
move checks out of pkgs

This commit is contained in:
Jörg Thalheim 2024-11-17 15:08:13 +01:00 committed by Jörg Thalheim
parent 420737291e
commit 799b572ef1
3 changed files with 34 additions and 35 deletions


@ -1,5 +1,7 @@
{ lib, testers }:
let
testAssets = ../pkgs/sops-install-secrets/test-assets;
userPasswordTest =
name: extraConfig:
testers.runNixOSTest {
@ -8,12 +10,12 @@ let
{ config, lib, ... }:
{
imports = [
../../modules/sops
../modules/sops
extraConfig
];
sops = {
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key.neededForUsers = true;
secrets."nested/test/file".owner = "example-user";
};
@ -58,16 +60,16 @@ in
nodes.server =
{ ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
services.openssh.enable = true;
services.openssh.hostKeys = [
{
type = "rsa";
bits = 4096;
path = ./test-assets/ssh-key;
path = testAssets + "/ssh-key";
}
];
sops.defaultSopsFile = ./test-assets/secrets.yaml;
sops.defaultSopsFile = testAssets + "/secrets.yaml";
sops.secrets.test_key = { };
};
@ -82,17 +84,17 @@ in
nodes.machine =
{ lib, ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
sops = {
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { };
keepGenerations = lib.mkDefault 0;
};
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
@ -128,10 +130,10 @@ in
nodes.machine =
{ config, ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
sops = {
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets = {
test_key = { };
@ -166,7 +168,7 @@ in
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
};
@ -196,17 +198,17 @@ in
age-ssh-keys = testers.runNixOSTest {
name = "sops-age-ssh-keys";
nodes.machine = {
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
services.openssh.enable = true;
services.openssh.hostKeys = [
{
type = "ed25519";
path = ./test-assets/ssh-ed25519-key;
path = testAssets + "/ssh-ed25519-key";
}
];
sops = {
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { };
# Generate a key and append it to make sure it appending doesn't break anything
age = {
@ -227,7 +229,7 @@ in
nodes.server =
{ lib, config, ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
users.users.someuser = {
isSystemUser = true;
@ -235,7 +237,7 @@ in
};
sops.gnupg.home = "/run/gpghome";
sops.defaultSopsFile = ./test-assets/secrets.yaml;
sops.defaultSopsFile = testAssets + "/secrets.yaml";
sops.secrets.test_key.owner = config.users.users.someuser.name;
sops.secrets."nested/test/file".owner = config.users.users.someuser.name;
sops.secrets.existing-file = {
@ -244,7 +246,7 @@ in
};
# must run before sops
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
cp -r ${./test-assets/gnupghome} /run/gpghome
cp -r ${testAssets + "/gnupghome"} /run/gpghome
chmod -R 700 /run/gpghome
touch /run/existing-file
@ -254,7 +256,7 @@ in
#environment.variables = {
# GNUPGHOME = "/run/gpghome";
# SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
# SOPSFILE = "${./test-assets/secrets.yaml}";
# SOPSFILE = "${testAssets + "/secrets.yaml"}";
#};
};
testScript = ''
@ -282,10 +284,10 @@ in
nodes.machine =
{ config, ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
sops = {
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = { };
# Verify that things work even with `neededForUsers` secrets. See
@ -295,7 +297,7 @@ in
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
@ -361,11 +363,11 @@ in
nodes.machine =
{ config, ... }:
{
imports = [ ../../modules/sops ];
imports = [ ../modules/sops ];
sops = {
age.keyFile = "/run/age-keys.txt";
defaultSopsFile = ./test-assets/secrets.yaml;
defaultSopsFile = testAssets + "/secrets.yaml";
secrets.test_key = {
restartUnits = [
"restart-unit.service"
@ -390,7 +392,7 @@ in
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
@ -551,7 +553,7 @@ in
user-passwords = userPasswordTest "sops-user-passwords" {
# must run before sops sets up keys
boot.initrd.postDeviceCommands = ''
cp -r ${./test-assets/age-keys.txt} /run/age-keys.txt
cp -r ${testAssets + "/age-keys.txt"} /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
};
@ -568,7 +570,7 @@ in
# must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
}
@ -586,7 +588,7 @@ in
# must run before sops sets up keys
systemd.services."sops-install-secrets-for-users".preStart = ''
printf '${builtins.readFile ./test-assets/age-keys.txt}' > /run/age-keys.txt
printf '${builtins.readFile testAssets + "/age-keys.txt"}' > /run/age-keys.txt
chmod -R 700 /run/age-keys.txt
'';
}
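Review bot: The last hunk of checks/nixos-test.nix drops the parentheses that the otherwise identical hunk at `@ -568,7 +570,7 @@` keeps, so `builtins.readFile testAssets + "/age-keys.txt"` parses as `(builtins.readFile testAssets) + "/age-keys.txt"` — function application binds tighter than `+` in Nix — and readFile is handed the test-assets directory instead of the key file, which will fail at evaluation time. The line should read `printf '${builtins.readFile (testAssets + "/age-keys.txt")}' > /run/age-keys.txt`, matching the earlier hunk. The enclosing attribute set starts and ends outside this hunk, so the surrounding test definition is not visible here.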


@ -80,11 +80,14 @@
checks = eachSystem (
{ pkgs, system, ... }:
let
tests = self.packages.${system}.sops-install-secrets.tests;
packages-stable = import ./default.nix {
pkgs = privateInputs.nixpkgs-stable.legacyPackages.${system};
};
tests-stable = packages-stable.sops-install-secrets.tests;
dropOverride = attrs: nixpkgs.lib.removeAttrs attrs [ "override" ];
tests = dropOverride (pkgs.callPackage ./checks/nixos-test.nix { });
tests-stable = dropOverride (
privateInputs.nixpkgs-stable.legacyPackages.${system}.callPackage ./checks/nixos-test.nix { }
);
suffix-version =
version: attrs:
nixpkgs.lib.mapAttrs' (name: value: nixpkgs.lib.nameValuePair (name + version) value) attrs;
@ -105,7 +108,6 @@
darwinConfigurations.sops-arm64 = privateInputs.nix-darwin.lib.darwinSystem {
modules = [
./checks/darwin.nix
#{ nixpkgs.pkgs = nixpkgs.legacyPackages.aarch64-darwin; }
{ nixpkgs.hostPlatform = "aarch64-darwin"; }
];
};
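Review bot: The new `tests = dropOverride (pkgs.callPackage ./checks/nixos-test.nix { })` evaluates the NixOS tests for every system that `eachSystem` covers, whereas the removed `passthru.tests` in pkgs/sops-install-secrets/default.nix was guarded by `lib.optionalAttrs stdenv.isLinux`; if `eachSystem` (defined outside this hunk) includes darwin systems, `testers.runNixOSTest` will now be evaluated as a check there, so the guard should be restored, e.g. `tests = nixpkgs.lib.optionalAttrs pkgs.stdenv.isLinux (dropOverride (pkgs.callPackage ./checks/nixos-test.nix { }));` and likewise for `tests-stable`. Separately, `dropOverride` removes only `override`, but nixpkgs' `makeOverridable` (what `callPackage` wraps the result in) also attaches `overrideDerivation` to a non-derivation attrset result, so a function-valued attribute would presumably remain in `checks`; consider `nixpkgs.lib.removeAttrs attrs [ "override" "overrideDerivation" ]`. The `checks = eachSystem (` expression continues past the end of the hunk.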


@ -4,7 +4,6 @@
stdenv,
vendorHash,
go,
callPackages,
}:
buildGoModule {
pname = "sops-install-secrets";
@ -21,10 +20,6 @@ buildGoModule {
# requires root privileges for tests
doCheck = false;
passthru = {
tests = lib.optionalAttrs stdenv.isLinux (callPackages ./nixos-test.nix { });
};
outputs = [ "out" ] ++ lib.lists.optionals (stdenv.isLinux) [ "unittest" ];
postInstall =