mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-05 16:17:47 +00:00
Commit graph

60 commits

Author SHA1 Message Date
Jeremy Fleischman
33f18b404e Rework restart-and-reload to assert more strictly on the activation output
I've reworked the test to assert on the entire output. This allows us to
detect unexpected output without having to write weird "I expect this
random string to *not* show up" assertions, which aren't great at
preventing regressions.

I did have to change the code under test a little bit to make it
behave deterministically (by sorting the files it outputs).

tl;dr: this demonstrates <https://github.com/Mic92/sops-nix/issues/652>
but does not fix it. I will fix it in a subsequent commit.
2024-11-07 19:49:39 +00:00
thomaslepoix
f21c31dadf Emit plain file when key is empty
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b rebase, complete implementation 2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211 template refactoring 2024-11-06 04:55:41 +00:00
Martijn de Munnik
a4c33bfecb Allow setting uid and gid instead of owner and group. No checks will be performed when uid and gid are set.
```
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```

Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-10-23 07:38:42 +00:00
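The owner/group versus uid/gid distinction in the commit above is easy to get wrong in practice: names are validated against the user database, numeric ids are written as given. The following is an added example (not sops-nix code) that models that resolution rule in Go so the behaviour can be checked offline. `SecretSpec`, `Lookups`, `resolveOwnership`, the `fakeLookups` user database and all ids in it are constructed for this example; only `os/user` and `strconv` are real standard-library calls.

```go
package main

import (
	"errors"
	"fmt"
	"os/user"
	"strconv"
)

// SecretSpec follows the option shape shown in the commit message: owner/group
// are names, uid/gid are numeric overrides. Constructed for this example; not
// the module's real option type.
type SecretSpec struct {
	Name  string
	Owner string // user name, resolved and checked unless UID is set
	Group string // group name, resolved and checked unless GID is set
	UID   *int   // explicit numeric uid; taken verbatim, no existence check
	GID   *int   // explicit numeric gid; taken verbatim, no existence check
}

// Ownership is what the secret file ends up chowned to.
type Ownership struct{ UID, GID int }

// Lookups abstracts name -> id resolution so the logic runs offline;
// osLookups wires it to the host user database.
type Lookups struct {
	User  func(name string) (int, error)
	Group func(name string) (int, error)
}

// osLookups resolves names through os/user (the host's passwd/group files).
func osLookups() Lookups {
	return Lookups{
		User: func(name string) (int, error) {
			u, err := user.Lookup(name)
			if err != nil {
				return 0, err
			}
			return strconv.Atoi(u.Uid)
		},
		Group: func(name string) (int, error) {
			g, err := user.LookupGroup(name)
			if err != nil {
				return 0, err
			}
			return strconv.Atoi(g.Gid)
		},
	}
}

// resolveOwnership picks the ids for one secret. Numeric uid/gid win and are
// not validated (useful for ids that only exist inside a container). Names
// must resolve; an unknown name is an error so activation fails loudly
// instead of installing the secret with the wrong owner.
func resolveOwnership(s SecretSpec, lk Lookups) (Ownership, error) {
	var o Ownership
	if s.UID != nil {
		o.UID = *s.UID
	} else {
		uid, err := lk.User(s.Owner)
		if err != nil {
			return Ownership{}, fmt.Errorf("secret %q: owner %q: %w", s.Name, s.Owner, err)
		}
		o.UID = uid
	}
	if s.GID != nil {
		o.GID = *s.GID
	} else {
		gid, err := lk.Group(s.Group)
		if err != nil {
			return Ownership{}, fmt.Errorf("secret %q: group %q: %w", s.Name, s.Group, err)
		}
		o.GID = gid
	}
	return o, nil
}

func intp(v int) *int { return &v }

// fakeLookups is a constructed user database (ids are made up) standing in
// for the container users referenced in the example above.
func fakeLookups() Lookups {
	users := map[string]int{"root": 0, "nginx": 60}
	groups := map[string]int{"root": 0, "nginx": 60, "keys": 990}
	find := func(m map[string]int, kind, name string) (int, error) {
		if id, ok := m[name]; ok {
			return id, nil
		}
		return 0, errors.New("unknown " + kind + " " + name)
	}
	return Lookups{
		User:  func(n string) (int, error) { return find(users, "user", n) },
		Group: func(n string) (int, error) { return find(groups, "group", n) },
	}
}

func main() {
	lk := fakeLookups()
	// A misspelled owner is caught before anything is written.
	_, err := resolveOwnership(SecretSpec{Name: "sslCertificate", Owner: "ngnix", Group: "nginx"}, lk)
	fmt.Println("name checked:", err)
	// Numeric ids are taken as given, even if no such user exists on this host.
	o, _ := resolveOwnership(SecretSpec{Name: "sslCertificateKey", UID: intp(60), GID: intp(60)}, lk)
	fmt.Printf("uid=%d gid=%d\n", o.UID, o.GID)
	_ = osLookups // same resolver against the real user database
}
```

Swap `fakeLookups()` for `osLookups()` to run the same check against the host; the point to keep in mind is that the numeric path never consults it, so a typo in a uid is only noticed when the service cannot read its secret.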
Jörg Thalheim
b94c6edbb8 fix symlink directory not existing 2024-04-18 18:17:04 +02:00
Jörg Thalheim
6b259336bd Lint fixes (#539)
* fix various additional linter errors

* extend golangci checks
2024-04-18 16:19:26 +02:00
Jörg Thalheim
85d13d5aa4 sops-install-secrets: also write out pubring to make gnupg happy 2024-03-14 15:47:03 +01:00
Jörg Thalheim
a2d9145e98 fix build with new ssh-to-age library 2024-03-14 15:47:03 +01:00
Janik H.
eb7e7f0842 sops-install-secrets: change sops url
downgrade go-crypto again
2024-03-14 15:47:03 +01:00
Jörg Thalheim
c0b3a5af90 fix wrong error message in ssh key import 2024-01-10 18:37:54 +01:00
Jörg Thalheim
020dcff707 allow ssh key import to fail
We import ssh keys by default if openssh is enabled.
However if users are using age keys while using sops to deploy ssh keys we have
a catch-22.
While users could use lib.mkForce to empty the list, this is not intuitive
2024-01-10 17:59:57 +01:00
Jörg Thalheim
c59da7ac29 reformat with gofumpt 2023-11-03 14:49:21 +01:00
Mic92
339a559402 Add configuration option to use tmpfs in place of ramfs (#355)
allow use of tmpfs via option configuration

* Tabs vs Spaces

* Update modules/sops/default.nix

* Update modules/sops/default.nix
2023-08-12 09:45:08 +01:00
Jörg Thalheim
4e50640bac go: drop deprecated ioutil 2023-02-28 09:44:31 +01:00
Pogobanane
466d039190 darwin/home-manager: %r dir 2023-02-02 12:07:00 +01:00
Pogobanane
58ceff1f7b darwin: workaround missing user 2023-02-02 12:07:00 +01:00
Pogobanane
783af739d2 fix go tests for darwin 2023-02-02 12:07:00 +01:00
Pogobanane
4f3d45c058 go files for darwin
fixup
2023-02-02 11:38:33 +01:00
Janne Heß
7f38c98162 More review fixups 2023-02-02 11:38:03 +01:00
Janne Heß
3afa9ca553 Fixup review comments 2023-02-02 11:38:03 +01:00
Janne Heß
acaf36a1bf Implement home-manager support
Closes #62
Closes #163
2023-02-02 11:38:03 +01:00
lucasew
eb09a61dc9 format type: add dotenv and ini
Signed-off-by: lucasew <lucas59356@gmail.com>
2023-01-17 10:55:52 -03:00
Janne Heß
f0dddc1486 Fix lookup of users/groups in dry activation
This fails otherwise as the users snippet was not executed and the
user/group does not exist.

Closes #222
2022-08-25 16:14:10 +02:00
Janne Heß
cb4c79633d Also print imported age keys 2022-07-09 00:04:54 +02:00
Janne Heß
5e2f743edd Re-add service restarts
We also have service reloads now, so add them as well
2022-03-14 17:30:56 +01:00
Janne Heß
8677dd6909 Replace separator for nested keys for consistency 2021-11-29 12:20:25 +01:00
Janne Heß
edb3913e10 Remove debug text 2021-11-23 22:32:41 +01:00
Janne Heß
af29ac4d84 Prune old secrets generations
Closes #128
2021-11-09 23:17:55 +01:00
Janne Heß
bac08f6919 Allow setting user passwords 2021-11-07 13:53:16 +01:00
Janne Heß
79706f6748 Fix secrets mount point and remove default 2021-11-07 13:00:05 +01:00
Janne Heß
9683d128bd Add support for restarting/reloading units 2021-11-07 12:37:57 +01:00
Janne Heß
2b9a0815ca Implement nested secrets 2021-09-30 21:49:47 +02:00
Janne Heß
5db02f2939 Import age keyfile and ssh keys at the same time 2021-09-30 15:07:30 +02:00
Janne Heß
9083e64fb9 Swap order of age ssh keys and the key file
It makes more sense to import the key when we have one and ignore the
SSH keys instead of only importing the key when we have no SSH keys.
This is because we import all SSH keys by default in the module and
using a key file means the user has to explicitly unset the SSH keys.
2021-09-30 14:05:38 +02:00
Jörg Thalheim
a38ba56ca2 import ssh keys both for gpg and age 2021-09-28 14:07:26 +02:00
Janne Heß
77d0fa5920 Simplify age logic in sops-install-secrets 2021-09-24 12:09:54 +02:00
Janne Heß
f636296aff Switch the libs to now external ones 2021-09-24 12:09:53 +02:00
Janne Heß
db8fcb50a3 Add support for ssh-generated age keys 2021-09-24 12:09:52 +02:00
Janne Heß
f5a2ba217b Add age support 2021-09-24 12:09:52 +02:00
Jörg Thalheim
351c716739 allow non-key group users to access /run/secrets
This does not significantly decrease security while making it a lot more
convenient. There are also services where it is not possible to set
the keys group i.e. if a daemon unsets all groups.  Processes still
won't be able to list other secrets if they are not in the secret group.

fixes #86
2021-06-05 17:59:22 +02:00
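The access model described in the commit above (non-keys processes may traverse `/run/secrets` to reach a secret they own, but only members of the keys group may list the directory) comes down to the Unix class-based permission check. The following is an added example, not sops-nix code, that evaluates that check for a constructed layout: the directory as root:keys 0751, one secret as 0400 owned by the service user. `Node`, `Proc`, `allowed`, `canReadSecret`, `canListSecrets` and every uid/gid are constructed for this example; the exact mode bits the module uses are an assumption here.

```go
package main

import "fmt"

// Permission bits requested on an object.
const (
	R uint32 = 4
	X uint32 = 1
)

// Node is a file or directory with its mode bits and ownership.
type Node struct {
	Mode     uint32 // permission bits only, e.g. 0751
	UID, GID int
}

// Proc is the identity a process runs with.
type Proc struct {
	UID  int
	GIDs []int // primary plus supplementary groups
}

func (p Proc) inGroup(gid int) bool {
	for _, g := range p.GIDs {
		if g == gid {
			return true
		}
	}
	return false
}

// allowed is the classic Unix discretionary check: exactly one class applies,
// owner if the uid matches, else group if any gid matches, else other. An
// owner lacking owner bits is denied even if "other" would allow it. uid 0 is
// treated as all-powerful (CAP_DAC_OVERRIDE), a simplification that ignores
// the execute-bit exception for regular files.
func allowed(n Node, p Proc, want uint32) bool {
	if p.UID == 0 {
		return true
	}
	var bits uint32
	switch {
	case p.UID == n.UID:
		bits = (n.Mode >> 6) & 7
	case p.inGroup(n.GID):
		bits = (n.Mode >> 3) & 7
	default:
		bits = n.Mode & 7
	}
	return bits&want == want
}

// canReadSecret needs search (x) on the directory plus read on the file.
func canReadSecret(dir, secret Node, p Proc) bool {
	return allowed(dir, p, X) && allowed(secret, p, R)
}

// canListSecrets needs read on the directory, which reveals every secret name.
func canListSecrets(dir Node, p Proc) bool {
	return allowed(dir, p, R|X)
}

// Constructed layout (ids made up): /run/secrets is root:keys 0751, each
// secret is 0400 and owned by the service that needs it.
const keysGID = 990

var (
	secretsDir = Node{Mode: 0751, UID: 0, GID: keysGID}
	nginxCert  = Node{Mode: 0400, UID: 60, GID: 60}
)

func main() {
	nginx := Proc{UID: 60, GIDs: []int{60}}           // owns a secret, not in keys
	backup := Proc{UID: 70, GIDs: []int{70, keysGID}} // in keys, owns nothing here
	other := Proc{UID: 80, GIDs: []int{80}}
	legacy := Node{Mode: 0750, UID: 0, GID: keysGID} // the pre-change directory mode

	fmt.Println("nginx reads its own secret:", canReadSecret(secretsDir, nginxCert, nginx))
	fmt.Println("nginx lists /run/secrets:", canListSecrets(secretsDir, nginx))
	fmt.Println("keys member lists /run/secrets:", canListSecrets(secretsDir, backup))
	fmt.Println("keys member reads nginx secret:", canReadSecret(secretsDir, nginxCert, backup))
	fmt.Println("unrelated user reads nginx secret:", canReadSecret(secretsDir, nginxCert, other))
	fmt.Println("nginx reads its secret under 0750:", canReadSecret(legacy, nginxCert, nginx))
}
```

The last line is the situation the commit fixes: with the directory at 0750 a daemon that drops all supplementary groups cannot even reach its own 0400 file, while at 0751 it can open the file by name but still cannot enumerate what else is in the directory.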
Jörg Thalheim
f540b74ced remove ssh-to-pgp from sops-nix 2021-02-22 06:49:46 +01:00
Jörg Thalheim
d665aecd88 fix 32-bit build 2021-02-01 13:50:17 +01:00
Jörg Thalheim
4de7358a2b only mount ramfs once 2021-01-28 22:36:12 +01:00
Jörg Thalheim
80ad73c347 fix sops files that contain lists
fixes #68
2021-01-27 07:22:56 +01:00
Cole Mickens
24fd158fe6 sops-install-secrets: symlinkSecret: set uid/gid (with Fchownat) (#32)
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2020-08-24 09:24:43 +01:00
Jörg Thalheim
01e4038c9a don't print full executable path logging key import 2020-07-30 16:19:51 +01:00
Jörg Thalheim
9cd8bb080f sops-install-secrets: use %w for fmt.Errorf calls 2020-07-30 16:19:14 +01:00
Jörg Thalheim
b8d91d61ac restrict sops-install-secrets to linux
ramfs is not available elsewhere.
2020-07-22 23:46:05 +01:00
Jörg Thalheim
bffb0afb48 fix replace existing files 2020-07-19 23:23:38 +01:00