mirrors/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
Code Activity
904 commits 14 branches 1 tag 2.8 MiB
Commit graph

904 commits

This branch
This branch
All branches
Author SHA1 Message Date
dependabot[bot]
2d73fc6ac4 update vendorHash 2024-12-12 01:05:52 +00:00
dependabot[bot]
5803825c93 build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.30.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-12-12 01:05:52 +00:00
dependabot[bot]
a80af89297 update vendorHash 2024-12-09 23:02:24 +00:00
dependabot[bot]
1bb029c84f build(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/crypto/compare/v0.29.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-12-09 23:02:24 +00:00
dependabot[bot]
1d0c71cbf5 update vendorHash 2024-12-09 22:55:12 +00:00
dependabot[bot]
84d8bf5ba8 build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0 
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.27.0 to 0.28.0.
- [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-12-09 22:55:12 +00:00
Jörg Thalheim
c6134b6fff fix queuing conditions 2024-12-02 09:29:15 +01:00
Jörg Thalheim
fb055f309d {darwin,home-manager}: add example template 2024-12-02 09:29:15 +01:00
jobs62
8d13626351 try fixing templates on home-manager 
Update pkgs/sops-install-secrets/main.go
 2024-12-02 09:29:15 +01:00
dependabot[bot]
3433ea14fb update vendorHash 2024-11-25 23:03:45 +00:00
dependabot[bot]
6ecde343ef build(deps): bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3 
Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.2 to 1.1.3.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.2...v1.1.3)

---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-11-25 23:03:45 +00:00
Mergify
53c853fb1a ci(mergify): upgrade configuration to current format 2024-11-21 11:49:09 +01:00
Jared Baur
e39947d0ee allow for missing switch-to-configuration directory 
NixOS' switch-to-configuration program creates the /run/nixos directory,
which may not be present if `system.switch.enable` is `false`.
 2024-11-18 18:23:53 +00:00
Jörg Thalheim
472741cf3f
fix eval of tests (#674) 2024-11-17 16:51:52 +00:00
Jörg Thalheim
0ec0d5d3c5 remove obsolete sops-pgp-hook alias 2024-11-17 15:33:42 +01:00
Jörg Thalheim
799b572ef1 move checks out of pkgs 2024-11-17 15:33:42 +01:00
Jörg Thalheim
420737291e load devshell from flake 2024-11-17 15:33:42 +01:00
Jörg Thalheim
793c07f331 nix-darwin: fix shellcheck warning of activation script 2024-11-17 14:41:25 +01:00
Jörg Thalheim
1c75c1c13a fix darwin evaluation 2024-11-17 14:41:25 +01:00
Jörg Thalheim
fe6a1bb922 add home-manager and sops-nix to ci 2024-11-17 14:41:25 +01:00
Jörg Thalheim
dfcebb55c8 only export nixos tests on Linux 2024-11-17 13:20:58 +01:00
Jörg Thalheim
5f3869dfd2 update github action to also update private flake 2024-11-17 13:20:58 +01:00
Jörg Thalheim
7769727634 move nixpkgs-stable to private flake inputs 
now with home-manager and nix-darwin tests, we don't want to increase
the number of dependencies a user has to override in their flake.lock.
 2024-11-17 13:20:58 +01:00
Jörg Thalheim
d76a2f002f nix-darwin: remove unused variable 2024-11-17 13:20:58 +01:00
Jörg Thalheim
6b85086bcc reformat code base with nixfmt 2024-11-17 12:22:59 +01:00
Jörg Thalheim
b05bdb2650 nix-darwin: fix evaluation with templates 2024-11-17 11:10:46 +00:00
Jörg Thalheim
a7b8f0feb7 define templates for home-manager 2024-11-17 11:06:56 +00:00
Jeremy Fleischman
eee831aadb Do not render templates when decrypting neededForUsers secrets 
This fixes https://github.com/Mic92/sops-nix/issues/659

In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:

1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.

This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:

1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
   `/run/secrets/rendered`, which is not inside of the
   `/run/secrets-for-users` directory we're dealing with, so we'd
   generate a symlink from `/run/secrets/rendered/<foo>` to
   `/run/secrets-for-users/rendered/<foo>`, which required making
   the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.

Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.

Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not do that here).
 2024-11-17 06:19:41 +00:00
sops-nix-bot
47fc1d8c72
flake.lock: Update (#658) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53?narHash=sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z%2Bw%3D' (2024-10-30)
  → 'github:NixOS/nixpkgs/c69a9bffbecde46b4b939465422ddc59493d3e4d?narHash=sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk%3D' (2024-11-16)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c?narHash=sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY%3D' (2024-11-03)
  → 'github:NixOS/nixpkgs/e8c38b73aeb218e27163376a2d617e61a2ad9b59?narHash=sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g%3D' (2024-11-16)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-11-17 03:30:39 +00:00
Ian
d2bd7f433b Implement darwin module for sops-nix 2024-11-16 09:09:49 +00:00
dependabot[bot]
4c91d52db1
build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#663) 
* build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.29.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:38:28 +00:00
dependabot[bot]
e4f36d56eb
build(deps): bump github.com/ProtonMail/go-crypto from 1.1.0-beta.0-proton to 1.1.2 (#662) 
* build(deps): bump github.com/ProtonMail/go-crypto

Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.0-beta.0-proton to 1.1.2.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.0-beta.0-proton...v1.1.2)

---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:28:15 +00:00
dependabot[bot]
58f41afcc7
build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0 (#661) 
* build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.26.0 to 0.27.0.
- [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:13:55 +00:00
Wael Nasreddine
f1675e3b0e
home-manager: Add support for Split GPG on Qubes OS (#657) 
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
 2024-11-10 05:32:29 +01:00
Jeremy Fleischman
60e1bce199 Add support for restartUnits and reloadUnits for templates 
This fixes https://github.com/Mic92/sops-nix/issues/634
 2024-11-08 06:34:20 +00:00
Jeremy Fleischman
c9f6b151cc fix: create template.path symlink 
This fixes https://github.com/Mic92/sops-nix/issues/653.

Note: `main.go` has been slowly accumulating shared logic between vanilla
"secrets" and "templates". It feels to me like we could DRY up some of
the logic in here by creating some shared "interface" that they both
implement. I opted not to try to tackle that here, though.
 2024-11-08 06:07:13 +00:00
Jeremy Fleischman
fe63071416 Improve activation messages about rendered templates 
This fixes https://github.com/Mic92/sops-nix/issues/652
 2024-11-07 19:49:39 +00:00
Jeremy Fleischman
33f18b404e Rework restart-and-reload to assert more strictly on the activation output 
I've reworked the test to assert on the entire output. This allows us to
detect unexpected output without having to write weird "i expect this
random string to *not* show up assertions", which aren't great at
preventing regressions.

I did have to change the code under test a little bit to make it
behavior deterministically (by sorting the files it outputs).

tl;dr: this demonstrates <https://github.com/Mic92/sops-nix/issues/652>
but does not fix it. I will fix it in a subsequent commit.
 2024-11-07 19:49:39 +00:00
liyangau
c5ae1e214f fix missing lib in mkOption 2024-11-06 09:50:27 +01:00
thomaslepoix
f21c31dadf Emit plain file when key is empty 
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
 2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b rebase, complete implementation 2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211 template refactoring 2024-11-06 04:55:41 +00:00
Sandro Jäckel
59d6988329 Fix module declarations 2024-11-04 18:49:22 +00:00
sops-nix-bot
e9b5eef9b5
flake.lock: Update (#646) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4e0eec54db79d4d0909f45a88037210ff8eaffee?narHash=sha256-bpb6r3GjzhNW8l%2BmWtRtLNg5PhJIae041sPyqcFNGb4%3D' (2024-10-26)
  → 'github:NixOS/nixpkgs/2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53?narHash=sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z%2Bw%3D' (2024-10-30)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)
  → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c?narHash=sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY%3D' (2024-11-03)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-11-03 03:49:44 +00:00
sops-nix-bot
1666d16426
flake.lock: Update (#644) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ccc0c2126893dd20963580b6478d1a10a4512185?narHash=sha256-4HQI%2B6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo%3D' (2024-10-18)
  → 'github:NixOS/nixpkgs/4e0eec54db79d4d0909f45a88037210ff8eaffee?narHash=sha256-bpb6r3GjzhNW8l%2BmWtRtLNg5PhJIae041sPyqcFNGb4%3D' (2024-10-26)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22?narHash=sha256-66RHecx%2BzohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4%3D' (2024-10-19)
  → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-10-27 03:28:01 +00:00
Sizhe Zhao
b2211d1a53 fix(home-manager/sops): fix setting unit env 
The Environment option should be set in Service section.
 2024-10-26 08:38:45 +00:00
Sizhe Zhao
78a0e634fc fix(home-manager/sops): fix setting systemd unit environment 2024-10-24 13:07:55 +00:00
Mark Sisson
d089e742fb feat(home-manager/sops): add environment variable configuration 
Added support for configuring environment variables before calling
`sops-install-secrets`. Introduced a new `environment` option which
allows specifying environment variables. Modified systemd service
and launchd agent to use the specified environment variables.
 2024-10-23 14:55:20 +00:00
Martijn de Munnik
a4c33bfecb Allow to set uid and gid instead of owner and group. No checks will be performed when uid and gid are set. 
```
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```

Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
 2024-10-23 07:38:42 +00:00
Sandro Jäckel
26642e8f19 Add some missing literalExpression 2024-10-22 09:03:27 +00:00