Commit graph

1119 commits

Author SHA1 Message Date
Ryota
31f9f6cdb4
feat(nixos): add YubiKey/FIDO2 age plugin support options
Add new options under sops.age for hardware key plugin support:

- activationScriptDeps: custom activation script dependencies
- systemdDeps: custom systemd unit dependencies
- requirePcscd: convenience option that auto-configures pcscd

When requirePcscd is enabled:
- Adds pcscd.socket as systemd dependency (systemd activation mode)
- Creates setupPcscdForSops activation script (traditional mode)
- Validates that services.pcscd.enable is set

This addresses GitHub issue #377 for YubiKey-hosted age keys.
2026-01-17 02:14:42 +00:00
Jörg Thalheim
e085e303df
Merge pull request #895 from Mic92/SuperSandro2000-patch-2
Update key option description
2026-01-15 13:48:11 +01:00
Sandro
5abd6a4f04
Update key option description 2026-01-15 13:36:35 +01:00
github-actions[bot]
691b8b6713
Merge pull request #894 from Mic92/dependabot/go_modules/gopkg.in/ini.v1-1.67.1
Bump gopkg.in/ini.v1 from 1.67.0 to 1.67.1
2026-01-13 02:35:04 +00:00
dependabot[bot]
241456f395 update vendorHash 2026-01-13 02:29:36 +00:00
dependabot[bot]
48cd0a425d
Bump gopkg.in/ini.v1 from 1.67.0 to 1.67.1
Bumps gopkg.in/ini.v1 from 1.67.0 to 1.67.1.

---
updated-dependencies:
- dependency-name: gopkg.in/ini.v1
  dependency-version: 1.67.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-01-13 02:28:21 +00:00
github-actions[bot]
94f9cbd20f
Merge pull request #889 from Mic92/create-pull-request/patch
Update flakes
2026-01-11 04:07:51 +00:00
Mic92
452dcb736a [create-pull-request] automated change 2026-01-11 04:04:44 +00:00
Jörg Thalheim
a8cfe238b9
Merge pull request #781 from NovaViper/age-plugin
feat: add age plugin support, take 2
2026-01-10 09:06:29 +01:00
NovaViper
899e202643 feat: add age plugin and fido2 hmac support
Co-authored-by: brianmcgee <brian@41north.dev>
2026-01-10 09:04:48 +01:00
Jörg Thalheim
d7593b87b0
Merge pull request #888 from Mic92/FabrizioRomanoGenovese-master
gnupg: add package option to allow custom gnupg versions
2026-01-10 08:53:55 +01:00
Jörg Thalheim
45115f12ae add cache.thalheim.io in ci 2026-01-10 08:53:08 +01:00
Jörg Thalheim
0809aa0ae7 unit-test: convert to shell app
I saw the exit status in ci was actually ignored.
2026-01-10 08:53:08 +01:00
Fabrizio Romano Genovese
39c667d73c gnupg: add package option to allow custom gnupg versions
Add sops.gnupg.package option to NixOS, home-manager, and nix-darwin
modules, allowing users to specify a custom gnupg package instead of
the default pkgs.gnupg.

This enables use of bleeding-edge GPG versions with post-quantum
encryption algorithms like Kyber, addressing "store now, decrypt
later" threat models.
2026-01-10 08:53:08 +01:00
Jörg Thalheim
57e2d9ef84
Merge pull request #882 from nazarewk/push-qqvmsowmnqtx
sops-install-secrets: create /run/secrets link before chowning it
2026-01-10 08:40:03 +01:00
Krzysztof Nazarewski
2dd505705c sops-install-secrets: create /run/secrets link before chowning it
fixes https://github.com/Mic92/sops-nix/issues/881
2026-01-10 08:34:57 +01:00
Jörg Thalheim
ea3adcb6d2
Merge pull request #886 from Mic92/SuperSandro2000-patch-2
Remove plain annoying toolchain directive
2026-01-07 22:54:51 +00:00
Sandro
cadaac2e78
Remove plain annoying toolchain directive 2026-01-07 23:35:01 +01:00
github-actions[bot]
ecc4150594
Merge pull request #884 from Mic92/create-pull-request/patch
Update flakes
2026-01-04 04:10:57 +00:00
Mic92
ba5820559b [create-pull-request] automated change 2026-01-04 04:05:17 +00:00
github-actions[bot]
61b39c7b65
Merge pull request #880 from Mic92/create-pull-request/patch
Update flakes
2025-12-28 04:08:25 +00:00
Mic92
cce6d82405 [create-pull-request] automated change 2025-12-28 04:01:59 +00:00
github-actions[bot]
9836912e37
Merge pull request #878 from Mic92/create-pull-request/patch
Update flakes
2025-12-21 03:59:35 +00:00
Mic92
1a65e3368e [create-pull-request] automated change 2025-12-21 03:52:39 +00:00
github-actions[bot]
443a7f2e7e
Merge pull request #875 from Mic92/dependabot/github_actions/peter-evans/create-pull-request-8
Bump peter-evans/create-pull-request from 7 to 8
2025-12-15 22:02:53 +00:00
dependabot[bot]
e5eee58ef0
Bump peter-evans/create-pull-request from 7 to 8
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 7 to 8.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](https://github.com/peter-evans/create-pull-request/compare/v7...v8)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-version: '8'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-15 22:00:55 +00:00
github-actions[bot]
94d8af61d8
Merge pull request #873 from Mic92/create-pull-request/patch
Update flakes
2025-12-14 04:00:37 +00:00
Mic92
a46c7caf5f [create-pull-request] automated change 2025-12-14 03:52:04 +00:00
Jörg Thalheim
496a6f625f
Merge pull request #866 from gumball76/master
README: fix Home Manager Systemd unit configuration
2025-12-12 16:27:06 +01:00
gumball76
207df45fb4 README: fix Home Manager Systemd unit configuration
Since Home Manager relies on the naming scheme used by Systemd, the
current way to set a dependent service defined in the README fails as
Systemd doesn't support it.
2025-12-12 16:23:57 +01:00
Jörg Thalheim
5745e46834
Merge pull request #871 from Ma27/fix-systemd-service-ordering
modules/sops: re-run sops-install-secrets.service at sysinit-reactivation.target
2025-12-12 16:23:38 +01:00
Maximilian Bosch
645fa1c3ef
modules/sops: re-run sops-install-secrets.service at sysinit-reactivation.target
Consider the following case: a service (`gitlab-runner.service` in this case) gets
a new secret that is installed via sops and will be reloaded on a switch. Right
now this would fail like this:

    machine | updating GRUB 2 menu...
    machine | stopping the following units: sops-install-secrets.service
    machine | activating the configuration...
    machine | setting up /etc...
    [...]
    machine | restarting sysinit-reactivation.target
    machine | reloading the following units: dbus-broker.service, gitlab-runner.service
    machine | restarting the following units: polkit.service
    machine | starting the following units: sops-install-secrets.service

Here, the reload happens _before_ running `sops-install-secrets.service`
which means that the newly added secret doesn't exist yet and thus the
reload fails.

This change makes sure the service is started when running
`sysinit-reactivation.target`, i.e. before stc-ng reloads other
services. This is what sysusers already does, so the objective of
running after sysusers is still met.

Also, added an `After=userborn.service` to make sure it's also ordered
after userborn if necessary.

Thank you WilliButz for reminding me that `sysinit-reactivation.target`
exists and is most likely the culprit of that!
2025-12-11 11:56:01 +01:00
github-actions[bot]
7fd1416aba
Merge pull request #870 from Mic92/dependabot/go_modules/golang.org/x/crypto-0.46.0
Bump golang.org/x/crypto from 0.45.0 to 0.46.0
2025-12-08 22:08:38 +00:00
dependabot[bot]
215ba65333 update vendorHash 2025-12-08 22:02:51 +00:00
dependabot[bot]
0c1d819913
Bump golang.org/x/crypto from 0.45.0 to 0.46.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.45.0 to 0.46.0.
- [Commits](https://github.com/golang/crypto/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-08 22:01:27 +00:00
github-actions[bot]
aeb5172621
Merge pull request #869 from Mic92/create-pull-request/patch
Update flakes
2025-12-07 03:57:10 +00:00
Mic92
5abc56e28c [create-pull-request] automated change 2025-12-07 03:49:27 +00:00
github-actions[bot]
5aca6ff672
Merge pull request #867 from Mic92/create-pull-request/patch
Update flakes
2025-11-30 06:15:58 +00:00
Mic92
5e729c1f22 [create-pull-request] automated change 2025-11-30 03:49:33 +00:00
github-actions[bot]
c482a1c1bb
Merge pull request #865 from Mic92/dependabot/github_actions/actions/checkout-6
Bump actions/checkout from 5 to 6
2025-11-24 22:06:03 +00:00
dependabot[bot]
5d99ef8f0b
Bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-24 22:04:02 +00:00
github-actions[bot]
4e7d74d923
Merge pull request #863 from Mic92/create-pull-request/patch
Update flakes
2025-11-23 03:53:32 +00:00
Mic92
fc2dbd1ba5 [create-pull-request] automated change 2025-11-23 03:49:23 +00:00
github-actions[bot]
877bb495a6
Merge pull request #862 from Mic92/dependabot/go_modules/golang.org/x/crypto-0.45.0
Bump golang.org/x/crypto from 0.44.0 to 0.45.0
2025-11-20 03:05:16 +00:00
dependabot[bot]
3a26cd7f45 update vendorHash 2025-11-20 02:59:53 +00:00
dependabot[bot]
053a520422
Bump golang.org/x/crypto from 0.44.0 to 0.45.0
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.44.0 to 0.45.0.
- [Commits](https://github.com/golang/crypto/compare/v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-11-20 02:58:37 +00:00
Sandro
3ee33c0ed7
Merge pull request #861 from me-and/sops-ssh-to-age
sops-ssh-to-age: remove broken ref in overlay
2025-11-19 00:41:50 +01:00
Adam Dinwoodie
ee1132add7 sops-ssh-to-age: remove broken ref in overlay
The overlay provided by the flake in this repository references
`sops-ssh-to-age`, but that hasn't existed since it was renamed in
6c916c1 (Add a converter from private ssh keys to age, 2021-08-28) then
removed in f636296 (Switch the libs to now external ones, 2021-09-01).
2025-11-18 10:03:14 +00:00
github-actions[bot]
3f66a7fb96
Merge pull request #860 from Mic92/dependabot/go_modules/golang.org/x/crypto-0.44.0
Bump golang.org/x/crypto from 0.43.0 to 0.44.0
2025-11-17 22:09:08 +00:00
dependabot[bot]
a6515c5864 update vendorHash 2025-11-17 22:04:03 +00:00