diff --git a/.github/workflows/test-flakes.yml b/.github/workflows/test-flakes.yml
new file mode 100644
index 0000000..faf1157
--- /dev/null
+++ b/.github/workflows/test-flakes.yml
@@ -0,0 +1,31 @@
+name: "Flake test"
+on:
+ pull_request:
+ schedule:
+ - cron: '51 2 * * *'
+jobs:
+ tests:
+ strategy:
+ matrix:
+ os: [ ubuntu-latest, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ # Nix Flakes doesn't work on shallow clones
+ fetch-depth: 0
+ - uses: cachix/install-nix-action@v12
+ with:
+ install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20201221_9fab14a/install
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+ system-features = nixos-test benchmark big-parallel kvm
+ - name: Setup cachix
+ uses: cachix/cachix-action@v8
+ with:
+ name: mic92
+ signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+ - name: List flake structure
+ run: nix flake show
+ - name: Run unit tests (flake)
+ run: nix build --no-link .#unit-tests -L
diff --git a/README.md b/README.md
index f6926a9..4e806c2 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ Choose one of the following methods: $ niv add Mic92/sops-nix ``` - Than add the following to your configuration.nix in the `imports` list: + Then add the following to your configuration.nix in the `imports` list: ```nix {
@@ -58,7 +58,7 @@ $ nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops $ nix-channel --update ``` - Than add the following to your configuration.nix in the `imports` list: + Then add the following to your configuration.nix in the `imports` list: ```nix {
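Review bot: The `Setup cachix` step hands `secrets.CACHIX_SIGNING_KEY` to a job that `on: pull_request` runs for every PR, so a same-repo branch PR that edits `flake.nix` or `default.nix` can have its build output signed and pushed to the public `mic92` cache before anyone has reviewed it (GitHub withholds secrets from fork PRs, but not from branch PRs). Gating the key on the trigger, e.g. `signingKey: ${{ github.event_name != 'pull_request' && secrets.CACHIX_SIGNING_KEY || '' }}`, keeps the cache configured as a substituter for PR runs without giving them a key to publish with. The three actions are pinned by mutable tags (`actions/checkout@v2`, `cachix/install-nix-action@v12`, `cachix/cachix-action@v8`); pinning each to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that holds a signing key. The `install_url` also fetches a pre-release installer from a third-party release asset with no checksum, which deserves a comment such as `# temporary pin until a flakes-capable Nix release is available` so the pin is revisited rather than forgotten.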
@@ -123,7 +123,7 @@ First generate yourself [a GPG key](https://docs.github.com/en/github/authentica conversion tool to convert an existing ssh key (we only support RSA keys right now): ``` -$ nix-shell -p ssh-to-pgp +$ nix run -f https://github.com/Mic92/sops-nix/archive/master.tar.gz ssh-to-pgp $ ssh-to-pgp -private-key -i $HOME/.ssh/id_rsa | gpg --import --quiet 2504791468b153b8a3963cc97ba53d1919c5dfd4 # This exports the public key
@@ -336,14 +336,14 @@ If you derived your server public key from ssh, all you need in your configurati ``` On `nixos-rebuild switch` this will make the key accessible -via `/run/secret/example-key`: +via `/run/secrets/example-key`: ```console -$ cat /run/secret/example-key +$ cat /run/secrets/example-key example-value ``` -`/run/secret` is a symlink to `/etc/secret.d/1`: +`/run/secrets` is a symlink to `/etc/secret.d/1`: ```console $ ls -la /run/secrets
@@ -569,7 +569,7 @@ You can include it like this in your `configuration.nix`: ### Binary Unlike the other two formats for binaries one file correspond to one secret. -This format allows to encrypt arbitrary binary format that can be not put into +This format allows to encrypt an arbitrary binary format that can't be put into JSON/YAML files. To encrypt an binary file use the following command:
diff --git a/flake.nix b/flake.nix
index 3880762..e2f15af 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,9 @@
 forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
 in {
 nixosModules.sops = import ./modules/sops;
- packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {});
+ packages = forAllSystems (system: import ./default.nix {
+ pkgs = import nixpkgs { inherit system; };
+ });
 defaultPackage = forAllSystems (system: self.packages.${system}.sops-init-gpg-key);
 };
 }
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index 73147fe..ed3fbce 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
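Review bot: `pkgs = import nixpkgs { inherit system; };` instantiates a second copy of nixpkgs for every system on each evaluation, whereas the replaced line reused `nixpkgs.legacyPackages.${system}`, which the flake input already provides and which is the conventional way to obtain `pkgs` inside a flake. Unless `default.nix` needs something a fresh import supplies that `legacyPackages` does not (nothing in the hunk shows such a need), `pkgs = nixpkgs.legacyPackages.${system};` keeps the new `import ./default.nix { pkgs = …; }` shape while avoiding the extra evaluation. If the re-import is deliberate, a one-line comment stating the reason would stop the next reader from reverting it.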
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -20,6 +20,7 @@ ''; } { inherit pkgs; + inherit (pkgs) system; }; pgp-keys = makeTest {
@@ -73,5 +74,6 @@
 '';
 } {
 inherit pkgs;
+ inherit (pkgs) system;
 };
 }
diff --git a/pkgs/sops-pgp-hook/sops-pgp-hook.bash b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
index ef862a4..104e0dd 100644
--- a/pkgs/sops-pgp-hook/sops-pgp-hook.bash
+++ b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
@@ -27,4 +27,6 @@ sopsPGPHook() { if [ -z "${shellHook-}" ]; then shellHook=sopsPGPHook +else + shellHook="sopsPGPHook;${shellHook}" fi
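Review bot: The new `else` branch prepends `sopsPGPHook;` to a pre-existing `shellHook` without recording why the hook has to run before the user's own hook rather than after it, and the ordering is the only non-obvious decision in the hunk. A comment above the `else`, such as `# Run our hook first so whatever state sopsPGPHook prepares is in place before the user's shellHook runs`, would capture the intent — hedged, because `sopsPGPHook`'s body is defined outside this hunk and the dependency is inferred from the ordering alone. Joining with `;` (rather than a newline) is fine even when the existing hook begins with a `#` comment, since `;` ends the word, but a user hook that assumed it was the first thing executed in the shell will now run after `sopsPGPHook`'s side effects. The surrounding `if`/`else` sits after the `sopsPGPHook()` definition; the function itself is outside the hunk.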