pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 22:24:59 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
909 commits 17 branches 1 tag 2.6 MiB
Commit graph

909 commits

This branch
This branch
All branches
Author SHA1 Message Date
Jörg Thalheim
4bc1bfdec2 tests: avoid type shadowing 2024-11-24 15:39:10 +01:00
Jörg Thalheim
14753257fb tests: avoid sprint for simple string concatination 2024-11-24 15:39:10 +01:00
Jörg Thalheim
f57a556af4 apply golangci-lints 2024-11-24 15:39:10 +01:00
Jörg Thalheim
d5e0983eb9 tests: move NOBODY/NOGROUP into a constant 2024-11-24 15:39:10 +01:00
Jörg Thalheim
582b2a8300 remove space before nolint 2024-11-24 15:39:10 +01:00
Jörg Thalheim
4d5d1b7559 fix wsl lints 2024-11-24 15:39:10 +01:00
Jörg Thalheim
975c685308 unittest: set t.Helper() and t.Parallel() 2024-11-24 15:39:10 +01:00
Jörg Thalheim
ae893d14fb hook_test: fix linter errors 2024-11-24 15:39:10 +01:00
Jörg Thalheim
3ba597a5e6 remove sops-pgp-hook 2024-11-24 15:39:10 +01:00
Jörg Thalheim
9190dee408 sops-pgp-hook: set parallel and helper 2024-11-24 15:39:10 +01:00
Jörg Thalheim
15541d542b bump go version to 1.22 2024-11-24 15:39:10 +01:00
Jörg Thalheim
887d4b7322 enable gofumpt 2024-11-24 15:39:10 +01:00
Jörg Thalheim
a33e8cc43f enable shellcheck 2024-11-24 15:39:10 +01:00
Jörg Thalheim
7b60015dd5 reformat with treefmt 2024-11-24 15:39:10 +01:00
Jörg Thalheim
76aa784427 delete duplicate shell.nix 2024-11-24 15:39:10 +01:00
Jörg Thalheim
5d6bbabd23 add treefmt 2024-11-24 15:39:10 +01:00
Mergify
53c853fb1a ci(mergify): upgrade configuration to current format 2024-11-21 11:49:09 +01:00
Jared Baur
e39947d0ee allow for missing switch-to-configuration directory 
NixOS' switch-to-configuration program creates the /run/nixos directory,
which may not be present if `system.switch.enable` is `false`.
 2024-11-18 18:23:53 +00:00
Jörg Thalheim
472741cf3f
fix eval of tests (#674) 2024-11-17 16:51:52 +00:00
Jörg Thalheim
0ec0d5d3c5 remove obsolete sops-pgp-hook alias 2024-11-17 15:33:42 +01:00
Jörg Thalheim
799b572ef1 move checks out of pkgs 2024-11-17 15:33:42 +01:00
Jörg Thalheim
420737291e load devshell from flake 2024-11-17 15:33:42 +01:00
Jörg Thalheim
793c07f331 nix-darwin: fix shellcheck warning of activation script 2024-11-17 14:41:25 +01:00
Jörg Thalheim
1c75c1c13a fix darwin evaluation 2024-11-17 14:41:25 +01:00
Jörg Thalheim
fe6a1bb922 add home-manager and sops-nix to ci 2024-11-17 14:41:25 +01:00
Jörg Thalheim
dfcebb55c8 only export nixos tests on Linux 2024-11-17 13:20:58 +01:00
Jörg Thalheim
5f3869dfd2 update github action to also update private flake 2024-11-17 13:20:58 +01:00
Jörg Thalheim
7769727634 move nixpkgs-stable to private flake inputs 
now with home-manager and nix-darwin tests, we don't want to increase
the number of dependencies a user has to override in their flake.lock.
 2024-11-17 13:20:58 +01:00
Jörg Thalheim
d76a2f002f nix-darwin: remove unused variable 2024-11-17 13:20:58 +01:00
Jörg Thalheim
6b85086bcc reformat code base with nixfmt 2024-11-17 12:22:59 +01:00
Jörg Thalheim
b05bdb2650 nix-darwin: fix evaluation with templates 2024-11-17 11:10:46 +00:00
Jörg Thalheim
a7b8f0feb7 define templates for home-manager 2024-11-17 11:06:56 +00:00
Jeremy Fleischman
eee831aadb Do not render templates when decrypting neededForUsers secrets 
This fixes https://github.com/Mic92/sops-nix/issues/659

In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:

1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.

This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:

1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
   `/run/secrets/rendered`, which is not inside of the
   `/run/secrets-for-users` directory we're dealing with, so we'd
   generate a symlink from `/run/secrets/rendered/<foo>` to
   `/run/secrets-for-users/rendered/<foo>`, which required making
   the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.

Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.

Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not do that here).
 2024-11-17 06:19:41 +00:00
sops-nix-bot
47fc1d8c72
flake.lock: Update (#658) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53?narHash=sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z%2Bw%3D' (2024-10-30)
  → 'github:NixOS/nixpkgs/c69a9bffbecde46b4b939465422ddc59493d3e4d?narHash=sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk%3D' (2024-11-16)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c?narHash=sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY%3D' (2024-11-03)
  → 'github:NixOS/nixpkgs/e8c38b73aeb218e27163376a2d617e61a2ad9b59?narHash=sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g%3D' (2024-11-16)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-11-17 03:30:39 +00:00
Ian
d2bd7f433b Implement darwin module for sops-nix 2024-11-16 09:09:49 +00:00
dependabot[bot]
4c91d52db1
build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#663) 
* build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.28.0 to 0.29.0.
- [Commits](https://github.com/golang/crypto/compare/v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:38:28 +00:00
dependabot[bot]
e4f36d56eb
build(deps): bump github.com/ProtonMail/go-crypto from 1.1.0-beta.0-proton to 1.1.2 (#662) 
* build(deps): bump github.com/ProtonMail/go-crypto

Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.0-beta.0-proton to 1.1.2.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.0-beta.0-proton...v1.1.2)

---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:28:15 +00:00
dependabot[bot]
58f41afcc7
build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0 (#661) 
* build(deps): bump golang.org/x/sys from 0.26.0 to 0.27.0

Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.26.0 to 0.27.0.
- [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update vendorHash

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-11 22:13:55 +00:00
Wael Nasreddine
f1675e3b0e
home-manager: Add support for Split GPG on Qubes OS (#657) 
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
 2024-11-10 05:32:29 +01:00
Jeremy Fleischman
60e1bce199 Add support for restartUnits and reloadUnits for templates 
This fixes https://github.com/Mic92/sops-nix/issues/634
 2024-11-08 06:34:20 +00:00
Jeremy Fleischman
c9f6b151cc fix: create template.path symlink 
This fixes https://github.com/Mic92/sops-nix/issues/653.

Note: `main.go` has been slowly accumulating shared logic between vanilla
"secrets" and "templates". It feels to me like we could DRY up some of
the logic in here by creating some shared "interface" that they both
implement. I opted not to try to tackle that here, though.
 2024-11-08 06:07:13 +00:00
Jeremy Fleischman
fe63071416 Improve activation messages about rendered templates 
This fixes https://github.com/Mic92/sops-nix/issues/652
 2024-11-07 19:49:39 +00:00
Jeremy Fleischman
33f18b404e Rework restart-and-reload to assert more strictly on the activation output 
I've reworked the test to assert on the entire output. This allows us to
detect unexpected output without having to write weird "i expect this
random string to *not* show up assertions", which aren't great at
preventing regressions.

I did have to change the code under test a little bit to make it
behavior deterministically (by sorting the files it outputs).

tl;dr: this demonstrates <https://github.com/Mic92/sops-nix/issues/652>
but does not fix it. I will fix it in a subsequent commit.
 2024-11-07 19:49:39 +00:00
liyangau
c5ae1e214f fix missing lib in mkOption 2024-11-06 09:50:27 +01:00
thomaslepoix
f21c31dadf Emit plain file when key is empty 
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
 2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b rebase, complete implementation 2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211 template refactoring 2024-11-06 04:55:41 +00:00
Sandro Jäckel
59d6988329 Fix module declarations 2024-11-04 18:49:22 +00:00
sops-nix-bot
e9b5eef9b5
flake.lock: Update (#646) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/4e0eec54db79d4d0909f45a88037210ff8eaffee?narHash=sha256-bpb6r3GjzhNW8l%2BmWtRtLNg5PhJIae041sPyqcFNGb4%3D' (2024-10-26)
  → 'github:NixOS/nixpkgs/2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53?narHash=sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z%2Bw%3D' (2024-10-30)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)
  → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c?narHash=sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY%3D' (2024-11-03)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-11-03 03:49:44 +00:00
sops-nix-bot
1666d16426
flake.lock: Update (#644) 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ccc0c2126893dd20963580b6478d1a10a4512185?narHash=sha256-4HQI%2B6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo%3D' (2024-10-18)
  → 'github:NixOS/nixpkgs/4e0eec54db79d4d0909f45a88037210ff8eaffee?narHash=sha256-bpb6r3GjzhNW8l%2BmWtRtLNg5PhJIae041sPyqcFNGb4%3D' (2024-10-26)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22?narHash=sha256-66RHecx%2BzohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4%3D' (2024-10-19)
  → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2024-10-27 03:28:01 +00:00