0x5a4
4c1251904d
fix import keys hook using unbound variable
2025-01-31 09:52:54 +07:00
dependabot[bot]
015d461c16
update vendorHash
2025-01-20 22:18:28 +00:00
dependabot[bot]
1bf611bd66
build(deps): bump github.com/ProtonMail/go-crypto from 1.1.4 to 1.1.5
...
Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.4 to 1.1.5.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.4...v1.1.5)
---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-20 22:18:28 +00:00
Nicolas Dumazet
4c4fb93f18
docs: expand a bit on user secrets + impermanence.
...
See also the discussion at https://github.com/Mic92/sops-nix/issues/149
2025-01-17 10:51:20 +01:00
dependabot[bot]
553c7cb22f
update vendorHash
2025-01-13 22:47:10 +00:00
dependabot[bot]
de557bfdac
build(deps): bump golang.org/x/crypto from 0.31.0 to 0.32.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.31.0 to 0.32.0.
- [Commits](https://github.com/golang/crypto/compare/v0.31.0...v0.32.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-13 22:47:10 +00:00
dependabot[bot]
26632980bf
update vendorHash
2025-01-13 22:37:03 +00:00
dependabot[bot]
830847a4ad
build(deps): bump golang.org/x/net from 0.26.0 to 0.33.0
...
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.26.0 to 0.33.0.
- [Commits](https://github.com/golang/net/compare/v0.26.0...v0.33.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-13 22:37:03 +00:00
dependabot[bot]
644dc90f82
update vendorHash
2025-01-13 22:26:33 +00:00
dependabot[bot]
7ac4c301af
build(deps): bump github.com/ProtonMail/go-crypto from 1.1.3 to 1.1.4
...
Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.3 to 1.1.4.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.3...v1.1.4)
---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-13 22:26:33 +00:00
Lin Yinfeng
0f4744b5a9
Fix fast path in atomicSymlink
2025-01-13 15:10:42 +01:00
Jörg Thalheim
f214c1b76c
handle /run/secrets more gracefully if it's a directory
2025-01-10 14:28:45 +01:00
Jörg Thalheim
74b9fe5d7f
test 24.11
2025-01-10 14:28:45 +01:00
dependabot[bot]
c9c88f08e3
update vendorHash
2025-01-06 22:49:01 +00:00
dependabot[bot]
e8bab8a3bc
build(deps): bump golang.org/x/sys from 0.28.0 to 0.29.0
...
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.28.0 to 0.29.0.
- [Commits](https://github.com/golang/sys/compare/v0.28.0...v0.29.0)
---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2025-01-06 22:49:01 +00:00
zowoq
5dc08f9cc7
modules/nix-darwin/secrets-for-users: empty set instead of empty list
2025-01-05 09:13:18 +01:00
Jörg Thalheim
24d89184ad
nix-darwin: fix launchd decrypt scripts
2025-01-02 20:08:15 +01:00
Thomas B
bcb8b65aa5
Fix link to "more complex .sops.yaml example"
2024-12-29 10:31:36 +00:00
dependabot[bot]
ed091321f4
update vendorHash
2024-12-18 18:34:35 +00:00
dependabot[bot]
9eb29d2bd4
build(deps): bump filippo.io/age from 1.1.1 to 1.2.1
...
Bumps [filippo.io/age](https://github.com/FiloSottile/age) from 1.1.1 to 1.2.1.
- [Release notes](https://github.com/FiloSottile/age/releases)
- [Commits](https://github.com/FiloSottile/age/compare/v1.1.1...v1.2.1)
---
updated-dependencies:
- dependency-name: filippo.io/age
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-12-18 18:34:35 +00:00
dependabot[bot]
2d73fc6ac4
update vendorHash
2024-12-12 01:05:52 +00:00
dependabot[bot]
5803825c93
build(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/crypto/compare/v0.30.0...v0.31.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-12-12 01:05:52 +00:00
dependabot[bot]
a80af89297
update vendorHash
2024-12-09 23:02:24 +00:00
dependabot[bot]
1bb029c84f
build(deps): bump golang.org/x/crypto from 0.29.0 to 0.30.0
...
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/crypto/compare/v0.29.0...v0.30.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-12-09 23:02:24 +00:00
dependabot[bot]
1d0c71cbf5
update vendorHash
2024-12-09 22:55:12 +00:00
dependabot[bot]
84d8bf5ba8
build(deps): bump golang.org/x/sys from 0.27.0 to 0.28.0
...
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.27.0 to 0.28.0.
- [Commits](https://github.com/golang/sys/compare/v0.27.0...v0.28.0)
---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-12-09 22:55:12 +00:00
Jörg Thalheim
c6134b6fff
fix queuing conditions
2024-12-02 09:29:15 +01:00
Jörg Thalheim
fb055f309d
{darwin,home-manager}: add example template
2024-12-02 09:29:15 +01:00
jobs62
8d13626351
try fixing templates on home-manager
...
Update pkgs/sops-install-secrets/main.go
2024-12-02 09:29:15 +01:00
dependabot[bot]
3433ea14fb
update vendorHash
2024-11-25 23:03:45 +00:00
dependabot[bot]
6ecde343ef
build(deps): bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3
...
Bumps [github.com/ProtonMail/go-crypto](https://github.com/ProtonMail/go-crypto) from 1.1.2 to 1.1.3.
- [Release notes](https://github.com/ProtonMail/go-crypto/releases)
- [Commits](https://github.com/ProtonMail/go-crypto/compare/v1.1.2...v1.1.3)
---
updated-dependencies:
- dependency-name: github.com/ProtonMail/go-crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-11-25 23:03:45 +00:00
Mergify
53c853fb1a
ci(mergify): upgrade configuration to current format
2024-11-21 11:49:09 +01:00
Jared Baur
e39947d0ee
allow for missing switch-to-configuration directory
...
NixOS' switch-to-configuration program creates the /run/nixos directory,
which may not be present if `system.switch.enable` is `false`.
2024-11-18 18:23:53 +00:00
Jörg Thalheim
472741cf3f
fix eval of tests (#674)
2024-11-17 16:51:52 +00:00
Jörg Thalheim
0ec0d5d3c5
remove obsolete sops-pgp-hook alias
2024-11-17 15:33:42 +01:00
Jörg Thalheim
799b572ef1
move checks out of pkgs
2024-11-17 15:33:42 +01:00
Jörg Thalheim
420737291e
load devshell from flake
2024-11-17 15:33:42 +01:00
Jörg Thalheim
793c07f331
nix-darwin: fix shellcheck warning of activation script
2024-11-17 14:41:25 +01:00
Jörg Thalheim
1c75c1c13a
fix darwin evaluation
2024-11-17 14:41:25 +01:00
Jörg Thalheim
fe6a1bb922
add home-manager and sops-nix to ci
2024-11-17 14:41:25 +01:00
Jörg Thalheim
dfcebb55c8
only export nixos tests on Linux
2024-11-17 13:20:58 +01:00
Jörg Thalheim
5f3869dfd2
update github action to also update private flake
2024-11-17 13:20:58 +01:00
Jörg Thalheim
7769727634
move nixpkgs-stable to private flake inputs
...
now with home-manager and nix-darwin tests, we don't want to increase
the number of dependencies a user has to override in their flake.lock.
2024-11-17 13:20:58 +01:00
Jörg Thalheim
d76a2f002f
nix-darwin: remove unused variable
2024-11-17 13:20:58 +01:00
Jörg Thalheim
6b85086bcc
reformat code base with nixfmt
2024-11-17 12:22:59 +01:00
Jörg Thalheim
b05bdb2650
nix-darwin: fix evaluation with templates
2024-11-17 11:10:46 +00:00
Jörg Thalheim
a7b8f0feb7
define templates for home-manager
2024-11-17 11:06:56 +00:00
Jeremy Fleischman
eee831aadb
Do not render templates when decrypting neededForUsers secrets
...
This fixes https://github.com/Mic92/sops-nix/issues/659
In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:
1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.
This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:
1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
   `/run/secrets/rendered`, which is not inside of the
   `/run/secrets-for-users` directory we're dealing with, so we'd
   generate a symlink from `/run/secrets/rendered/<foo>` to
   `/run/secrets-for-users/rendered/<foo>`, which required making
   the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.
Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.
Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not to do that here).
2024-11-17 06:19:41 +00:00
sops-nix-bot
47fc1d8c72
flake.lock: Update (#658)
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53?narHash=sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z%2Bw%3D' (2024-10-30)
→ 'github:NixOS/nixpkgs/c69a9bffbecde46b4b939465422ddc59493d3e4d?narHash=sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk%3D' (2024-11-16)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c?narHash=sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY%3D' (2024-11-03)
→ 'github:NixOS/nixpkgs/e8c38b73aeb218e27163376a2d617e61a2ad9b59?narHash=sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g%3D' (2024-11-16)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2024-11-17 03:30:39 +00:00
Ian
d2bd7f433b
Implement darwin module for sops-nix
2024-11-16 09:09:49 +00:00