Merge pull request #123 from Mic92/feat/import-age-keyfile-and-ssh

Import age keyfile and ssh keys at the same time

modules/sops/default.nix

@@ -140,7 +140,6 @@ in {
         example = "/var/lib/sops-nix/key.txt";
         description = ''
           Path to age key file used for sops decryption.
-          Setting this to a non-null value causes the ssh keys to be ignored.
         '';
       };
 
@@ -159,7 +158,6 @@ in {
         default = if config.services.openssh.enable then map (e: e.path) (lib.filter (e: e.type == "ed25519") config.services.openssh.hostKeys) else [];
         description = ''
           Paths to ssh keys added as age keys during sops description.
-          This setting is ignored when the keyFile is set to a non-null value.
         '';
       };
     };
@@ -214,7 +212,7 @@ in {
     '';
 
     system.activationScripts.generate-age-key = (mkIf cfg.age.generateKey) (stringAfter [] ''
-      if [[ ! -f "${cfg.age.keyFile}" ]]; then;
+      if [[ ! -f '${cfg.age.keyFile}' ]]; then
         echo generating machine-specific age key...
         mkdir -p $(dirname ${cfg.age.keyFile})
         # age-keygen sets 0600 by default, no need to chmod.

pkgs/sops-install-secrets/main.go

@@ -519,14 +519,7 @@ func importSSHKeys(keyPaths []string, gpgHome string) error {
 	return nil
 }
 
-func importAgeSSHKeys(keyPaths []string, ageFilePath string) error {
-	ageFile, err := os.OpenFile(ageFilePath, os.O_WRONLY|os.O_CREATE, 0600)
-	if err != nil {
-		return fmt.Errorf("Cannot create '%s': %w", ageFilePath, err)
-	}
-	defer ageFile.Close()
-	fmt.Fprintf(ageFile, "# generated by sops-nix at %s\n", time.Now().Format(time.RFC3339))
-
+func importAgeSSHKeys(keyPaths []string, ageFile os.File) error {
 	for _, p := range keyPaths {
 		// Read the key
 		sshKey, err := ioutil.ReadFile(p)
@@ -645,15 +638,38 @@ func installSecrets(args []string) error {
 		os.Setenv("GNUPGHOME", manifest.GnupgHome)
 	}
 
-	if manifest.AgeKeyFile != "" {
-		os.Setenv("SOPS_AGE_KEY_FILE", manifest.AgeKeyFile)
-	} else if len(manifest.AgeSshKeyPaths) != 0 {
+	// Import age keys
+	if len(manifest.AgeSshKeyPaths) != 0 || manifest.AgeKeyFile != "" {
 		keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
-		err = importAgeSSHKeys(manifest.AgeSshKeyPaths, keyfile)
-		if err != nil {
-			return err
-		}
 		os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
+		// Create the keyfile
+		ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+		if err != nil {
+			return fmt.Errorf("Cannot create '%s': %w", keyfile, err)
+		}
+		defer ageFile.Close()
+		fmt.Fprintf(ageFile, "# generated by sops-nix at %s\n", time.Now().Format(time.RFC3339))
+
+		// Import SSH keys
+		if len(manifest.AgeSshKeyPaths) != 0 {
+			err = importAgeSSHKeys(manifest.AgeSshKeyPaths, *ageFile)
+			if err != nil {
+				return err
+			}
+		}
+		// Import the keyfile
+		if manifest.AgeKeyFile != "" {
+			// Read the keyfile
+			contents, err := ioutil.ReadFile(manifest.AgeKeyFile)
+			if err != nil {
+				return fmt.Errorf("Cannot read keyfile '%s': %w", manifest.AgeKeyFile, err)
+			}
+			// Append it to the file
+			_, err = ageFile.WriteString(string(contents) + "\n")
+			if err != nil {
+				return fmt.Errorf("Cannot write key to age file: %w", err)
+			}
+		}
 	}
 
 	if err := decryptSecrets(manifest.Secrets); err != nil {

pkgs/sops-install-secrets/nixos-test.nix

@@ -55,6 +55,11 @@
     sops = {
       defaultSopsFile = ./test-assets/secrets.yaml;
       secrets.test_key = {};
+      # Generate a key and append it to make sure it appending doesn't break anything
+      age = {
+        keyFile = "/tmp/testkey";
+        generateKey = true;
+      };
     };
   };