From c5e0f55d8d4270cde86fdbd0a5a3d33927c75e73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 30 Sep 2021 21:08:38 +0200
Subject: [PATCH 1/2] nixos-tests: fix identations
---
pkgs/sops-install-secrets/nixos-test.nix | 58 ++++++++++++------------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index 7e801eb..2e9a95d 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -1,43 +1,43 @@
{ makeTest ? import , pkgs ? import }: { ssh-keys = makeTest {
- name = "sops-ssh-keys";
- nodes.server = { ... }: {
- imports = [ ../../modules/sops ];
- services.openssh.enable = true;
- services.openssh.hostKeys = [{
- type = "rsa";
- bits = 4096;
- path = ./test-assets/ssh-key;
- }];
- sops.defaultSopsFile = ./test-assets/secrets.yaml;
- sops.secrets.test_key = {};
- };
+ name = "sops-ssh-keys";
+ nodes.server = { ... }: {
+ imports = [ ../../modules/sops ];
+ services.openssh.enable = true;
+ services.openssh.hostKeys = [{
+ type = "rsa";
+ bits = 4096;
+ path = ./test-assets/ssh-key;
+ }];
+ sops.defaultSopsFile = ./test-assets/secrets.yaml;
+ sops.secrets.test_key = {};
+ };
- testScript = ''
- start_all()
- server.succeed("cat /run/secrets/test_key | grep -q test_value")
- '';
+ testScript = ''
+ start_all()
+ server.succeed("cat /run/secrets/test_key | grep -q test_value")
+ '';
} { inherit pkgs; inherit (pkgs) system; }; age-keys = makeTest {
- name = "sops-age-keys";
- machine = {
- imports = [ ../../modules/sops ];
- sops = {
- age.keyFile = ./test-assets/age-keys.txt;
- defaultSopsFile = ./test-assets/secrets.yaml;
- secrets.test_key = {};
- };
- };
+ name = "sops-age-keys";
+ machine = {
+ imports = [ ../../modules/sops ];
+ sops = {
+ age.keyFile = ./test-assets/age-keys.txt;
+ defaultSopsFile = ./test-assets/secrets.yaml;
+ secrets.test_key = {};
+ };
+ };
- testScript = ''
- start_all()
- machine.succeed("cat /run/secrets/test_key | grep -q test_value")
- '';
+ testScript = ''
+ start_all()
+ machine.succeed("cat /run/secrets/test_key | grep -q test_value")
+ '';
} { inherit pkgs; inherit (pkgs) system;
From e0e57da4973a37b946ddeb5f6dcbf7f06f56e0e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 30 Sep 2021 06:59:08 +0200
Subject: [PATCH 2/2] fix documentation and assertions for age.keyFile
---
modules/sops/default.nix | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index eabc1ec..727813b 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -190,8 +190,11 @@ in {
]; config = mkIf (cfg.secrets != {}) { assertions = [{
- assertion = (cfg.age.keyFile == null && cfg.age.sshKeyPaths == []) -> (cfg.gnupg.home == null) != (cfg.gnupg.sshKeyPaths == []);
- message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set for gnupg mode";
+ assertion = cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [] || cfg.age.keyFile != null || cfg.age.sshKeyPaths != [];
+ message = "No key source configurated for sops";
+ } {
+ assertion = !(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != []);
+ message = "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set";
}] ++ optionals cfg.validateSopsFiles ( concatLists (mapAttrsToList (name: secret: [{ assertion = builtins.pathExists secret.sopsFile;
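Review bot: The message on the second added assertion no longer matches its predicate: `!(cfg.gnupg.home != null && cfg.gnupg.sshKeyPaths != [])` only forbids setting both options, while the text still says `Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set`, which is wrong for the age-only configuration the first assertion now explicitly accepts. Suggest `message = "sops.gnupg.home and sops.gnupg.sshKeyPaths are mutually exclusive";`, and fix the typo in the first message, `message = "No key source configured for sops";`. Neither assertion rejects a gnupg source combined with an age source (for example gnupg.home together with age.keyFile); if that combination is meant to work, a one-line comment above the assertion list stating which source is used would spare the next reader from re-deriving it, otherwise a third assertion is missing. The diffstat lists only this file with 5 insertions and 2 deletions, so the documentation change named in the subject does not appear in this patch.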