
Import age ssh keys by default

This commit is contained in:
Janne Heß 2021-08-28 12:37:10 +02:00
parent 44d91e885e
commit 4568162629
No known key found for this signature in database
GPG key ID: 69165158F05265DF
2 changed files with 9 additions and 10 deletions


@ -140,7 +140,7 @@ in {
example = "/var/lib/sops-nix/key.txt"; example = "/var/lib/sops-nix/key.txt";
description = '' description = ''
Path to age key file used for sops decryption. Path to age key file used for sops decryption.
Setting this to a non-null value causes age to be used instead of gnupg. Setting this to a non-null value causes the ssh keys to be ignored.
''; '';
}; };
@ -156,12 +156,10 @@ in {
sshKeyPaths = mkOption { sshKeyPaths = mkOption {
type = types.listOf types.path; type = types.listOf types.path;
default = []; # If we set this like the gnupg option, we would use ed25519 by default default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
description = '' description = ''
Path to ssh keys added as age keys during sops description. Paths to ssh keys added as age keys during sops description.
This option must be explicitly unset if <literal>config.sops.age.keyFile</literal> is set. This setting is ignored when the keyFile is set to a non-null value.
Setting this to a non-empty list causes age to be used instead of gnupg.
''; '';
}; };
}; };
@ -196,9 +194,6 @@ in {
assertions = [{ assertions = [{
assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []); assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode"; message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
} {
assertion = (cfg.age.keyFile != null || cfg.age.sshKeyPaths != []) -> (cfg.age.sshKeyPaths != []) != (cfg.age.keyFile != null);
message = "sops.age.keyFile is mutually exclusive with sops.age.sshKeyPaths";
}] ++ optionals cfg.validateSopsFiles ( }] ++ optionals cfg.validateSopsFiles (
concatLists (mapAttrsToList (name: secret: [{ concatLists (mapAttrsToList (name: secret: [{
assertion = builtins.pathExists secret.sopsFile; assertion = builtins.pathExists secret.sopsFile;
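Review bot: The gnupg-mode assertion on the unchanged `assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> ...` line is now skipped on every host with `services.openssh.enable` and an ed25519 host key, because the new default makes `cfg.age.sshKeyPaths` non-empty without the user touching it, so a configuration that sets `sops.gnupg.home` or `sops.gnupg.sshKeyPaths` and intends gnupg mode is no longer validated (and the removed mutual-exclusion assertion was the only other place that told an explicit setting apart from a default). The guard should key on whether the option was actually defined rather than on the list being empty, e.g. `(cfg.age.keyFile == null && !options.sops.age.sshKeyPaths.isDefined) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == [])`, assuming the module receives `options`; which key source the module ultimately prefers when both age and gnupg are configured is not visible in this hunk, so confirm against the decryption code. The new default also means the sshd host key doubles as the sops decryption key on every openssh-enabled host, a trust-boundary change the `sshKeyPaths` description should state explicitly, for example `By default the ed25519 host keys of services.openssh are used, so the protection of those host keys now bounds the confidentiality of all age-encrypted secrets.` Both descriptions still read `during sops description`, which looks like a typo for `decryption`.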


@ -47,8 +47,12 @@
name = "sops-age-ssh-keys"; name = "sops-age-ssh-keys";
machine = { machine = {
imports = [ ../../modules/sops ]; imports = [ ../../modules/sops ];
services.openssh.enable = true;
services.openssh.hostKeys = [{
type = "ed25519";
path = ./test-assets/ssh-ed25519-key;
}];
sops = { sops = {
age.sshKeyPaths = [ ./test-assets/ssh-ed25519-key ];
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = {}; secrets.test_key = {};
}; };
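Review bot: Dropping the explicit `age.sshKeyPaths = [ ./test-assets/ssh-ed25519-key ];` leaves this test covering only the openssh-derived default, so the explicit-path configuration that hosts with `services.openssh.enable = false` depend on is no longer exercised anywhere visible here. Consider keeping a second machine or test that sets `sops.age.sshKeyPaths` directly with openssh disabled, so a regression in either the default expression or the explicit path is caught separately. The test attribute set continues past the end of this hunk.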