mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00

move checks out of pkgs

Jörg Thalheim 2024-11-17 15:08:13 +01:00 committed by Jörg Thalheim
parent 420737291e
commit 799b572ef1
3 changed files with 34 additions and 35 deletions


@ -1,5 +1,7 @@
{ lib, testers }: { lib, testers }:
let let
testAssets = ../pkgs/sops-install-secrets/test-assets;
userPasswordTest = userPasswordTest =
name: extraConfig: name: extraConfig:
testers.runNixOSTest { testers.runNixOSTest {
@ -8,12 +10,12 @@ let
{ config, lib, ... }: { config, lib, ... }:
{ {
imports = [ imports = [
../../modules/sops ../modules/sops
extraConfig extraConfig
]; ];
sops = { sops = {
age.keyFile = "/run/age-keys.txt"; age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key.neededForUsers = true; secrets.test_key.neededForUsers = true;
secrets."nested/test/file".owner = "example-user"; secrets."nested/test/file".owner = "example-user";
}; };
@ -58,16 +60,16 @@ in
nodes.server = nodes.server =
{ ... }: { ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.hostKeys = [ services.openssh.hostKeys = [
{ {
type = "rsa"; type = "rsa";
bits = 4096; bits = 4096;
path = ./test-assets/ssh-key; path = testAssets + "/ssh-key";
} }
]; ];
sops.defaultSopsFile = ./test-assets/secrets.yaml; sops.defaultSopsFile = testAssets + "/secrets.yaml";
sops.secrets.test_key = { }; sops.secrets.test_key = { };
}; };
@ -82,17 +84,17 @@ in
nodes.machine = nodes.machine =
{ lib, ... }: { lib, ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
sops = { sops = {
age.keyFile = "/run/age-keys.txt"; age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { }; secrets.test_key = { };
keepGenerations = lib.mkDefault 0; keepGenerations = lib.mkDefault 0;
}; };
# must run before sops sets up keys # must run before sops sets up keys
boot.initrd.postDeviceCommands = '' boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
@ -128,10 +130,10 @@ in
nodes.machine = nodes.machine =
{ config, ... }: { config, ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
sops = { sops = {
age.keyFile = "/run/age-keys.txt"; age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets = { secrets = {
test_key = { }; test_key = { };
@ -166,7 +168,7 @@ in
# must run before sops sets up keys # must run before sops sets up keys
boot.initrd.postDeviceCommands = '' boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
}; };
@ -196,17 +198,17 @@ in
age-ssh-keys = testers.runNixOSTest { age-ssh-keys = testers.runNixOSTest {
name = "sops-age-ssh-keys"; name = "sops-age-ssh-keys";
nodes.machine = { nodes.machine = {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.hostKeys = [ services.openssh.hostKeys = [
{ {
type = "ed25519"; type = "ed25519";
path = ./test-assets/ssh-ed25519-key; path = testAssets + "/ssh-ed25519-key";
} }
]; ];
sops = { sops = {
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { }; secrets.test_key = { };
# Generate a key and append it to make sure it appending doesn't break anything # Generate a key and append it to make sure it appending doesn't break anything
age = { age = {
@ -227,7 +229,7 @@ in
nodes.server = nodes.server =
{ lib, config, ... }: { lib, config, ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
users.users.someuser = { users.users.someuser = {
isSystemUser = true; isSystemUser = true;
@ -235,7 +237,7 @@ in
}; };
sops.gnupg.home = "/run/gpghome"; sops.gnupg.home = "/run/gpghome";
sops.defaultSopsFile = ./test-assets/secrets.yaml; sops.defaultSopsFile = testAssets + "/secrets.yaml";
sops.secrets.test_key.owner = config.users.users.someuser.name; sops.secrets.test_key.owner = config.users.users.someuser.name;
sops.secrets."nested/test/file".owner = config.users.users.someuser.name; sops.secrets."nested/test/file".owner = config.users.users.someuser.name;
sops.secrets.existing-file = { sops.secrets.existing-file = {
@ -244,7 +246,7 @@ in
}; };
# must run before sops # must run before sops
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] '' system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
cp -r ${./test-assets/gnupghome} /run/gpghome cp -r ${testAssets + "/gnupghome"} /run/gpghome
chmod -R 700 /run/gpghome chmod -R 700 /run/gpghome
touch /run/existing-file touch /run/existing-file
@ -254,7 +256,7 @@ in
#environment.variables = { #environment.variables = {
# GNUPGHOME = "/run/gpghome"; # GNUPGHOME = "/run/gpghome";
# SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg"; # SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
# SOPSFILE = "${./test-assets/secrets.yaml}"; # SOPSFILE = "${testAssets + "/secrets.yaml"}";
#}; #};
}; };
testScript = '' testScript = ''
@ -282,10 +284,10 @@ in
nodes.machine = nodes.machine =
{ config, ... }: { config, ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
sops = { sops = {
age.keyFile = "/run/age-keys.txt"; age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { }; secrets.test_key = { };
# Verify that things work even with `neededForUsers` secrets. See # Verify that things work even with `neededForUsers` secrets. See
@ -295,7 +297,7 @@ in
# must run before sops sets up keys # must run before sops sets up keys
boot.initrd.postDeviceCommands = '' boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
@ -361,11 +363,11 @@ in
nodes.machine = nodes.machine =
{ config, ... }: { config, ... }:
{ {
imports = [ ../../modules/sops ]; imports = [ ../modules/sops ];
sops = { sops = {
age.keyFile = "/run/age-keys.txt"; age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml; defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { secrets.test_key = {
restartUnits = [ restartUnits = [
"restart-unit.service" "restart-unit.service"
@ -390,7 +392,7 @@ in
# must run before sops sets up keys # must run before sops sets up keys
boot.initrd.postDeviceCommands = '' boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
@ -551,7 +553,7 @@ in
user-passwords = userPasswordTest "sops-user-passwords" { user-passwords = userPasswordTest "sops-user-passwords" {
# must run before sops sets up keys # must run before sops sets up keys
boot.initrd.postDeviceCommands = '' boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
}; };
@ -568,7 +570,7 @@ in
# must run before sops sets up keys # must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = '' systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
} }
@ -586,7 +588,7 @@ in
# must run before sops sets up keys # must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = '' systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt printf '${builtins.readFile testAssets + "/age-keys.txt"}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt chmod -R 700 /run/age-keys.txt
''; '';
} }
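Review bot: The last hunk's new printf line, `printf '${builtins.readFile testAssets + "/age-keys.txt"}' > /run/age-keys.txt`, parses as `(builtins.readFile testAssets) + "/age-keys.txt"` because function application binds tighter than `+` in Nix, so readFile is handed the test-assets directory instead of the key file and the test fails at evaluation. The preceding hunk writes the same line correctly with parentheses, so this one should read `printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt`. The enclosing test definition starts and ends outside the hunk.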


@ -80,11 +80,14 @@
checks = eachSystem ( checks = eachSystem (
{ pkgs, system, ... }: { pkgs, system, ... }:
let let
tests = self.packages.${system}.sops-install-secrets.tests;
packages-stable = import ./default.nix { packages-stable = import ./default.nix {
pkgs = privateInputs.nixpkgs-stable.legacyPackages.${system}; pkgs = privateInputs.nixpkgs-stable.legacyPackages.${system};
}; };
tests-stable = packages-stable.sops-install-secrets.tests; dropOverride = attrs: nixpkgs.lib.removeAttrs attrs [ "override" ];
tests = dropOverride (pkgs.callPackage ./checks/nixos-test.nix { });
tests-stable = dropOverride (
privateInputs.nixpkgs-stable.legacyPackages.${system}.callPackage ./checks/nixos-test.nix { }
);
suffix-version = suffix-version =
version: attrs: version: attrs:
nixpkgs.lib.mapAttrs' (name: value: nixpkgs.lib.nameValuePair (name + version) value) attrs; nixpkgs.lib.mapAttrs' (name: value: nixpkgs.lib.nameValuePair (name + version) value) attrs;
@ -105,7 +108,6 @@
darwinConfigurations.sops-arm64 = privateInputs.nix-darwin.lib.darwinSystem { darwinConfigurations.sops-arm64 = privateInputs.nix-darwin.lib.darwinSystem {
modules = [ modules = [
./checks/darwin.nix ./checks/darwin.nix
#{ nixpkgs.pkgs = nixpkgs.legacyPackages.aarch64-darwin; }
{ nixpkgs.hostPlatform = "aarch64-darwin"; } { nixpkgs.hostPlatform = "aarch64-darwin"; }
]; ];
}; };
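Review bot: `dropOverride` strips only `override`, but `callPackage` wraps its result with `makeOverridable`, which as far as I recall also attaches `overrideDerivation` (and `overrideAttrs` when the result defines one) to an attribute-set result, so `tests` and `tests-stable` would still carry a function-valued attribute into `checks`, where every attribute is expected to be a derivation. Widening the list, `dropOverride = attrs: nixpkgs.lib.removeAttrs attrs [ "override" "overrideDerivation" "overrideAttrs" ];`, keeps the checks set to derivations only. The `passthru.tests` removed from pkgs/sops-install-secrets guarded the NixOS tests with `lib.optionalAttrs stdenv.isLinux`, while the new `callPackage ./checks/nixos-test.nix { }` call is unconditional; if `eachSystem` includes Darwin systems, that guard should be restored here. The `checks` binding continues outside the hunk.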


@ -4,7 +4,6 @@
stdenv, stdenv,
vendorHash, vendorHash,
go, go,
callPackages,
}: }:
buildGoModule { buildGoModule {
pname = "sops-install-secrets"; pname = "sops-install-secrets";
@ -21,10 +20,6 @@ buildGoModule {
# requires root privileges for tests # requires root privileges for tests
doCheck = false; doCheck = false;
passthru = {
tests = lib.optionalAttrs stdenv.isLinux (callPackages ./nixos-test.nix { });
};
outputs = [ "out" ] ++ lib.lists.optionals (stdenv.isLinux) [ "unittest" ]; outputs = [ "out" ] ++ lib.lists.optionals (stdenv.isLinux) [ "unittest" ];
postInstall = postInstall =