
Refuse age keyfile paths that are in the nix store

This commit is contained in:
the-furry-hubofeverything 2024-04-16 17:07:24 -07:00 committed by mergify[bot]
parent 7f49111254
commit 74f03c1a51
3 changed files with 62 additions and 10 deletions


@ -62,6 +62,14 @@ let
};
});
pathNotInStore = lib.mkOptionType {
name = "pathNotInStore";
description = "path not in the Nix store";
descriptionClass = "noun";
check = x: !lib.path.hasStorePathPrefix x;
merge = lib.mergeEqualOption;
};
manifestFor = suffix: secrets: pkgs.writeTextFile {
name = "manifest${suffix}.json";
text = builtins.toJSON {
@ -166,7 +174,7 @@ in {
age = {
keyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
type = lib.types.nullOr pathNotInStore;
default = null;
example = "/home/someuser/.age-key.txt";
description = ''
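Review bot: The `check = x: !lib.path.hasStorePathPrefix x;` in this file's `pathNotInStore` hands the option value straight to `lib.path.hasStorePathPrefix`, which expects a path value and, as I read nixpkgs, asserts rather than returning false when given a string — so a user who follows this option's own `example` ("/home/someuser/.age-key.txt") gets an assertion failure instead of a clean type error. The second file's definition coerces first with `(/. + x)`; this one should use the same form. Both definitions also drop the validation `lib.types.path` performed (a string-like value starting with `/`), so a relative string is now silently accepted once `/.` is prepended; `check = x: lib.types.path.check x && !lib.path.hasStorePathPrefix (/. + x);` keeps the old validation and adds the store-prefix test, and works for both files.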


@ -10,6 +10,14 @@ let
};
manifest = manifestFor "" regularSecrets {};
pathNotInStore = lib.mkOptionType {
name = "pathNotInStore";
description = "path not in the Nix store";
descriptionClass = "noun";
check = x: !lib.path.hasStorePathPrefix (/. + x);
merge = lib.mergeEqualOption;
};
regularSecrets = lib.filterAttrs (_: v: !v.neededForUsers) cfg.secrets;
sysusersEnabled = options.systemd ? sysusers && config.systemd.sysusers.enable;
@ -237,7 +245,7 @@ in {
age = {
keyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
type = lib.types.nullOr pathNotInStore;
default = null;
example = "/var/lib/sops-nix/key.txt";
description = ''
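Review bot: The `keyFile` option's `description` (its body continues outside the hunk) does not mention the new restriction, so the only hint a user gets is the type name in the error. It should say that a value inside the Nix store is rejected and why, e.g. "The path must not be inside the Nix store: store paths are world-readable, so a key placed there would be exposed to every local user." It is also worth a sentence that the check only looks at the path string, so a file outside the store that merely symlinks into it is not detected — the type is a guard against the common mistake, not a guarantee.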


@ -9,7 +9,7 @@ let
extraConfig
];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key.neededForUsers = true;
secrets."nested/test/file".owner = "example-user";
@ -70,12 +70,18 @@ in {
nodes.machine = { lib, ... }: {
imports = [ ../../modules/sops ];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = { };
keepGenerations = lib.mkDefault 0;
};
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
specialisation.pruning.configuration.sops.keepGenerations = 10;
};
@ -108,13 +114,19 @@ in {
age-keys = makeTest {
name = "sops-age-keys";
nodes.machine = {
nodes.machine = { lib, ... }: {
imports = [ ../../modules/sops ];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = { };
};
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
};
testScript = ''
@ -213,14 +225,20 @@ in {
templates = makeTest {
name = "sops-templates";
nodes.machine = { config, ... }: {
nodes.machine = { config, lib, ... }: {
imports = [ ../../modules/sops ];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = { };
};
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
sops.templates.test_template = {
content = ''
This line is not modified.
@ -275,7 +293,7 @@ in {
imports = [ ../../modules/sops ];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
secrets.test_key = {
restartUnits = [ "restart-unit.service" "reload-unit.service" ];
@ -283,6 +301,12 @@ in {
};
};
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
systemd.services."restart-unit" = {
description = "Restart unit";
# not started on boot
@ -380,7 +404,13 @@ in {
inherit (pkgs) system;
};
user-passwords = userPasswordTest "sops-user-passwords" {};
user-passwords = userPasswordTest "sops-user-passwords" {
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
};
} // pkgs.lib.optionalAttrs (pkgs.lib.versionAtLeast (pkgs.lib.versions.majorMinor pkgs.lib.version) "24.05") {
user-passwords-sysusers = userPasswordTest "sops-user-passwords-sysusers" {
systemd.sysusers.enable = true;
@ -388,5 +418,11 @@ in {
system.etc.overlay.enable = true;
boot.initrd.systemd.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
};
}
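Review bot: In the last hunk, `printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt` uses the key file's contents as printf's format string, so any `%`, backslash sequence or single quote in a key file would be mangled or break the quoting, and it diverges from the `cp` form the other tests use; since the fixture ends up in the store either way, `cp ${./test-assets/age-keys.txt} /run/age-keys.txt` is simpler and consistent. `chmod -R 700` on a regular file also sets the execute bit; `chmod 600 /run/age-keys.txt` matches the intent and the `-R` is unnecessary for a single file. The same five-line postDeviceCommands block is repeated in every test node; a shared attribute would stop the initrd and preStart variants from drifting. The sysusers test's attrset starts before this hunk.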