mirror of https://github.com/Mic92/sops-nix.git synced 2024-12-14 11:57:52 +00:00
Commit graph

158 commits

Author SHA1 Message Date
Pogobanane
98834d958b darwin: impl MountSecretFs 2023-02-02 12:07:00 +01:00
Pogobanane
58ceff1f7b darwin: workaround missing user 2023-02-02 12:07:00 +01:00
Pogobanane
e6ccc740d8 darwin: impl SecureSymlinkChown 2023-02-02 12:07:00 +01:00
Pogobanane
783af739d2 fix go tests for darwin 2023-02-02 12:07:00 +01:00
Pogobanane
4f3d45c058 go files for darwin
fixup
2023-02-02 11:38:33 +01:00
Janne Heß
7f38c98162 More review fixups 2023-02-02 11:38:03 +01:00
Janne Heß
3afa9ca553 Fixup review comments 2023-02-02 11:38:03 +01:00
Janne Heß
acaf36a1bf Implement home-manager support
Closes #62
Closes #163
2023-02-02 11:38:03 +01:00
Jörg Thalheim
f234b0c865
TestIsValidFormat: don't use deprecated golang function 2023-02-01 22:08:03 +01:00
Jörg Thalheim
415302126e
Merge pull request #262 from lucasew/feat/type-dotenv
format type: add dotenv and ini
2023-02-01 21:54:15 +01:00
Nick Cao
a88f9dd22d
Fix build of sops-install-secrets after https://github.com/NixOS/nixpkgs/pull/212800 2023-02-01 13:16:38 +08:00
lucasew
eb09a61dc9 format type: add dotenv and ini
Signed-off-by: lucasew <lucas59356@gmail.com>
2023-01-17 10:55:52 -03:00
Jörg Kütemeier
7e0e679050
Update pkgs/sops-init-gpg-key/sops-init-gpg-key
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2023-01-11 10:00:33 +01:00
Jörg Kütemeier
0ef86b61ee
Update pkgs/sops-init-gpg-key/sops-init-gpg-key
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2023-01-11 10:00:25 +01:00
Jörg Kütemeier
965743c678
Add optional generation of Curve25519 type GPG keys 2023-01-05 22:51:58 +01:00
Sandro
a7a614f429
Remove unused code 2022-11-02 17:09:40 +01:00
Jörg Thalheim
9a381e3b2d no longer use out-dated aliases 2022-09-26 16:28:23 +02:00
Janne Heß
f0dddc1486
Fix lookup of users/groups in dry activation
This fails otherwise as the users snippet was not executed and the
user/group does not exist.

Closes #222
2022-08-25 16:14:10 +02:00
Jörg Thalheim
2c898a6d76
Merge pull request #205 from Mic92/fix/test-indentation
Fix test indentation once and for all
2022-07-10 19:28:03 +02:00
Janne Heß
8f8e4e7cdd
Fix test indentation once and for all 2022-07-09 00:07:09 +02:00
Janne Heß
cb4c79633d
Also print imported age keys 2022-07-09 00:04:54 +02:00
Janne Heß
a94c4a7d40
Remove the 21.11 version 2022-07-04 20:23:46 +02:00
Jörg Thalheim
5d69dafb8d
no longer use deprecated .machine attribute in nixos tests 2022-05-25 08:55:27 +02:00
Jörg Thalheim
150afcb240
move all nix expressions to pkgs 2022-05-15 08:19:33 +02:00
Janne Heß
5e2f743edd
Re-add service restarts
We also have service reloads now, so add them as well
2022-03-14 17:30:56 +01:00
Janne Heß
8677dd6909
Replace separator for nested keys for consistency 2021-11-29 12:20:25 +01:00
Janne Heß
23259ded2c Remove restart logic from README and test
The required code in nixpkgs was reverted so we should not advertise a
feature that does not work. We can revert this commit if the feature is
re-merged into 22.05 with the proper version in it.
2021-11-29 10:24:45 +01:00
Janne Heß
edb3913e10
Remove debug text 2021-11-23 22:32:41 +01:00
Janne Heß
bac2a891b7
Fix user passwords disappearing
Also add a test case for this.
Closes #137
2021-11-13 14:17:51 +01:00
Janne Heß
af29ac4d84
Prune old secrets generations
Closes #128
2021-11-09 23:17:55 +01:00
Janne Heß
bac08f6919
Allow setting user passwords 2021-11-07 13:53:16 +01:00
Janne Heß
79706f6748
Fix secrets mount point and remove default 2021-11-07 13:00:05 +01:00
Janne Heß
9683d128bd
Add support for restarting/reloading units 2021-11-07 12:37:57 +01:00
Janne Heß
2b9a0815ca
Implement nested secrets 2021-09-30 21:49:47 +02:00
Jörg Thalheim
c5e0f55d8d nixos-tests: fix indentations 2021-09-30 21:09:26 +02:00
Janne Heß
4cebc08062
Fix age key generation and test it 2021-09-30 15:28:39 +02:00
Janne Heß
5db02f2939
Import age keyfile and ssh keys at the same time 2021-09-30 15:07:30 +02:00
Janne Heß
9083e64fb9
Swap order of age ssh keys and the key file
It makes more sense to import the key when we have one and ignore the
SSH keys instead of only importing the key when we have no SSH keys.
This is because we import all SSH keys by default in the module and
using a key file means the user has to explicitly unset the SSH keys.
2021-09-30 14:05:38 +02:00
Jörg Thalheim
a38ba56ca2 import ssh keys both for gpg and age 2021-09-28 14:07:26 +02:00
Janne Heß
77d0fa5920
Simplify age logic in sops-install-secrets 2021-09-24 12:09:54 +02:00
Janne Heß
f636296aff
Switch the libs to now external ones 2021-09-24 12:09:53 +02:00
Janne Heß
6c916c1f57
Add a converter from private ssh keys to age 2021-09-24 12:09:53 +02:00
Janne Heß
4568162629
Import age ssh keys by default 2021-09-24 12:09:53 +02:00
Janne Heß
c980f2547e
Add sops-ssh-to-age tool 2021-09-24 12:09:52 +02:00
Janne Heß
db8fcb50a3
Add support for ssh-generated age keys 2021-09-24 12:09:52 +02:00
Janne Heß
b21c0ce3a8
Group gnupg and age in the module 2021-09-24 12:09:52 +02:00
Janne Heß
f5a2ba217b
Add age support 2021-09-24 12:09:52 +02:00
Janne Heß
ebfa120b52
Fix pipeline on unstable 2021-09-17 21:08:34 +02:00
Jörg Thalheim
3e2aefbc61 switch to maintained openpgp library 2021-08-29 15:24:07 +02:00
Jörg Thalheim
34a650555e
fix nixos-test
We no longer require membership in keys group.
2021-07-03 08:20:27 +02:00
Jörg Thalheim
73e19bf11b
Replace sops-gpg-hook with sops-import-keys-hook 2021-07-03 08:08:38 +02:00
Jörg Thalheim
351c716739
allow non-key group users to access /run/secrets
This does not significantly decrease security while making it a lot more
convenient.  There are also services where it is not possible to set
the keys group, i.e. if a daemon unsets all groups.  Processes still
won't be able to list other secrets if they are not in the secret group.

fixes #86
2021-06-05 17:59:22 +02:00
Jörg Thalheim
f540b74ced
remove ssh-to-pgp from sops-nix 2021-02-22 06:49:46 +01:00
Nicolas Berbiche
a3b53c6087
Fix sops-pgp-hook erroring in a strict shell 2021-02-08 15:49:30 -05:00
Jörg Thalheim
d665aecd88
fix 32-bit build 2021-02-01 13:50:17 +01:00
Bernardo Meurer
dd7dfdcb6a
pkgs: don't reference deprecated stdenv.lib
`stdenv.lib` has been deprecated in favor of using `lib` directly.
2021-01-31 18:02:23 -08:00
Jörg Thalheim
4de7358a2b
only mount ramfs once 2021-01-28 22:36:12 +01:00
Jörg Thalheim
47a99b6957
Merge branch 'master' into lists 2021-01-27 06:23:50 +00:00
Jörg Thalheim
80ad73c347
fix sops files that contain lists
fixes #68
2021-01-27 07:22:56 +01:00
Eduard Bopp
0be44e088b Fix impurity in test invocation
The system must be specified, as its default is
`builtins.currentSystem`, which is disallowed as an impure function
during flake evaluation.
2021-01-26 15:48:56 +01:00
Martin Potier
40f42e95b6
Keep the original shellHook if it is set 2021-01-07 16:24:18 +02:00
Jörg Thalheim
9b65d30bad
ssh-to-pgp: fix tests 2020-12-15 04:05:56 +01:00
Jörg Thalheim
378fe484f9
fix sops-install-secrets with nixpkgs unstable 2020-11-18 16:08:59 +01:00
Jörg Thalheim
c7826f534e
parallelize CI 2020-11-13 12:54:33 +01:00
Cole Mickens
24fd158fe6
sops-install-secrets: symlinkSecret: set uid/gid (with Fchownat) (#32)
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2020-08-24 09:24:43 +01:00
Jörg Thalheim
7d2b22a18d
sops-install-secrets: disable tests 2020-08-10 18:22:59 +01:00
Jörg Thalheim
32c42617e4
sshkeys: use %w in fmt.Errorf calls 2020-07-30 16:22:43 +01:00
Jörg Thalheim
df86cc4e71
ssh-to-pgp: use %w for fmt.Errorf calls 2020-07-30 16:21:47 +01:00
Jörg Thalheim
01e4038c9a
don't print full executable path logging key import 2020-07-30 16:19:51 +01:00
Jörg Thalheim
9cd8bb080f
sops-install-secrets: use %w for fmt.Errorf calls 2020-07-30 16:19:14 +01:00
Jörg Thalheim
59e6df1acf
sops-init-gpg-key: include hostname on darwin 2020-07-23 08:45:32 +01:00
Jörg Thalheim
98afd85ef8
sops-init-gpg-key: add install check 2020-07-23 08:20:08 +01:00
Jörg Thalheim
b8d91d61ac
restrict sops-install-secrets to linux
ramfs is not available elsewhere.
2020-07-22 23:46:05 +01:00
Jörg Thalheim
4a41039ab3
mark sops-install-secrets as Linux only 2020-07-22 23:12:13 +01:00
Jörg Thalheim
5e95616f0f
use a shorter tempdir on macOS
By default macOS does something like this:

/var/folders/08/j4g_jn953lngpvgmyg8dygk00000gn/T/

breaking unix socket paths of gnupg.
2020-07-22 23:10:22 +01:00
Andreas Fuchs
1279274ddc
Use /tmp as the temporary dir for ssh-to-gpg
This isn't great: but it might prevent the agent from complaining.
2020-07-22 23:10:22 +01:00
Andreas Fuchs
0d885b439f
Create a temporary GNUPGHOME dir
This should prevent the paths from getting unwieldy, we'll see.
2020-07-22 23:10:22 +01:00
Jörg Thalheim
3095053dd4 darwin fixes 2020-07-22 22:29:01 +01:00
Jörg Thalheim
66393a1c82
sops-pgp-hook: ignore subkeys
fixes #17
2020-07-22 15:07:51 +01:00
Jörg Thalheim
0729c15de3
sops-pgp-hook: make test robust against file order
There is no guarantee that keys will be returned in a certain order
2020-07-22 14:32:08 +01:00
Jörg Thalheim
fd28d45f10
make golangci-lint happy 2020-07-19 23:30:28 +01:00
Jörg Thalheim
bffb0afb48
fix replace existing files 2020-07-19 23:23:38 +01:00
Jörg Thalheim
59803f7530
fix user manifest validation in sandbox
we should not lookup users there
2020-07-19 21:04:58 +01:00
Jörg Thalheim
30c6879b42
add validation mode 2020-07-19 17:09:27 +01:00
Jörg Thalheim
4224ec9ede
add validate flag 2020-07-19 11:32:59 +01:00
Jörg Thalheim
b1131e035d
sops-install-secrets: improve error message 2020-07-14 13:49:54 +01:00
Jörg Thalheim
6508df75b6
sops-install-secrets: include newline in log 2020-07-14 13:48:30 +01:00
Jörg Thalheim
cf34042dc2
sops-install-secrets: log gpg fingerprint 2020-07-14 13:42:32 +01:00
Jörg Thalheim
8cdca9dd6d
secring: open with more secure umask 2020-07-14 13:41:03 +01:00
Jörg Thalheim
4eda6711ba
fix /etc/secrets.d permissions 2020-07-14 13:21:07 +01:00
Jörg Thalheim
fe7f6360e8
add integration test for sops-pgp-hook 2020-07-14 11:26:54 +01:00
Jörg Thalheim
7c6f438d05
rework sops-pgp-hook and document it. 2020-07-13 09:51:53 +01:00
Jörg Thalheim
6286c5cc75
fix public gpg key import 2020-07-13 09:12:47 +01:00
Jörg Thalheim
71976f5a55
ssh-to-pgp: make armor encoding the default 2020-07-13 08:05:03 +01:00
Jörg Thalheim
bdfd4c3389
sops-init-gpg-key: print fingerprint 2020-07-13 07:25:08 +01:00
Jörg Thalheim
d8e505804a
ssh-to-pgp: print fingerprint 2020-07-13 07:24:51 +01:00
Jörg Thalheim
ec604e56c6
sops-shell-hook: look for both .asc/.gpg 2020-07-13 07:17:18 +01:00
Jörg Thalheim
81ab902811
don't panic when ssh key is encrypted 2020-07-13 06:26:45 +01:00
Jörg Thalheim
dfedaea239
avoid partial writes with ascii armor
Still not perfect because it still prints the header
2020-07-13 06:26:41 +01:00
Jörg Thalheim
7bd84011ef
fix sops nixos module 2020-07-12 17:52:03 +01:00