Commit graph

70 commits

Author SHA1 Message Date
Ryan Mulligan
890be82dac Merge pull request #338 from Lillecarl/escape
Escape literalExpression at all/properly
2025-08-04 08:46:02 -07:00
oluceps
d80d1febd3 fix: take userborn into consideration 2025-08-04 08:35:55 -07:00
oluceps
caab0435e1 feat: works with sysuser
fix: darwin compatible

chore: reformat

fix: infrec

chore: clean logic

Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
Co-authored-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-08-04 08:35:55 -07:00
Carl Andersson
25b74cafe8 Escape literalExpression at all/properly 2025-07-03 09:30:55 +02:00
Arnout Engelen
531beac616 Improve age.identityPaths must be set error (#335)
This error can be puzzling if you're not already aware of how this
works. Pointing users in the direction of openssh (which I suspect is
the most common way to populate `identityPaths`) while also keeping the
original message seems instructive.
2025-06-17 08:14:20 -07:00
codgician
96b7e4f9eb contrib: improve readability of age.identityPaths default value 2025-01-13 11:59:48 +08:00
codgician
cce0ff472c fix: bad age.identityPaths default value on darwin 2025-01-12 22:19:38 +08:00
Jacob Hrbek
e3413992fb age-home: Use curly-brackets for XDG_RUNTIME_DIR
To avoid having to do 4fd99eae63/nixos/secrets.nix (L25C9-L29C116) while using agenix in user services.
2024-08-10 05:05:53 +02:00
oddlama
08ed896eb6 fix: always treat link destinations as files to ensure error when destination is a directory.
This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
2024-05-21 15:08:15 +02:00
Ryan Mulligan
5c1198a352 feat: switch from rage to age
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139

What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
2023-12-23 14:09:16 -08:00
Nicolas Lenz
fe4f564f13 fix(home): shellcheck failure for fixed secretsDir 2023-09-09 16:46:53 +02:00
Lin Jian
6e8a48c2dc doc: fix nixos option format in descriptions 2023-06-27 00:06:58 +08:00
Lin Jian
0d94960783 doc: fix defaultText by adding literalExpression
I also remove an unnecessary defaultText and fix a typo.
2023-06-27 00:06:39 +08:00
Sefa Eyeoglu
758cdc98f4 Disable shellcheck warning about impossible comparison
This shellcheck warning occurs when setting a path for a secret using
the home-manager module.

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
2023-05-12 20:15:30 +02:00
Bruno BELANYI
9274b82816 Add home-manager module
This is to update and fix the issues I saw in [1] and [2].

Using a service definition instead of an activation script should
resolve the issue about the secrets disappearing after rebooting.

Removed the `user` and `group` options as they do not make sense to me
for a home-manager module, which should target a single user. They can
always be added back if somebody comes screaming.

This is somewhat modeled after sops-nix's own module [3].

[1]: https://github.com/ryantm/agenix/pull/58/
[2]: https://github.com/ryantm/agenix/pull/109
[3]: https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
2023-05-06 14:18:17 +01:00
Ryan Mulligan
b67873854d Revert "fix: disallow Nix store paths in age.identityPaths option" 2023-02-26 15:11:56 -08:00
Ryan Mulligan
1141c36c26 fix: disallow Nix store paths in age.identityPaths option 2023-02-26 09:03:17 -08:00
Ryan Mulligan
2c0ae7d44f contrib: stop packaging rage
We don't need to package rage anymore, since all the latest maintained
versions of Nix have versions higher than what we need.
2023-02-21 20:33:19 -08:00
Matthias Putz
ec66ebe0ee Make isDarwin check more robust 2023-02-20 13:47:48 +01:00
Nathan Henrie
37c7297956 Skip missing or unreadable keys 2023-02-11 07:34:06 -07:00
Nathan Henrie
d7fd31756e Remove activation scripts again 2023-01-30 15:52:05 -07:00
Nathan Henrie
6ec0b0f7c7 Revert to hdiutil for older macos compatibility, be explicit about the weird number after ram:// 2023-01-30 15:51:52 -07:00
Nathan Henrie
9779a98f1e Testing for CI -- revert "Remove activation scripts"
This reverts commit 4c315d9683.
2023-01-30 15:33:50 -07:00
Nathan Henrie
4b2b6fa111 Simplify removal of trailing spaces 2023-01-30 14:37:15 -07:00
Nathan Henrie
4c315d9683 Remove activation scripts 2023-01-30 14:21:49 -07:00
Nathan Henrie
9b94b43971 format 2023-01-30 14:21:42 -07:00
Nathan Henrie
c69689da58 Use diskutil for more convenient sizes, strip trailing tabs 2023-01-30 14:21:33 -07:00
Nathan Henrie
b818ac2e7d fmt 2023-01-30 09:18:56 -07:00
Nathan Henrie
019784cb7e Give volume a name 2023-01-30 09:06:59 -07:00
Nathan Henrie
8867c12d72 Cleanup, improve readability 2023-01-30 09:06:39 -07:00
Nathan Henrie
4532604741 Silence output 2023-01-30 09:06:03 -07:00
Nathan Henrie
351e874918 Try to add nix-darwin support to agenix
Merges work by @montchr, @cmhamill, and @rtimush and rebases on main.

- fixes https://github.com/ryantm/agenix/issues/60
- fixes https://github.com/ryantm/agenix/issues/120
- closes https://github.com/ryantm/agenix/pull/107
2023-01-29 16:41:49 -07:00
Ryan Mulligan
16bef569f4 contrib: format Nix code with Alejandra 2023-01-29 10:57:51 -08:00
Ryan Mulligan
f86b56229b feature: combine root and nonroot secret install; delay chowning 2022-07-10 11:47:58 -07:00
Jeroen Simonetti
fe206b4306 [module] change operation order
Change the order of operations to:

1. create new generation
2. decrypt secrets into new generation
3. symlink and remove old generation/secrets

Signed-off-by: Jeroen Simonetti <jeroen@simonetti.nl>
2022-07-10 19:12:55 +02:00
Ryan Mulligan
1a4643b779 feature: warn about missing files
rage itself does not have good error messages when files are missing,
so add some of our own checks and warnings.
2022-03-08 08:00:43 -08:00
Parthiv Seetharaman
85bd9d01ad modules/age: add option for secrets directory 2022-02-21 15:20:05 -08:00
Jan Tojnar
35ecba5704 Do not try to create /run/agenix when installing secrets
That is a job for agenixMountSecrets, which should have already
created a symlink there so the directory creation attempt would
fail anyway.
2022-01-06 22:55:10 +01:00
Jan Tojnar
26edd03a5a Ensure /run is created before mounting secrets
Otherwise /run/agenix might disappear if specialfs is toposorted
between agenixMountSecrets and agenixRoot.

Fixes: https://github.com/ryantm/agenix/issues/92
2022-01-06 22:50:56 +01:00
Ryan Mulligan
dfb2e7e591 feature: rename age.sshKeyPaths to age.identityPaths
implements #66
2021-12-05 16:05:06 -08:00
Chuang Zhu
c2f6bd077c allow customizing ageBin 2021-12-06 07:08:18 +08:00
sohalt
ed0d9ef01a update option descriptions 2021-11-24 18:00:28 +01:00
Ryan Mulligan
5ff75b48b4 fix: make non-root secrets accessible again
fixes #69
2021-11-20 12:19:52 -08:00
Cole Helbling
7bb0b5d7f1 modules/age: add option to disable symlinking
There are some cases where it may be better or even required to have the
secret be a file that is not a symlink. Setting

    age.secrets.some-secret.symlink = false;

will disable the default functionality of symlinking secrets and instead
just forcibly move them to their `path`.
2021-11-15 21:39:32 -08:00
Cole Helbling
e538664435 modules/age: /run/secrets -> /run/agenix 2021-11-15 21:39:32 -08:00
Cole Helbling
111754b894 modules/age: remove old secrets generations 2021-11-15 21:39:32 -08:00
Cole Helbling
f816a0d5df modules/age: symlink files into place
This follows sops-nix's implementation, where it creates a
`/run/secrets.d` ramfs mountpoint and a "generation" each time
the activation script runs, and then symlinks `/run/secrets` to
`/run/secrets.d/[generation]`.
2021-11-15 21:39:32 -08:00
Ryan Mulligan
6d9fdcbd70 fix: remove workaround for #54
https://github.com/NixOS/nixpkgs/pull/137508 should remove the need
for this.
2021-09-16 15:39:38 -07:00
Ryan Mulligan
375a33cd97 fix: workaround for #54 2021-09-10 16:30:05 -07:00
Kazutoshi Noguchi
8bad14fe08 run activation scripts after /run mount 2021-07-01 14:13:44 +09:00