jq query"	2023-10-08 07:32:09 -07:00
Ryan Mulligan	dbc533ddc2	Revert "feat: remove empty newlines from jq query"	2023-10-08 07:31:54 -07:00
Ryan Mulligan	e2f339274d	Merge pull request #206 from timhae/feature/remove-trailing-newlines-from-keys feat: remove empty newlines from jq query	2023-10-08 05:25:24 -07:00
Tim Häring	b5fa96a90e	feat: remove empty newlines from jq query When you do not have your pubkeys in your `secrets.nix` verbatim as string but read them from file like this: `desktop1 = builtins.readFile ./desktop1.pub;`, you will end up with empty newlines in the resulting list of keys, which will add `--recipient=''` arguments to your age call, failing the call.	2023-10-08 14:18:54 +02:00
Ryan Mulligan	1f677b3e16	Merge pull request #202 from WillPower3309/main fix: add --strict nix-instantiate to support builtins.readFile	2023-09-22 05:13:16 -07:00
William McKinnon	115e561054	fix: add --strict nix-instantiate to support builtins.readFile	2023-09-22 01:32:46 -04:00
Ryan Mulligan	7f9dfa309f	Merge pull request #148 from n8henrie/sed_vs_jq contrib: use jq instead of sed	2023-09-21 16:33:52 -07:00
Nathan Henrie	da763b2c4b	Don't need concatStringSep if using jq to parse json arrays	2023-09-15 16:22:30 -06:00
Nathan Henrie	eb1386f3b2	Use jq instead of sed	2023-09-15 11:56:22 -06:00
Ryan Mulligan	572baca9b0	Merge pull request #199 from n8henrie/fix-darwin-ci fix: update cachix installer to fix darwin CI	2023-09-15 09:02:43 -07:00
Nathan Henrie	b76899f4c1	Update nix installer Fixes https://github.com/ryantm/agenix/issues/198	2023-09-15 08:26:02 -06:00
Nathan Henrie	7f30f9b4b3	Revert "dev: try switching to determinate systems installer action" This reverts commit `2ed2dc7582`.	2023-09-15 07:53:36 -06:00
Nathan Henrie	da5d6f05f9	Merge pull request #195 from Eisfunke/fix-home-shellcheck fix(home): shellcheck failure for fixed secretsDir	2023-09-15 07:40:28 -06:00
Ryan Mulligan	20deb735cc	Merge pull request #197 from ryantm/rtm-9-14-try-to-fix-ci dev: try switching to determinate systems installer action	2023-09-14 16:42:44 -07:00
Ryan Mulligan	2ed2dc7582	dev: try switching to determinate systems installer action	2023-09-14 16:37:58 -07:00
Nicolas Lenz	fe4f564f13	fix(home): shellcheck failure for fixed secretsDir	2023-09-09 16:46:53 +02:00