
Import age ssh keys by default

This commit is contained in:
Janne Heß 2021-08-28 12:37:10 +02:00
parent 44d91e885e
commit 4568162629
No known key found for this signature in database
GPG key ID: 69165158F05265DF
2 changed files with 9 additions and 10 deletions


@ -140,7 +140,7 @@ in {
example = "/var/lib/sops-nix/key.txt";
description = ''
Path to age key file used for sops decryption.
Setting this to a non-null value causes age to be used instead of gnupg.
Setting this to a non-null value causes the ssh keys to be ignored.
'';
};
@ -156,12 +156,10 @@ in {
sshKeyPaths = mkOption {
type = types.listOf types.path;
default = []; # If we set this like the gnupg option, we would use ed25519 by default
default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
description = ''
Path to ssh keys added as age keys during sops description.
This option must be explicitly unset if <literal>config.sops.age.keyFile</literal> is set.
Setting this to a non-empty list causes age to be used instead of gnupg.
Paths to ssh keys added as age keys during sops description.
This setting is ignored when the keyFile is set to a non-null value.
'';
};
};
@ -196,9 +194,6 @@ in {
assertions = [{
assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
} {
assertion = (cfg.age.keyFile != null || cfg.age.sshKeyPaths != []) -> (cfg.age.sshKeyPaths != []) != (cfg.age.keyFile != null);
message = "sops.age.keyFile is mutually exclusive with sops.age.sshKeyPaths";
}] ++ optionals cfg.validateSopsFiles (
concatLists (mapAttrsToList (name: secret: [{
assertion = builtins.pathExists secret.sopsFile;
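Review bot: The new `default =` for `sshKeyPaths` in the second hunk makes the derived ed25519 host-key list non-empty on every machine with `services.openssh.enable`, and the gnupg assertion in the third hunk is only evaluated while `cfg.age.sshKeyPaths == []`, so a deployment that relies on `sops.gnupg.home` with openssh enabled appears to lose that assertion and, if mode selection elsewhere keys off a non-empty list (the removed description line said it did), may silently switch to decrypting with the host key. Whether that switch actually occurs depends on code outside these hunks, but the option description should state the consequence either way: `Defaults to the ed25519 host keys of services.openssh when it is enabled; set this to [] to keep using gnupg.` The new description text also carries over `during sops description` from the removed line, which should read `during sops decryption`, and `when the keyFile is set` should name the option, `when sops.age.keyFile is set`. The third hunk drops the keyFile/sshKeyPaths exclusivity assertion without a visible replacement, so the precedence the new description promises (`keyFile` wins) is documented but not enforced anywhere in this change.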


@ -47,8 +47,12 @@
name = "sops-age-ssh-keys";
machine = {
imports = [ ../../modules/sops ];
services.openssh.enable = true;
services.openssh.hostKeys = [{
type = "ed25519";
path = ./test-assets/ssh-ed25519-key;
}];
sops = {
age.sshKeyPaths = [ ./test-assets/ssh-ed25519-key ];
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = {};
};
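Review bot: The rewritten `sops-age-ssh-keys` test only exercises the happy path of the new default, openssh enabled with a single ed25519 key at `./test-assets/ssh-ed25519-key`, so neither the case where only non-ed25519 host keys exist (the default then resolves to `[]`) nor the documented precedence of `sops.age.keyFile` over the derived list is covered; a second machine setting `age.keyFile` next to the host key would pin that behaviour. Leaving `age.sshKeyPaths` unset is what gives this test its meaning, so a comment above `services.openssh.hostKeys` such as `# age.sshKeyPaths is deliberately left at its default to test host-key discovery` would stop a future edit from re-adding the explicit list. The test attribute set this hunk belongs to starts before the hunk.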