mirrors/sops-nix
mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-05 16:17:47 +00:00
Code Activity

Fixup review comments

Browse source
This commit is contained in:
Janne Heß 2022-07-04 20:34:57 +02:00 committed by Pogobanane
parent acaf36a1bf
commit 3afa9ca553
2 changed files with 46 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
README.md
View file

@ -61,7 +61,7 @@ If you use experimental nix flakes support:
inputs.sops-nix.url = github:Mic92/sops-nix; inputs.sops-nix.url = github:Mic92/sops-nix;
# optional, not necessary for the module # optional, not necessary for the module
#inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs"; #inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, sops-nix }: { outputs = { self, nixpkgs, sops-nix }: {
# change `yourhostname` to your actual hostname # change `yourhostname` to your actual hostname
nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem { nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {
@ -714,7 +714,7 @@ $ head krb5.keytab
"mac": "ENC[AES256_GCM,data:ISjUzaw/5mNiwypmUrOk2DAZnlkbnhURHmTTYA3705NmRsSyUh1PyQvCuwglmaHscwl4GrsnIz4rglvwx1zYa+UUwanR0+VeBqntHwzSNiWhh7qMAQwdUXmdCNiOyeGy6jcSDsXUeQmyIWH6yibr7hhzoQFkZEB7Wbvcw6Sossk=,iv:UilxNvfHN6WkEvfY8ZIJCWijSSpLk7fqSCWh6n8+7lk=,tag:HUTgyL01qfVTCNWCTBfqXw==,type:str]", "mac": "ENC[AES256_GCM,data:ISjUzaw/5mNiwypmUrOk2DAZnlkbnhURHmTTYA3705NmRsSyUh1PyQvCuwglmaHscwl4GrsnIz4rglvwx1zYa+UUwanR0+VeBqntHwzSNiWhh7qMAQwdUXmdCNiOyeGy6jcSDsXUeQmyIWH6yibr7hhzoQFkZEB7Wbvcw6Sossk=,iv:UilxNvfHN6WkEvfY8ZIJCWijSSpLk7fqSCWh6n8+7lk=,tag:HUTgyL01qfVTCNWCTBfqXw==,type:str]",
"pgp": [ "pgp": [
{ {
``` ```
It can be decrypted again like this: It can be decrypted again like this:
@ -741,31 +741,51 @@ This module provides a subset of features provided by the system-wide sops-nix s
Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`. Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`.
And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`. And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`.
**Since the secrets are decryted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` if your distribution does not do that.**
Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way.
This example show the `channel` approach from the usage example above for simplicity, but all other methods work as well.
Usage example:
```nix ```nix
{ {
# NixOS home-manager configuration # NixOS system-wide home-manager configuration
home-manager.sharedModules = [ home-manager.sharedModules = [
/path/to/sops-nix/modules/home-manager/sops.nix <sops-nix/modules/home-manager/sops.nix>
]; ];
}
```
```nix
{
# Configuration via home.nix # Configuration via home.nix
imports = [ imports = [
/path/to/sops-nix/modules/home-manager/sops.nix <sops-nix/modules/home-manager/sops.nix>
]; ];
}
```
# Configuration of secrets The actual sops configuration is in the `sops` namespace in your home.nix (or in the `home-manager.users.<name>` namespace when using home-manager system-wide):
```nix
{
sops = { sops = {
age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ]; # must have no password! age.keyFile = "/home/user/.age-key.txt" ]; # must have no password!
# It's alos possible to use a ssh key, but only when it has no password:
#age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
sops.secrets.test = { sops.secrets.test = {
sopsFile = ./secrets.yml.enc; sopsFile = ./secrets.yml.enc;
path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR, use %% to specify a '%' sign
}; };
}; };
} }
``` ```
The secrets are decrypted in a systemd user service called `sops-nix`, so other services needing secrets must order after it:
```nix
{
systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
}
```
## Use with GPG instead of SSH keys ## Use with GPG instead of SSH keys
If you prefer having a separate GPG key, sops-nix also comes with a helper tool, `sops-init-gpg-key`: If you prefer having a separate GPG key, sops-nix also comes with a helper tool, `sops-init-gpg-key`:

21
pkgs/sops-install-secrets/main.go
View file

@ -907,6 +907,19 @@ func parseFlags(args []string) (*options, error) {
return &opts, nil return &opts, nil
} }
func replaceRuntimeDir(path, rundir string) (ret string) {
parts := strings.Split(path, "%%")
first := true
for _, part := range parts {
if !first {
ret += "%"
}
first = false
ret += strings.ReplaceAll(part, "%r", rundir)
}
return
}
func installSecrets(args []string) error { func installSecrets(args []string) error {
opts, err := parseFlags(args) opts, err := parseFlags(args)
if err != nil { if err != nil {
@ -921,13 +934,13 @@ func installSecrets(args []string) error {
if manifest.UserMode { if manifest.UserMode {
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR") rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
if !ok { if !ok {
rundir = fmt.Sprintf("/run/user/%d", os.Getuid()) return fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
} }
manifest.SecretsMountPoint = strings.ReplaceAll(manifest.SecretsMountPoint, "%r", rundir) manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
manifest.SymlinkPath = strings.ReplaceAll(manifest.SymlinkPath, "%r", rundir) manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir)
var newSecrets []secret var newSecrets []secret
for _, secret := range manifest.Secrets { for _, secret := range manifest.Secrets {
secret.Path = strings.ReplaceAll(secret.Path, "%r", rundir) secret.Path = replaceRuntimeDir(secret.Path, rundir)
newSecrets = append(newSecrets, secret) newSecrets = append(newSecrets, secret)
} }
manifest.Secrets = newSecrets manifest.Secrets = newSecrets