This fixes https://github.com/Mic92/sops-nix/issues/659
In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:
1. When rendering `neededForUsers` secrets (if there are any
`neededForUsers` secrets).
2. When decrypting "regular" secrets.
This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:
1. When rendering `neededForUsers` secrets, we'd generate templates in
`/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
`/run/secrets/rendered`, which is not inside of the
`/run/secrets-for-users` directory we're dealing with, so we'd
generate a symlink from `/run/secrets/rendered/<foo>` to
`/run/secrets-for-users/rendered/<foo>`, which required making
the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
exist, or is a symlink, and you get the symptoms described in
<https://github.com/Mic92/sops-nix/issues/659>.
Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.
Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not do that here).
Added support for configuring environment variables before calling
`sops-install-secrets`. Introduced a new `environment` option which
allows specifying environment variables. Modified systemd service
and launchd agent to use the specified environment variables.
This reverts commit 7711514b85.
With db82bcafd4, we no longer need to
ensure that the pair list only contains utf-8 text, as long as users
don't reference non-utf-8 data in template content.
FixesMic92/sops-nix#439.
Adds an extra check to determine if the placeholder ocurrs in template
content before actually reading the corresponding secret file.
In terms of performance, this adds an extra string search, but removes
possibly unneceassary file reading if the secret is not used in the
template, though both of them should be negligible in most cases.
FixesMic92/sops-nix#496.
Correct a bug where 'KeepAlive' in the launchd service
'org.nix-community.home.sops-nix.plist'
re-runs 'sops-nix-user' every few seconds.
This should run:
- once at boot
- once at home-manager profile activation
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
When using `documentation.nixos.includeAllModules = true;` this fails
for me with
error: attribute 'users' missing
at /nix/store/30jax2y4q3d1xyf8ha3cwilw3kdz4pn8-source/modules/sops/templates/default.nix:8:11:
7| secretsForUsers = lib.filterAttrs (_: v: v.neededForUsers) cfg.secrets;
8| users = config.users.users;
| ^
9| in {
(use '--show-trace' to show detailed location information)
Not depending on `config` when building the manual fixes the issue.
