
Import age keyfile and ssh keys at the same time

This commit is contained in:
Janne Heß 2021-09-30 15:06:06 +02:00
parent a3e3dc7710
commit 5db02f2939
No known key found for this signature in database
GPG key ID: 69165158F05265DF
2 changed files with 31 additions and 17 deletions


@ -140,7 +140,6 @@ in {
example = "/var/lib/sops-nix/key.txt"; example = "/var/lib/sops-nix/key.txt";
description = '' description = ''
Path to age key file used for sops decryption. Path to age key file used for sops decryption.
Setting this to a non-null value causes the ssh keys to be ignored.
''; '';
}; };
@ -159,7 +158,6 @@ in {
default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else []; default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
description = '' description = ''
Paths to ssh keys added as age keys during sops description. Paths to ssh keys added as age keys during sops description.
This setting is ignored when the keyFile is set to a non-null value.
''; '';
}; };
}; };


@ -519,14 +519,7 @@ func importSSHKeys(keyPaths []string, gpgHome string) error {
return nil return nil
} }
func importAgeSSHKeys(keyPaths []string, ageFilePath string) error { func importAgeSSHKeys(keyPaths []string, ageFile os.File) error {
ageFile, err := os.OpenFile(ageFilePath, os.O_WRONLY|os.O_CREATE, 0600)
if err != nil {
return fmt.Errorf("Cannot create '%s': %w", ageFilePath, err)
}
defer ageFile.Close()
fmt.Fprintf(ageFile, "# generated by sops-nix at %s\n", time.Now().Format(time.RFC3339))
for _, p := range keyPaths { for _, p := range keyPaths {
// Read the key // Read the key
sshKey, err := ioutil.ReadFile(p) sshKey, err := ioutil.ReadFile(p)
@ -645,15 +638,38 @@ func installSecrets(args []string) error {
os.Setenv("GNUPGHOME", manifest.GnupgHome) os.Setenv("GNUPGHOME", manifest.GnupgHome)
} }
if manifest.AgeKeyFile != "" { // Import age keys
os.Setenv("SOPS_AGE_KEY_FILE", manifest.AgeKeyFile) if len(manifest.AgeSshKeyPaths) != 0 || manifest.AgeKeyFile != "" {
} else if len(manifest.AgeSshKeyPaths) != 0 {
keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt") keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
err = importAgeSSHKeys(manifest.AgeSshKeyPaths, keyfile)
if err != nil {
return err
}
os.Setenv("SOPS_AGE_KEY_FILE", keyfile) os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
// Create the keyfile
ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("Cannot create '%s': %w", keyfile, err)
}
defer ageFile.Close()
fmt.Fprintf(ageFile, "# generated by sops-nix at %s\n", time.Now().Format(time.RFC3339))
// Import SSH keys
if len(manifest.AgeSshKeyPaths) != 0 {
err = importAgeSSHKeys(manifest.AgeSshKeyPaths, *ageFile)
if err != nil {
return err
}
}
// Import the keyfile
if manifest.AgeKeyFile != "" {
// Read the keyfile
contents, err := ioutil.ReadFile(manifest.AgeKeyFile)
if err != nil {
return fmt.Errorf("Cannot read keyfile '%s': %w", manifest.AgeKeyFile, err)
}
// Append it to the file
_, err = ageFile.WriteString(string(contents) + "\n")
if err != nil {
return fmt.Errorf("Cannot write key to age file: %w", err)
}
}
} }
if err := decryptSecrets(manifest.Secrets); err != nil { if err := decryptSecrets(manifest.Secrets); err != nil {
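Review bot: In the `installSecrets` hunk, `os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` applies the 0600 mode only when the file is newly created, so if `age-keys.txt` already exists under `SecretsMountPoint` with wider permissions, `O_TRUNC` keeps them while the SSH-derived keys and the copied `AgeKeyFile` contents are written into it; an explicit `ageFile.Chmod(0600)` right after the open (or removing any stale file first) pins the mode regardless of prior state. The header write on the following line, `fmt.Fprintf(ageFile, ...)`, discards its error, and the deferred `ageFile.Close()` keeps the descriptor open across `decryptSecrets` and drops its error too; checking the write and closing the file before decryption turns a truncated or unwritable key file into a clear failure instead of an opaque sops error. In the `importAgeSSHKeys` hunk the new parameter is `ageFile os.File` and the call site dereferences with `*ageFile`, which copies the struct; `func importAgeSSHKeys(keyPaths []string, ageFile io.Writer) error {` together with `err = importAgeSSHKeys(manifest.AgeSshKeyPaths, ageFile)` avoids the copy and lets the function be exercised against a `bytes.Buffer` (adding the `io` import if the file lacks it). `installSecrets` starts before this hunk; its opening lines are not visible here.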