From f083d6b3dbeb7d4593bf1c746425e79fd1c53983 Mon Sep 17 00:00:00 2001 From: Milan Date: Tue, 29 Dec 2020 22:07:09 +0100 Subject: [PATCH 1/8] README: fix nix-shell command --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f6926a9..f66562c 100644 --- a/README.md +++ b/README.md @@ -123,7 +123,7 @@ First generate yourself [a GPG key](https://docs.github.com/en/github/authentica conversion tool to convert an existing ssh key (we only support RSA keys right now): ``` -$ nix-shell -p ssh-to-pgp +$ nix run -f https://github.com/Mic92/sops-nix/archive/master.tar.gz ssh-to-pgp $ ssh-to-pgp -private-key -i $HOME/.ssh/id_rsa | gpg --import --quiet 2504791468b153b8a3963cc97ba53d1919c5dfd4 # This exports the public key From 97f0f6f5205a207c74b26750c02ab7d9f5f53a10 Mon Sep 17 00:00:00 2001 From: Glenn McDonald <2371316+glenn-m@users.noreply.github.com> Date: Fri, 1 Jan 2021 22:26:39 -0500 Subject: [PATCH 2/8] Fixing secrets path in README --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f66562c..e59a8e5 100644 --- a/README.md +++ b/README.md @@ -336,14 +336,14 @@ If you derived your server public key from ssh, all you need in your configurati ``` On `nixos-rebuild switch` this will make the key accessible -via `/run/secret/example-key`: +via `/run/secrets/example-key`: ```console -$ cat /run/secret/example-key +$ cat /run/secrets/example-key example-value ``` -`/run/secret` is a symlink to `/etc/secret.d/1`: +`/run/secrets` is a symlink to `/etc/secret.d/1`: ```console $ ls -la /run/secrets From 40f42e95b65e8d087ac8d2b2f1e1ecfea8aa73c7 Mon Sep 17 00:00:00 2001 From: Martin Potier Date: Thu, 7 Jan 2021 16:09:26 +0200 Subject: [PATCH 3/8] Keep the original shellHook if it is set --- pkgs/sops-pgp-hook/sops-pgp-hook.bash | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/sops-pgp-hook/sops-pgp-hook.bash b/pkgs/sops-pgp-hook/sops-pgp-hook.bash index ef862a4..104e0dd 100644 --- a/pkgs/sops-pgp-hook/sops-pgp-hook.bash +++ b/pkgs/sops-pgp-hook/sops-pgp-hook.bash @@ -27,4 +27,6 @@ sopsPGPHook() { if [ -z "${shellHook-}" ]; then shellHook=sopsPGPHook +else + shellHook="sopsPGPHook;${shellHook}" fi From 4844ac142e57d0b2a4971bb52ec792e78f791ee3 Mon Sep 17 00:00:00 2001 From: Sandro Date: Mon, 25 Jan 2021 00:13:31 +0100 Subject: [PATCH 4/8] Fix grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e59a8e5..b83f672 100644 --- a/README.md +++ b/README.md @@ -569,7 +569,7 @@ You can include it like this in your `configuration.nix`: ### Binary Unlike the other two formats for binaries one file correspond to one secret. -This format allows to encrypt arbitrary binary format that can be not put into +This format allows to encrypt an arbitrary binary format that can't be put into JSON/YAML files. To encrypt an binary file use the following command: From 3c1b9197b08894d15ca73eeb04caa728ebea39ce Mon Sep 17 00:00:00 2001 From: Eduard Bopp Date: Tue, 26 Jan 2021 13:25:51 +0100 Subject: [PATCH 5/8] Fix basic flake structure This makes at least `nix flake show` work and some of the packages. --- flake.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 3880762..e2f15af 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,9 @@ forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); in { nixosModules.sops = import ./modules/sops; - packages = forAllSystems (system: nixpkgs.legacyPackages.${system}.callPackage ./default.nix {}); + packages = forAllSystems (system: import ./default.nix { + pkgs = import nixpkgs { inherit system; }; + }); defaultPackage = forAllSystems (system: self.packages.${system}.sops-init-gpg-key); }; } From 4a534b8c6490c841e9f98432140a475717e739fa Mon Sep 17 00:00:00 2001 
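Review bot: In the new `else` branch the two hooks are joined with `;`, so the caller's `shellHook` still runs when `sopsPGPHook` returns non-zero, and nothing in the hunk reports that failure. The body of `sopsPGPHook` is outside this hunk, so whether a later hook depends on what it sets up can only be inferred, but the ordering and the ignored exit status look like deliberate choices and should be documented. A comment above the branch would do, for example `# Prepend instead of overwriting so a shellHook set by the caller still runs; a failing sopsPGPHook does not stop it.`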
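Review bot: The new `packages` definition re-imports nixpkgs with `import nixpkgs { inherit system; }` for every system, although the flake already exposes that package set as `nixpkgs.legacyPackages.${system}`, which the removed line used. Passing it directly, as in `pkgs = nixpkgs.legacyPackages.${system};`, should give the same set without a second evaluation. It also avoids a separate nixpkgs instance whose `config` and `overlays` are left implicit. Separately, `packages` now carries every attribute `./default.nix` returns, so a short comment saying which of them are expected to build, as the commit message hints, would help the next reader.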
From: Emmanouil Kampitakis Date: Tue, 26 Jan 2021 13:58:19 +0100 Subject: [PATCH 6/8] Fix minor typo in readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b83f672..4e806c2 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Choose one of the following methods: $ niv add Mic92/sops-nix ``` - Than add the following to your configuration.nix in the `imports` list: + Then add the following to your configuration.nix in the `imports` list: ```nix { @@ -58,7 +58,7 @@ $ nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops $ nix-channel --update ``` - Than add the following to your configuration.nix in the `imports` list: + Then add the following to your configuration.nix in the `imports` list: ```nix { From 0be44e088b464d3f23e4d25ed3a5b5376cdd5001 Mon Sep 17 00:00:00 2001 From: Eduard Bopp Date: Tue, 26 Jan 2021 14:20:27 +0100 Subject: [PATCH 7/8] Fix impurity in test invocation The system must be specified, as its default is `builtins.currentSystem`, which is disallowed as an impure function during flake evaluation. --- pkgs/sops-install-secrets/nixos-test.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix index 73147fe..ed3fbce 100644 --- a/pkgs/sops-install-secrets/nixos-test.nix +++ b/pkgs/sops-install-secrets/nixos-test.nix @@ -20,6 +20,7 @@ ''; } { inherit pkgs; + inherit (pkgs) system; }; pgp-keys = makeTest { @@ -73,5 +74,6 @@ ''; } { inherit pkgs; + inherit (pkgs) system; }; } From 5ad42ebfb3a26997aa5741e87df607baa39336b8 Mon Sep 17 00:00:00 2001 From: Eduard Bopp Date: Tue, 26 Jan 2021 13:26:28 +0100 Subject: [PATCH 8/8] Add flake-based GitHub Actions workflow --- .github/workflows/test-flakes.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/test-flakes.yml 
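Review bot: Both hunks in `nixos-test.nix` add `inherit (pkgs) system;` with no comment explaining why the argument is needed. The reason is only in the commit message, so a one-line comment at the first occurrence would keep it from being removed as redundant, e.g. `# system must be explicit: the default is builtins.currentSystem, which is impure under flakes`. `pkgs.system` is a legacy top-level alias, and `system = pkgs.stdenv.hostPlatform.system;` states the same value more explicitly. The enclosing `makeTest` calls start outside both hunks.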
diff --git a/.github/workflows/test-flakes.yml b/.github/workflows/test-flakes.yml
new file mode 100644
index 0000000..faf1157
--- /dev/null
+++ b/.github/workflows/test-flakes.yml
@@ -0,0 +1,31 @@
+name: "Flake test"
+on:
+ pull_request:
+ schedule:
+ - cron: '51 2 * * *'
+jobs:
+ tests:
+ strategy:
+ matrix:
+ os: [ ubuntu-latest, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ # Nix Flakes doesn't work on shallow clones
+ fetch-depth: 0
+ - uses: cachix/install-nix-action@v12
+ with:
+ install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20201221_9fab14a/install
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+ system-features = nixos-test benchmark big-parallel kvm
+ - name: Setup cachix
+ uses: cachix/cachix-action@v8
+ with:
+ name: mic92
+ signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+ - name: List flake structure
+ run: nix flake show
+ - name: Run unit tests (flake)
+ run: nix build --no-link .#unit-tests -L
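Review bot: The `Setup cachix` step passes `secrets.CACHIX_SIGNING_KEY` into the same job that builds pull-request code, so code from a same-repository branch is built while the cache signing key is configured. GitHub withholds secrets from fork pull requests by default, which limits the exposure to those branches and the scheduled run. Consider supplying the key only when `github.event_name != 'pull_request'` and leaving pull-request builds with a read-only cache. The three actions are referenced by mutable tags (`@v2`, `@v12`, `@v8`); pinning each to a full commit SHA, as in `uses: cachix/cachix-action@<full-commit-sha> # v8`, keeps a retagged release from running with that key. The `install_url` installer comes from a third-party release and no integrity check is visible in this hunk, so a comment should record why that source is trusted.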