Jörg Thalheim
85d13d5aa4
sops-install-secrets: also write out pubring to make gnupg happy
2024-03-14 15:47:03 +01:00
Jörg Thalheim
a2d9145e98
fix build with new ssh-to-age library
2024-03-14 15:47:03 +01:00
Janik H.
833bd28f8f
.gitignore: add nix build result
2024-03-14 15:47:03 +01:00
Janik H.
eb7e7f0842
sops-install-secrets: change sops url
...
downgrade go-crypto again
2024-03-14 15:47:03 +01:00
dependabot[bot]
804157eb75
update vendorHash
2024-03-14 12:52:31 +01:00
dependabot[bot]
1385b12fb3
build(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto ) from 0.20.0 to 0.21.0.
- [Commits](https://github.com/golang/crypto/compare/v0.20.0...v0.21.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-03-14 12:52:31 +01:00
Luflosi
7f015eeff1
modules/sops: fix typo
...
The assertion below states: "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set".
2024-03-14 12:52:12 +01:00
dependabot[bot]
e52d8117b3
build(deps): bump cachix/install-nix-action from 25 to 26
...
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action ) from 25 to 26.
- [Release notes](https://github.com/cachix/install-nix-action/releases )
- [Commits](https://github.com/cachix/install-nix-action/compare/v25...v26 )
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-03-11 22:13:14 +00:00
github-actions[bot]
f8d5c8baa8
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/458b097d81f90275b3fdf03796f0563844926708' (2024-03-02)
→ 'github:NixOS/nixpkgs/0e7f98a5f30166cbed344569426850b21e4091d4' (2024-03-09)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03)
→ 'github:NixOS/nixpkgs/b17375d3bb7c79ffc52f3538028b2ec06eb79ef8' (2024-03-10)
2024-03-10 03:03:26 +00:00
dependabot[bot]
25dd60fdd0
update vendorHash
2024-03-06 07:44:51 +00:00
dependabot[bot]
e3b396f42f
build(deps): bump golang.org/x/sys from 0.17.0 to 0.18.0
...
Bumps [golang.org/x/sys](https://github.com/golang/sys ) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/sys/compare/v0.17.0...v0.18.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/sys
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-03-06 07:44:51 +00:00
dependabot[bot]
291aad29b5
build(deps): bump DeterminateSystems/update-flake-lock from 20 to 21
...
Bumps [DeterminateSystems/update-flake-lock](https://github.com/determinatesystems/update-flake-lock ) from 20 to 21.
- [Release notes](https://github.com/determinatesystems/update-flake-lock/releases )
- [Commits](https://github.com/determinatesystems/update-flake-lock/compare/v20...v21 )
---
updated-dependencies:
- dependency-name: DeterminateSystems/update-flake-lock
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-03-04 22:39:56 +00:00
github-actions[bot]
075df9d85e
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/f63ce824cd2f036216eb5f637dfef31e1a03ee89' (2024-02-24)
→ 'github:NixOS/nixpkgs/458b097d81f90275b3fdf03796f0563844926708' (2024-03-02)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea' (2024-02-25)
→ 'github:NixOS/nixpkgs/66d65cb00b82ffa04ee03347595aa20e41fe3555' (2024-03-03)
2024-03-03 03:01:51 +00:00
dependabot[bot]
a1c8de14f6
update vendorHash
2024-02-26 22:51:07 +00:00
dependabot[bot]
e386e52abe
build(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto ) from 0.19.0 to 0.20.0.
- [Commits](https://github.com/golang/crypto/compare/v0.19.0...v0.20.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 22:51:07 +00:00
github-actions[bot]
2874fbbe4a
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/6e2f00c83911461438301db0dba5281197fe4b3a' (2024-02-17)
→ 'github:NixOS/nixpkgs/f63ce824cd2f036216eb5f637dfef31e1a03ee89' (2024-02-24)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/69405156cffbdf2be50153f13cbdf9a0bea38e49' (2024-02-17)
→ 'github:NixOS/nixpkgs/89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea' (2024-02-25)
2024-02-25 03:01:16 +00:00
Quentin Smith
f6b80ab6cd
Address review comments
2024-02-21 07:24:54 +00:00
Quentin Smith
fbec55367f
modules/sops/templates: Support custom files as secret templates
...
This exposes the `file` option, which can be used with `pkgs.formats` to write additional configuration formats.
2024-02-21 07:24:54 +00:00
dependabot[bot]
acfcce2a36
update vendorHash
2024-02-20 19:09:21 +00:00
dependabot[bot]
a13fc353ca
build(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto ) from 0.18.0 to 0.19.0.
- [Commits](https://github.com/golang/crypto/compare/v0.18.0...v0.19.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-20 19:09:21 +00:00
dependabot[bot]
a5932c85e1
update vendorHash
2024-02-20 18:18:50 +00:00
dependabot[bot]
203f3fd655
build(deps): bump golang.org/x/sys from 0.16.0 to 0.17.0
...
Bumps [golang.org/x/sys](https://github.com/golang/sys ) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/sys/compare/v0.16.0...v0.17.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/sys
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-02-20 18:18:50 +00:00
w4tsn
5611ba15f1
add nix config snippet to restart sops-nix service
...
As home-manager does not restart the `sops-nix` unit automatically
a snippet to instruct home-manager to do so is added.
Home-manager could be instructed to restart the user service from the
sops-nix home-manager module instead. Usually home-manager restarts
units which changed. Since the sops-nix unit does not change when
secrets change this does not trigger automatically.
There are two options:
- let sops-nix home-manager module compute a chained hash over all
secrets and place it inside the unit file, so it changes every time
the secrets change
- use X-SwitchMethod and X-Restart-Triggers
See nix-community/home-manager#3865
2024-02-20 18:04:56 +00:00
DDoSolitary
f88661c9a9
Revert "don't substitute binaries"
...
This reverts commit 7711514b85
.
With db82bcafd4
, we no longer need to
ensure that the pair list only contains utf-8 text, as long as users
don't reference non-utf-8 data in template content.
Fixes Mic92/sops-nix#439 .
2024-02-20 16:46:05 +00:00
DDoSolitary
f805f3061a
template rendering should only read referenced secrets
...
Adds an extra check to determine if the placeholder ocurrs in template
content before actually reading the corresponding secret file.
In terms of performance, this adds an extra string search, but removes
possibly unneceassary file reading if the secret is not used in the
template, though both of them should be negligible in most cases.
Fixes Mic92/sops-nix#496 .
2024-02-20 16:46:05 +00:00
github-actions[bot]
ffed177a9d
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/442d407992384ed9c0e6d352de75b69079904e4e' (2024-02-09)
→ 'github:NixOS/nixpkgs/6e2f00c83911461438301db0dba5281197fe4b3a' (2024-02-17)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/d8cd80616c8800feec0cab64331d7c3d5a1a6d98' (2024-02-10)
→ 'github:NixOS/nixpkgs/69405156cffbdf2be50153f13cbdf9a0bea38e49' (2024-02-17)
2024-02-18 03:02:23 +00:00
Sirio Balmelli
48afd3264e
home-manager/darwin: run sops-nix-user _once_ on login or activation
...
Correct a bug where 'KeepAlive' in the launchd service
'org.nix-community.home.sops-nix.plist'
re-runs 'sops-nix-user' every few seconds.
This should run:
- once at boot
- once at home-manager profile activation
Signed-off-by: Sirio Balmelli <sirio@b-ad.ch>
2024-02-13 17:36:42 +01:00
Jörg Thalheim
695275c349
make sops-install-secrets work with sysusers
2024-02-12 15:30:32 +01:00
github-actions[bot]
2eb7c4ba3a
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/f8e2ebd66d097614d51a56a755450d4ae1632df1' (2024-02-07)
→ 'github:NixOS/nixpkgs/442d407992384ed9c0e6d352de75b69079904e4e' (2024-02-09)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/bc6cb3d59b7aab88e967264254f8c1aa4c0284e9' (2024-02-08)
→ 'github:NixOS/nixpkgs/d8cd80616c8800feec0cab64331d7c3d5a1a6d98' (2024-02-10)
2024-02-11 03:03:34 +00:00
Jörg Thalheim
2168851d58
nixos-tests: drop < 23.11 compat code
2024-02-08 13:05:11 +00:00
Jörg Thalheim
98aa76b72e
bump nixos-stable release
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/79a13f1437e149dc7be2d1290c74d378dad60814' (2024-02-03)
→ 'github:NixOS/nixpkgs/f8e2ebd66d097614d51a56a755450d4ae1632df1' (2024-02-07)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/9a333eaa80901efe01df07eade2c16d183761fa3' (2024-01-22)
→ 'github:NixOS/nixpkgs/bc6cb3d59b7aab88e967264254f8c1aa4c0284e9' (2024-02-08)
2024-02-08 12:26:52 +00:00
Jörg Thalheim
00071af896
move secrets-fo-users to it's own module
...
This preparation to support sysusers.
No behavior change.
2024-02-08 12:26:52 +00:00
github-actions[bot]
23f61b897c
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/4fddc9be4eaf195d631333908f2a454b03628ee5' (2024-01-25)
→ 'github:NixOS/nixpkgs/79a13f1437e149dc7be2d1290c74d378dad60814' (2024-02-03)
2024-02-04 02:59:07 +00:00
github-actions[bot]
73bf36912e
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/e5d1c87f5813afde2dda384ac807c57a105721cc' (2024-01-19)
→ 'github:NixOS/nixpkgs/4fddc9be4eaf195d631333908f2a454b03628ee5' (2024-01-25)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12)
→ 'github:NixOS/nixpkgs/9a333eaa80901efe01df07eade2c16d183761fa3' (2024-01-22)
2024-01-28 03:00:21 +00:00
Haru02w
4606d9b159
Add info about hash passwords
2024-01-24 22:06:12 +01:00
github-actions[bot]
ae171b54e7
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/eabe8d3eface69f5bb16c18f8662a702f50c20d5' (2024-01-09)
→ 'github:NixOS/nixpkgs/e5d1c87f5813afde2dda384ac807c57a105721cc' (2024-01-19)
2024-01-21 02:59:43 +00:00
dependabot[bot]
8775533158
build(deps): bump cachix/install-nix-action from 24 to 25
...
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action ) from 24 to 25.
- [Release notes](https://github.com/cachix/install-nix-action/releases )
- [Commits](https://github.com/cachix/install-nix-action/compare/v24...v25 )
---
updated-dependencies:
- dependency-name: cachix/install-nix-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 22:14:37 +00:00
github-actions[bot]
70dd0d521f
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/63143ac2c9186be6d9da6035fa22620018c85932' (2024-01-02)
→ 'github:NixOS/nixpkgs/eabe8d3eface69f5bb16c18f8662a702f50c20d5' (2024-01-09)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03)
→ 'github:NixOS/nixpkgs/a1982c92d8980a0114372973cbdfe0a307f1bdea' (2024-01-12)
2024-01-14 02:59:13 +00:00
Jörg Thalheim
c0b3a5af90
fix wrong error message in ssh key import
2024-01-10 18:37:54 +01:00
Jörg Thalheim
020dcff707
allow ssh key import to fail
...
We import ssh keys by default if openssh is enabled.
However if users are using age keys while using sops to deploy ssh keys we have
a catch-22.
While users could use lib.mkForce to empty the list, this is not intuitive
2024-01-10 17:59:57 +01:00
Jörg Thalheim
5bd3f71f07
Update README.md
2024-01-10 16:58:27 +00:00
EmergentMind
4cf467173b
Update README.md
...
Add home-manager usage example that is inline with current recommended sops-nix installation approach. The required import path is substantially different than that of the other example, which has been retained.
2024-01-10 16:58:27 +00:00
Enno Richter
6db9bd9ace
fix typo in README.md
2024-01-10 16:53:11 +00:00
dependabot[bot]
0ded574120
update vendorHash
2024-01-08 22:35:04 +00:00
dependabot[bot]
6a5082dcc2
build(deps): bump golang.org/x/crypto from 0.17.0 to 0.18.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto ) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/crypto/compare/v0.17.0...v0.18.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 22:35:04 +00:00
github-actions[bot]
f5fbcc0f50
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870' (2023-12-25)
→ 'github:NixOS/nixpkgs/63143ac2c9186be6d9da6035fa22620018c85932' (2024-01-02)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/0aad9113182747452dbfc68b93c86e168811fa6c' (2023-12-30)
→ 'github:NixOS/nixpkgs/70bdadeb94ffc8806c0570eb5c2695ad29f0e421' (2024-01-03)
2024-01-07 03:01:50 +00:00
github-actions[bot]
cfdbaf68d0
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/d6863cbcbbb80e71cecfc03356db1cda38919523' (2023-12-21)
→ 'github:NixOS/nixpkgs/e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870' (2023-12-25)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/7790e078f8979a9fcd543f9a47427eeaba38f268' (2023-12-23)
→ 'github:NixOS/nixpkgs/0aad9113182747452dbfc68b93c86e168811fa6c' (2023-12-30)
2023-12-31 03:01:57 +00:00
github-actions[bot]
e523e89763
flake.lock: Update
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/aa9d4729cbc99dabacb50e3994dcefb3ea0f7447' (2023-12-14)
→ 'github:NixOS/nixpkgs/d6863cbcbbb80e71cecfc03356db1cda38919523' (2023-12-21)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/a19a71d1ee93226fd71984359552affbc1cd3dc3' (2023-12-17)
→ 'github:NixOS/nixpkgs/7790e078f8979a9fcd543f9a47427eeaba38f268' (2023-12-23)
2023-12-24 03:11:42 +00:00
dependabot[bot]
f7db64b88d
update vendorHash
2023-12-18 22:12:47 +00:00
dependabot[bot]
87bacb8118
build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto ) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/crypto/compare/v0.16.0...v0.17.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 22:12:47 +00:00