mirror of https://github.com/Mic92/sops-nix.git synced 2025-03-15 13:08:21 +00:00
Commit graph

57 commits

Author SHA1 Message Date
Jörg Thalheim
6b85086bcc reformat code base with nixfmt 2024-11-17 12:22:59 +01:00
Jeremy Fleischman
eee831aadb Do not render templates when decrypting neededForUsers secrets
This fixes https://github.com/Mic92/sops-nix/issues/659

In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:

1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.

This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:

1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
   `/run/secrets/rendered`, which is not inside of the
   `/run/secrets-for-users` directory we're dealing with, so we'd
   generate a symlink from `/run/secrets/rendered/<foo>` to
   `/run/secrets-for-users/rendered/<foo>`, which required making
   the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.

Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.

Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not to do that here).
2024-11-17 06:19:41 +00:00
thomaslepoix
f21c31dadf Emit plain file when key is empty
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
2024-11-06 05:57:58 +00:00
Martijn de Munnik
a4c33bfecb Allow setting uid and gid instead of owner and group. No checks will be performed when uid and gid are set.
```
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    # Empty owner/group: skip the name lookup and use the numeric ids below.
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```

Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-10-23 07:38:42 +00:00
Sandro Jäckel
26642e8f19 Add some missing literalExpression 2024-10-22 09:03:27 +00:00
r-vdp
d9d781523a Support userborn 2024-09-05 12:42:46 +00:00
Jörg Thalheim
ab2d1ffeb5 {nixos,home-manager}: shell escape age key paths 2024-08-12 09:20:04 +00:00
the-furry-hubofeverything
74f03c1a51 Refuse age keyfile paths that are in the nix store 2024-04-18 08:17:46 +00:00
Joachim Ernst
cc535d07cb remove all uses of lib.mdDoc (#532) 2024-04-15 11:55:09 +02:00
Jörg Thalheim
fa8035c073 use gnupg binary also now for ssh rsa keys
With the last sops bump, our gpg keys are no longer detected by sops without it
2024-03-14 15:47:03 +01:00
Luflosi
7f015eeff1 modules/sops: fix typo
The assertion below states: "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set".
2024-03-14 12:52:12 +01:00
Jörg Thalheim
695275c349 make sops-install-secrets work with sysusers 2024-02-12 15:30:32 +01:00
Jörg Thalheim
00071af896 move secrets-for-users to its own module
This is preparation to support sysusers.
No behavior change.
2024-02-08 12:26:52 +00:00
Jörg Thalheim
4d284ca58c nixos: fix typo in assertion message when no key source is configured 2023-09-18 19:13:37 +02:00
Maximilian Bosch
f81e73cf9a modules/sops: fix description of useTmpfs (#385)
It's supposed to be mdDoc rather than mkDoc.
2023-08-15 20:23:48 +01:00
Mic92
339a559402 Add configuration option to use tmpfs in place of ramfs (#355)
allow use of tmpfs via option configuration

* Tabs vs Spaces

* Update modules/sops/default.nix

* Update modules/sops/default.nix
2023-08-12 09:45:08 +01:00
ajs124
3b26d8f58b literalDocBook -> literalMD 2023-06-20 15:08:13 +02:00
mlatus
c4c39450b1 add sops.templates 2023-03-13 23:56:19 +08:00
Janne Heß
acaf36a1bf Implement home-manager support
Closes #62
Closes #163
2023-02-02 11:38:03 +01:00
lucasew
eb09a61dc9 format type: add dotenv and ini
Signed-off-by: lucasew <lucas59356@gmail.com>
2023-01-17 10:55:52 -03:00
Naïm Camille Favier
de37ae4b4a module: add defaultText to validationPackage
Makes flake-info succeed
2022-07-21 09:04:38 +02:00
dramforever
fc2b603a9b Add validationPackage option for cross-compilation 2022-07-12 09:39:40 +08:00
Jos van Bakel
5ae679b566 Add package option to module 2022-04-23 16:58:11 +02:00
Janne Heß
5e2f743edd Re-add service restarts
We also have service reloads now, so add them as well
2022-03-14 17:30:56 +01:00
Naïm Favier
4e887466a1 Add defaultText to some options to make flake-info succeed 2022-02-26 16:20:19 +01:00
Jörg Thalheim
95b4393147 Revert "allow to disable sops"
This reverts commit 43f44540b8.

This commit was not intended for master
2022-02-07 14:34:38 +01:00
Jörg Thalheim
43f44540b8 allow to disable sops 2022-02-07 14:34:18 +01:00
Naïm Favier
d5d9e67dea Allow paths in sops.environment
Useful for things like `sops.environment.SOPS_GPG_EXEC = pkgs.writeShellScript ...`
2022-01-23 13:39:26 +01:00
Jörg Thalheim
ea297c304d module: no conditionals when exposing manifests 2022-01-04 16:32:08 +01:00
Janne Heß
168346e17e module: Expose manifests
We are planning to use this in our CI pipeline
2022-01-04 00:42:40 +01:00
Jörg Thalheim
3ef112ec72 ignore ssh keys deployed with sops 2021-12-29 15:11:48 +01:00
Janne Heß
bac2a891b7 Fix user passwords disappearing
Also add a test case for this.
Closes #137
2021-11-13 14:17:51 +01:00
Janne Heß
80eb349cc8 Support arbitrary environment variables
Should hopefully fix #23
2021-11-09 23:33:49 +01:00
Janne Heß
af29ac4d84 Prune old secrets generations
Closes #128
2021-11-09 23:17:55 +01:00
Janne Heß
bac08f6919 Allow setting user passwords 2021-11-07 13:53:16 +01:00
Janne Heß
9683d128bd Add support for restarting/reloading units 2021-11-07 12:37:57 +01:00
Jörg Thalheim
e0e57da497 fix documentation and assertions for age.keyFile 2021-09-30 21:10:08 +02:00
Janne Heß
4cebc08062 Fix age key generation and test it 2021-09-30 15:28:39 +02:00
Janne Heß
5db02f2939 Import age keyfile and ssh keys at the same time 2021-09-30 15:07:30 +02:00
Janne Heß
4568162629 Import age ssh keys by default 2021-09-24 12:09:53 +02:00
Janne Heß
44d91e885e Add review suggestions 2021-09-24 12:09:53 +02:00
Janne Heß
db8fcb50a3 Add support for ssh-generated age keys 2021-09-24 12:09:52 +02:00
Janne Heß
b21c0ce3a8 Group gnupg and age in the module 2021-09-24 12:09:52 +02:00
Janne Heß
f5a2ba217b Add age support 2021-09-24 12:09:52 +02:00
Jörg Thalheim
f3deaae52f Merge branch 'master' into master-specialfs 2021-08-26 19:53:56 +01:00
Jörg Thalheim
ce5e734b26 sops-nix: fix build 2021-08-26 20:01:22 +02:00
0x4A6F
f89c1a5bf1 modules/sops: activation after specialfs
* ensure mounted /run before running setup-secrets
2021-08-22 23:28:48 +02:00
Maximilian Bosch
df2d4bbbfc modules/sops: fix manual
* Since 0d957142b6 the manual doesn't
  build since `<name>` is interpreted by docbook as (unmatched) XML-tag.
  I decided to use `<xref linkend` as this provides proper linking to
  the referenced option.

* Also, if the module is included on a machine where `sops` isn't used,
  but `documentation.nixos.includeAllModules = true;` is set, the module
  wouldn't evaluate because `config.sopsFile` is referenced in a
  `default`-tag. This is generally an issue since every change to this
  option would trigger a rebuild of the manual anyways.

  See also 94fd200305 for that.
2021-07-10 16:11:31 +02:00
Nick Cao
0d957142b6 add readonly option sopsFileHash 2021-07-04 14:01:37 +08:00
Maximilian Bosch
94fd200305 module: Don't set option-value as option-default
When using `documentation.nixos.includeAllModules = true;`, I'd
otherwise have to rebuild the manual on each change since I have my
`defaultSopsFile` in a git-repo with all my other configs.
2021-03-28 22:58:13 +02:00