From 7f38c981624c7c47b70beec797693b410c5ca2f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?=
Date: Fri, 8 Jul 2022 23:45:38 +0200
Subject: [PATCH] More review fixups
---
 README.md | 6 +++---
 modules/home-manager/sops.nix | 6 ++----
 pkgs/sops-install-secrets/main.go | 2 +-
 3 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 61bef4a..f9f8242 100644
--- a/README.md
+++ b/README.md
@@ -741,7 +741,7 @@ This module provides a subset of features provided by the system-wide sops-nix s
 Instead of running as an activation script, sops-nix runs as a systemd user service called `sops-nix.service`. And instead of decrypting to `/run/secrets`, the secrets are decrypted to `$XDG_RUNTIME_DIR/secrets`.
-**Since the secrets are decryted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` if your distribution does not do that.**
+**Since the secrets are decrypted there, it's highly recommended to use a tmpfs for `$XDG_RUNTIME_DIR` to avoid storing secrets in plain text on persistent storage. Linux distributions using systemd-logind do that out-of-the-box.**
 Depending on whether you use home-manager system-wide or using a home.nix, you have to import it in a different way. This example show the `channel` approach from the usage example above for simplicity, but all other methods work as well.
@@ -768,11 +768,11 @@ The actual sops configuration is in the `sops` namespace in your home.nix (or in
 ```nix
 {
 sops = {
-age.keyFile = "/home/user/.age-key.txt" ]; # must have no password!
+age.keyFile = "/home/user/.age-key.txt"; # must have no password!
 # It's alos possible to use a ssh key, but only when it has no password:
 #age.sshKeyPaths = [ "/home/user/path-to-ssh-key" ];
 sops.secrets.test = {
-sopsFile = ./secrets.yml.enc;
+# sopsFile = ./secrets.yml.enc; # optionally define per-secret files
 path = "%r/test.txt"; # %r gets replaced with your $XDG_RUNTIME_DIR, use %% to specify a '%' sign
 };
 };
diff --git a/modules/home-manager/sops.nix b/modules/home-manager/sops.nix
index fcd7225..c6df9f3 100644
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@@ -147,7 +147,7 @@ in {
 keyFile = lib.mkOption {
 type = lib.types.nullOr lib.types.path;
 default = null;
-example = "/var/lib/sops-nix/key.txt";
+example = "/home/someuser/.age-key.txt";
 description = ''
 Path to age key file used for sops decryption.
 '';
@@ -166,7 +166,6 @@ in {
 sshKeyPaths = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = [];
-defaultText = lib.literalDocBook "The ed25519 keys from ";
 description = ''
 Paths to ssh keys added as age keys during sops description.
 '';
@@ -177,7 +176,7 @@ in {
 home = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
 default = null;
-example = "/root/.gnupg";
+example = "/home/someuser/.gnupg";
 description = ''
 Path to gnupg database directory containing the key for decrypting the sops file.
 '';
@@ -186,7 +185,6 @@ in {
 sshKeyPaths = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = [];
-defaultText = lib.literalDocBook "The rsa keys from ";
 description = ''
 Path to ssh keys added as GPG keys during sops description.
 This option must be explicitly unset if config.sops.gnupg.sshKeyPaths is set.
diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 2e0917e..aac9f65 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -933,7 +933,7 @@ func installSecrets(args []string) error {
 if manifest.UserMode {
 rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
-if !ok {
+if opts.checkMode == Off && !ok {
 return fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
 }
 manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
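Review bot: With `checkMode` set to anything but `Off` and `XDG_RUNTIME_DIR` unset, the new condition falls through with `rundir == ""`, so the `replaceRuntimeDir` call at the end of the hunk expands every `%r` to the empty string and `manifest.SecretsMountPoint` becomes a root-relative path such as `/secrets`; I cannot see from here whether check mode later stats or creates that path, but validating against a location that can never be the real runtime dir is fragile. The check also accepts a variable that is set but empty, since `os.LookupEnv` returns `ok == true` in that case, which produces the same bogus paths even outside check mode. I would reject empty and unset alike, and in check mode substitute an explicit placeholder instead of silently using `""`, as sketched below; dropping the trailing `!` from the error string would also match Go's convention of unpunctuated error messages. `installSecrets` starts and ends outside the hunk.
```go
		rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
		if !ok || rundir == "" {
			if opts.checkMode == Off {
				return fmt.Errorf("$XDG_RUNTIME_DIR is not set")
			}
			// Check mode has no real runtime dir to resolve against; use an
			// obviously fake, absolute placeholder rather than expanding %r to "".
			rundir = "/nonexistent/xdg-runtime-dir"
		}
		// … unchanged: replaceRuntimeDir call …
```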