mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
Code Activity

nixos: enable manifest validation

Browse source
This commit is contained in:
Jörg Thalheim 2020-07-19 19:13:48 +01:00
parent 30c6879b42
commit b395301115
No known key found for this signature in database
GPG key ID: 003F2096411B5F92
2 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -17,11 +17,12 @@ key management APIs such as AWS KMS, GCP KMS, Azure Key Vault or Hashicorp's vau
- Compatible with all NixOS deployment frameworks: [NixOps](https://github.com/NixOS/nixops), nixos-rebuild, [krops](https://github.com/krebs/krops/), [morph](https://github.com/DBCDK/morph), [nixus](https://github.com/Infinisil/nixus)
- Version-control friendly: Since all files are encrypted they can directly committed to version control. The format is readable in diffs and there are also ways of showing [git diffs in cleartext](https://github.com/mozilla/sops#showing-diffs-in-cleartext-in-git)
- CI friendly: Since nixops files can be added to the nix store as well without leaking secrets, machine definition can be build as a whole.
- CI friendly: Since sops files can be added to the nix store as well without leaking secrets, machine definition can be build as a whole.
- Atomic upgrades: New secrets are written to a new directory which replaces the old directory in an atomic step.
- Rollback support: If sops files are added to Nix store, old secrets can be rolled back. This is optional.
- Fast: Unlike solutions implemented by NixOps, krops and morph there is no extra step required to upload secrets
- Different storage formats: Secrets can be stored in Yaml, JSON or binary.
- Minimize configuration errors: sops files are checked against the configuration at evluation time.
## Usage example

30
modules/sops/default.nix
View file

@ -80,6 +80,13 @@ let
symlinkPath = "/run/secrets";
inherit (cfg) gnupgHome sshKeyPaths;
});
checkedManifest = pkgs.runCommandNoCC "checked-manifest.json" {
nativeBuildInputs = [ sops-install-secrets ];
} ''
sops-install-secrets -check-mode=${if cfg.validateSopsFiles then "sopsfile" else "manifest"} ${manifest}
cp ${manifest} $out
'';
in {
options.sops = {
secrets = mkOption {
@ -97,6 +104,15 @@ in {
'';
};
validateSopsFiles = mkOption {
type = types.bool;
default = true;
description = ''
Check all sops files at evaluation time.
This requires sops files to be added to the nix store.
'';
};
gnupgHome = mkOption {
type = types.nullOr types.str;
default = null;
@ -118,18 +134,22 @@ in {
};
};
config = mkIf (cfg.secrets != {}) {
assertions = [{
assertion = cfg.gnupgHome != null -> cfg.sshKeyPaths == [];
message = "config.sops.gnupgHome and config.sops.sshKeyPaths are mutual exclusive";
message = "Configuration options sops.gnupgHome and sops.sshKeyPaths cannot be set both at the same time";
} {
assertion = cfg.gnupgHome == null -> cfg.sshKeyPaths != [];
message = "Either config.sops.sshKeyPaths and config.sops.gnupgHome must be set";
}];
message = "Either sops.sshKeyPaths and sops.gnupgHome must be set";
}] ++ map (name: let
inherit (cfg.secrets.${name}) sopsFile;
in {
assertion = cfg.validateSopsFiles -> builtins.isPath sopsFile;
message = "${sopsFile} is not in the nix store. Either add it to the nix store or set `sops.validateSopsFiles` to false";
}) (builtins.attrNames cfg.secrets);
system.activationScripts.setup-secrets = stringAfter [ "users" "groups" ] ''
echo setting up secrets...
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${manifest}
${optionalString (cfg.gnupgHome != null) "SOPS_GPG_EXEC=${pkgs.gnupg}/bin/gpg"} ${sops-install-secrets}/bin/sops-install-secrets ${checkedManifest}
'';
};
}