Merge pull request #888 from Mic92/FabrizioRomanoGenovese-master

gnupg: add package option to allow custom gnupg versions
2026-01-13 18:17:54 +08:00 · 2026-01-10 08:53:55 +01:00 · 2026-01-10 08:53:55 +01:00 · d7593b87b0
commit d7593b87b0
parent 57e2d9ef84 45115f12ae
6 changed files with 52 additions and 29 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -12,7 +12,11 @@ jobs:
    steps:
    - uses: actions/checkout@v6
    - uses: cachix/install-nix-action@v31
+      with:
+        extra_nix_config: |
+          extra-substituters = https://cache.thalheim.io
+          extra-trusted-public-keys = cache.thalheim.io-1:R7msbosLEZKrxk/lKxf9BTjOOH7Ax3H0Qj0/6wiHOgc=
    - name: Add keys group (needed for go tests)
      run: sudo groupadd keys
    - name: Run unit tests
-      run: nix develop .#unit-tests --command "true"
+      run: nix run .#unit-tests
--- a/flake.nix
+++ b/flake.nix
@ -147,13 +147,16 @@
                nix --extra-experimental-features "nix-command flakes" hash path ./dev/private | tr -d '\n' > ./dev/private.narHash
              ''}";
            };
+            unit-tests = {
+              type = "app";
+              program = "${pkgs.callPackage ./pkgs/unit-tests.nix { }}/bin/unit-tests";
+            };
          }
        );

        devShells = eachSystem (
          { pkgs, ... }:
          {
-            unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
            default = pkgs.callPackage ./shell.nix { };
          }
        );
--- a/modules/home-manager/sops.nix
+++ b/modules/home-manager/sops.nix
@ -269,6 +269,15 @@ in
    };

    gnupg = {
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
      home = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
@ -341,7 +350,7 @@ in
    sops.environment = {
      SOPS_GPG_EXEC = lib.mkMerge [
        (lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-          lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+          lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
        ))
        (lib.mkIf cfg.gnupg.qubes-split-gpg.enable (
          lib.mkDefault config.home.sessionVariables.SOPS_GPG_EXEC
--- a/modules/nix-darwin/default.nix
+++ b/modules/nix-darwin/default.nix
@ -320,6 +320,15 @@ in
        '';
      };

+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
      sshKeyPaths = lib.mkOption {
        type = lib.types.listOf lib.types.path;
        default = defaultImportKeys "rsa";
@ -384,7 +393,7 @@ in

    {
      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-        lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
      );
    }
  ];
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -381,6 +381,16 @@ in
          This option must be explicitly unset if <literal>config.sops.gnupg.home</literal> is set.
        '';
      };
+
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.gnupg;
+        defaultText = lib.literalExpression "pkgs.gnupg";
+        description = ''
+          The gnupg package to use for sops operations.
+        '';
+      };
+
    };
  };
  imports = [
@ -442,7 +452,7 @@ in
        );

      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
-        lib.mkDefault "${pkgs.gnupg}/bin/gpg"
+        lib.mkDefault "${cfg.gnupg.package}/bin/gpg"
      );

      # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
--- a/pkgs/unit-tests.nix
+++ b/pkgs/unit-tests.nix
@ -4,30 +4,18 @@
 let
  sopsPkgs = import ../. { inherit pkgs; };
 in
-pkgs.stdenv.mkDerivation {
-  name = "env";
-  nativeBuildInputs =
-    with pkgs;
-    [
-      bashInteractive
-      gnupg
-      util-linux
-      nix
-      sopsPkgs.sops-pgp-hook-test
-    ]
-    ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
-  # allow to prefetch shell dependencies in build phase
-  dontUnpack = true;
-  installPhase = ''
-    echo $nativeBuildInputs > $out
-  '';
-  shellHook = ''
-    set -x
-    NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
-      sops-pgp-hook.test
-    ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
-      sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
-        unshare --mount --fork sops-install-secrets.test
+pkgs.writeShellApplication {
+  name = "unit-tests";
+  runtimeInputs = [
+    pkgs.gnupg
+    pkgs.nix
+  ] ++ pkgs.lib.optionals pkgs.stdenv.isLinux [
+    pkgs.util-linux
+  ];
+  text = ''
+    NIX_PATH=nixpkgs=${pkgs.path} TEST_ASSETS="$PWD/pkgs/sops-pgp-hook/test-assets" ${sopsPkgs.sops-pgp-hook-test}/bin/sops-pgp-hook.test -test.v
+    ${pkgs.lib.optionalString pkgs.stdenv.isLinux ''
+      sudo TEST_ASSETS="$PWD/pkgs/sops-install-secrets/test-assets" unshare --mount --fork ${sopsPkgs.sops-install-secrets.unittest}/bin/sops-install-secrets.test -test.v
    ''}
  '';
 }