Jeremy Fleischman
60e1bce199
Add support for restartUnits and reloadUnits for templates
This fixes https://github.com/Mic92/sops-nix/issues/634
2024-11-08 06:34:20 +00:00
Jeremy Fleischman
c9f6b151cc
fix: create template.path symlink
This fixes https://github.com/Mic92/sops-nix/issues/653.
Note: `main.go` has been slowly accumulating shared logic between vanilla
"secrets" and "templates". It feels to me like we could DRY up some of
the logic in here by creating some shared "interface" that they both
implement. I opted not to try to tackle that here, though.
2024-11-08 06:07:13 +00:00
Jeremy Fleischman
fe63071416
Improve activation messages about rendered templates
This fixes https://github.com/Mic92/sops-nix/issues/652
2024-11-07 19:49:39 +00:00
Jeremy Fleischman
33f18b404e
Rework restart-and-reload to assert more strictly on the activation output
I've reworked the test to assert on the entire output. This allows us to
detect unexpected output without having to write weird "I expect this
random string to *not* show up" assertions, which aren't great at
preventing regressions.
I did have to change the code under test a little bit to make it
behave deterministically (by sorting the files it outputs).
tl;dr: this demonstrates <https://github.com/Mic92/sops-nix/issues/652>
but does not fix it. I will fix it in a subsequent commit.
2024-11-07 19:49:39 +00:00
thomaslepoix
f21c31dadf
Emit plain file when key is empty
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b
rebase, complete implementation
2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211
template refactoring
2024-11-06 04:55:41 +00:00
Martijn de Munnik
a4c33bfecb
Allow setting uid and gid instead of owner and group. No checks will be performed when uid and gid are set.
```
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-10-23 07:38:42 +00:00
Jörg Thalheim
2750ed784e
nixos-tests: enable system switch again
2024-10-06 16:02:18 +00:00
r-vdp
d9d781523a
Support userborn
2024-09-05 12:42:46 +00:00
Ramses
5db5921e40
Reuse the existing nixpkgs instance for the tests instead of re-importing it (#611)
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
2024-09-01 14:30:42 +00:00
Janne Heß
b549832718
darwin: Mount hfs+ case-sensitive
sops-nix assumes this is the case since it's the default on Linux.
2024-05-22 17:51:40 +00:00
Kaede Akino
0cd7cac744
sops-install-secrets: add mount options for darwin
2024-05-22 17:51:40 +00:00
Jörg Thalheim
b94c6edbb8
fix symlink directory not existing
2024-04-18 18:17:04 +02:00
Jörg Thalheim
6b259336bd
Lint fixes (#539)
* fix various additional linter errors
* extend golangci checks
2024-04-18 16:19:26 +02:00
the-furry-hubofeverything
74f03c1a51
Refuse age keyfile paths that are in the nix store
2024-04-18 08:17:46 +00:00
Jörg Thalheim
85d13d5aa4
sops-install-secrets: also write out pubring to make gnupg happy
2024-03-14 15:47:03 +01:00
Jörg Thalheim
a2d9145e98
fix build with new ssh-to-age library
2024-03-14 15:47:03 +01:00
Janik H.
eb7e7f0842
sops-install-secrets: change sops url
downgrade go-crypto again
2024-03-14 15:47:03 +01:00
Jörg Thalheim
695275c349
make sops-install-secrets work with sysusers
2024-02-12 15:30:32 +01:00
Jörg Thalheim
2168851d58
nixos-tests: drop < 23.11 compat code
2024-02-08 13:05:11 +00:00
Jörg Thalheim
c0b3a5af90
fix wrong error message in ssh key import
2024-01-10 18:37:54 +01:00
Jörg Thalheim
020dcff707
allow ssh key import to fail
We import ssh keys by default if openssh is enabled.
However, if users are using age keys while using sops to deploy ssh keys, we have
a catch-22.
While users could use lib.mkForce to empty the list, this is not intuitive.
2024-01-10 17:59:57 +01:00
Sandro Jäckel
0e3a94167d
sops-install-secrets: don't trigger a rebuild when flake.lock changes
When you have a follow in your flake inputs, sops-install-secrets is
rebuilt every time the flake.lock changes despite that being a no-op. When
filtering src, this can be avoided.
2023-11-14 08:42:18 +00:00
pizmovc
0a9d5e41f6
fixup! Rename passwordFile to hashedPasswordFile
2023-11-06 06:36:07 +00:00
pizmovc
4e3f66f703
Rename passwordFile to hashedPasswordFile
This follows the rename that was done in nixpkgs.
Reference PR https://github.com/NixOS/nixpkgs/pull/254080
2023-11-06 06:36:07 +00:00
Jörg Thalheim
275b28593e
sops-install-secrets: check that both uid & gid are correct on mountpoints
2023-11-03 15:23:39 +01:00
Jörg Thalheim
c59da7ac29
reformat with gofumpt
2023-11-03 14:49:21 +01:00
Jörg Thalheim
cc2cfe5630
don't chown mountpoint if already correct
This avoids issues where the directory might be bind-mounted.
2023-11-03 14:49:21 +01:00
Shyim
1b7b3a32d6
Update pkgs/sops-install-secrets/darwin.go
Co-authored-by: Leo Pang <34628052+allthatjazzleo@users.noreply.github.com>
2023-08-22 19:24:38 +01:00
Shyim
fce0c8ce93
fix: add missing argument for MountSecretFs on darwin
2023-08-22 19:24:38 +01:00
Mic92
339a559402
Add configuration option to use tmpfs in place of ramfs (#355)
allow use of tmpfs via option configuration
* Tabs vs Spaces
* Update modules/sops/default.nix
* Update modules/sops/default.nix
2023-08-12 09:45:08 +01:00
Jörg Thalheim
62a7c95c8c
vendorHash: make it overridable
2023-07-15 06:49:20 +00:00
Roman Gonzalez
2ff6973350
fix(darwin): RuntimeDir trailing slash
In later versions of macOS (e.g. Ventura), the command used to get a
runtime directory (e.g. `getconf DARWIN_USER_TEMP_DIR`) returns a
trailing slash.
When using a configuration like:
```
sops.defaultSecretsMountPoint = "%r/secrets.d";
```
The final path is going to contain a double slash in the suffix of the
path, for example:
```
/var/<random>/<hash>//secrets.d
```
This commit ensures that the runtime dir will get the trailing '/'
character removed.
2023-06-22 01:49:29 +00:00
Roman Gonzalez
4ce3cc3428
fix(darwin): use chown only on non user mode
On the latest version of macOS (Ventura 13.4 as of this date), this
ownership change will always fail with the error:
> Failed to mount filesystem for secrets: Cannot change owner/group of '.../secrets.d' to 0/0: chown .../secrets.d: operation not permitted
2023-06-22 01:49:29 +00:00
Jörg Thalheim
2e77ca66d8
Merge pull request #326 from Mic92/deprecation-stuff
fix makeSetupHook deprecations
2023-05-08 05:58:13 +01:00
Jörg Thalheim
b84b3177a1
fix makeSetupHook's also for older nixos release
2023-05-08 06:48:56 +02:00
mlatus
4de4d820ba
fix scope in sops.templates; add relevant test
2023-04-18 12:47:12 +08:00
mlatus
bae4d46397
add test for sops.templates
2023-03-23 23:06:04 +08:00
Tomas Zaluckij
bea992ff5e
fix makeSetupHook deprecations
2023-03-17 21:03:25 +00:00
Jörg Thalheim
4e50640bac
go: drop deprecated ioutil
2023-02-28 09:44:31 +01:00
Pogobanane
716ccf8147
sops-install-secrets: disable unittest for darwin
because $unittest is undefined on darwin and breaks the build/test
2023-02-02 12:07:00 +01:00
Pogobanane
466d039190
darwin/home-manager: %r dir
2023-02-02 12:07:00 +01:00
Pogobanane
98834d958b
darwin: impl MountSecretFs
2023-02-02 12:07:00 +01:00
Pogobanane
58ceff1f7b
darwin: workaround missing user
2023-02-02 12:07:00 +01:00
Pogobanane
e6ccc740d8
darwin: impl SecureSymlinkChown
2023-02-02 12:07:00 +01:00
Pogobanane
783af739d2
fix go tests for darwin
2023-02-02 12:07:00 +01:00
Pogobanane
4f3d45c058
go files for darwin
fixup
2023-02-02 11:38:33 +01:00
Janne Heß
7f38c98162
More review fixups
2023-02-02 11:38:03 +01:00
Janne Heß
3afa9ca553
Fixup review comments
2023-02-02 11:38:03 +01:00