pkg/sops-nix
1
0
Fork 0
mirror of https://github.com/Mic92/sops-nix.git synced 2025-12-26 14:14:58 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
1087 commits 17 branches 1 tag 2.6 MiB
Commit graph

120 commits

Author SHA1 Message Date
Leon Schuermann
b2cddb00f9 modules/sops: allow forcing systemd-based activation 
By allowing users to optionally force using systemd unit-based
activation, they can inject dependencies on other services or
mountpoints (for instance, when the age key is not stored on the root
file system).
 2025-11-16 17:48:32 -05:00
Jörg Thalheim
a2bcd1c25c Revert "modules/sops: allow forcing systemd-based activation"
Some checks failed
Test / tests (push) Has been cancelled
Details 
This reverts commit b80c966e70.

See https://github.com/Mic92/sops-nix/issues/856
 2025-11-13 22:35:29 +01:00
Leon Schuermann
b80c966e70 modules/sops: allow forcing systemd-based activation
Some checks are pending
Test / tests (push) Waiting to run
Details 
By allowing users to optionally force using systemd unit-based
activation, they can inject dependencies on other services or
mountpoints (for instance, when the age key is not stored on the root
file system).
 2025-11-13 09:41:12 +01:00
Preston Peranich
f79497d9a9 feat: add package option to home-manager module. 2025-09-10 13:15:49 +02:00
Amine Hassane
10957db2de sops-install-secrets: use noswap mount option with tmpfs 2025-09-10 12:57:30 +02:00
Christoph Heiss
cff8437c5f secrets-for-users: set HOME envvar to avoid warnings on sops >= 3.10.0 
Followup for #765, where I missed this. It's needed here too, since it
runs in the same context as the default module.

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
 2025-04-04 10:42:50 +02:00
Jörg Thalheim
9bc9b59644 home-manager/templates: remove restartUnits/reloadUnits 
this feature is not implemented for the home-manager module.

fixes https://github.com/Mic92/sops-nix/issues/729
 2025-04-04 09:07:10 +02:00
Christoph Heiss
d3088f783f module: set HOME envvar to avoid warnings on sops >= 3.10.0 
Signed-off-by: Christoph Heiss <christoph@c8h4.io>

Update modules/sops/default.nix

Co-authored-by: Dominik Schrempf <dominik.schrempf@gmail.com>
 2025-04-04 08:55:35 +02:00
Jörg Thalheim
1770be8ad8 nix-darwin: remove lib.traceVal from sops.templates 2025-03-19 18:56:19 +01:00
David Kowis
787afce414 add uid and gid to templates 2025-03-17 20:29:15 +01:00
Pablo Ovelleiro Corral
1f8e8fcf3f fix home-manager module 2025-03-17 10:54:23 +01:00
Pablo Ovelleiro Corral
7eb645636c Make assertions lazy 2025-03-17 10:54:23 +01:00
zowoq
5dc08f9cc7 modules/nix-darwin/secrets-for-users: empty set instead of empty list 2025-01-05 09:13:18 +01:00
Jörg Thalheim
24d89184ad nix-darwin: fix launchd decrypt scripts 2025-01-02 20:08:15 +01:00
jobs62
8d13626351 try fixing templates on home-manager 
Update pkgs/sops-install-secrets/main.go
 2024-12-02 09:29:15 +01:00
Jörg Thalheim
793c07f331 nix-darwin: fix shellcheck warning of activation script 2024-11-17 14:41:25 +01:00
Jörg Thalheim
1c75c1c13a fix darwin evaluation 2024-11-17 14:41:25 +01:00
Jörg Thalheim
d76a2f002f nix-darwin: remove unused variable 2024-11-17 13:20:58 +01:00
Jörg Thalheim
6b85086bcc reformat code base with nixfmt 2024-11-17 12:22:59 +01:00
Jörg Thalheim
b05bdb2650 nix-darwin: fix evaluation with templates 2024-11-17 11:10:46 +00:00
Jörg Thalheim
a7b8f0feb7 define templates for home-manager 2024-11-17 11:06:56 +00:00
Jeremy Fleischman
eee831aadb Do not render templates when decrypting neededForUsers secrets 
This fixes https://github.com/Mic92/sops-nix/issues/659

In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:

1. When rendering `neededForUsers` secrets (if there are any
   `neededForUsers` secrets).
2. When decrypting "regular" secrets.

This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:

1. When rendering `neededForUsers` secrets, we'd generate templates in
   `/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
   `/run/secrets/rendered`, which is not inside of the
   `/run/secrets-for-users` directory we're dealing with, so we'd
   generate a symlink from `/run/secrets/rendered/<foo>` to
   `/run/secrets-for-users/rendered/<foo>`, which required making
   the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
   exist, or is a symlink, and you get the symptoms described in
   <https://github.com/Mic92/sops-nix/issues/659>.

Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.

Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not do that here).
 2024-11-17 06:19:41 +00:00
Ian
d2bd7f433b Implement darwin module for sops-nix 2024-11-16 09:09:49 +00:00
Wael Nasreddine
f1675e3b0e
home-manager: Add support for Split GPG on Qubes OS (#657) 
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
 2024-11-10 05:32:29 +01:00
Jeremy Fleischman
60e1bce199 Add support for restartUnits and reloadUnits for templates 
This fixes https://github.com/Mic92/sops-nix/issues/634
 2024-11-08 06:34:20 +00:00
Jeremy Fleischman
fe63071416 Improve activation messages about rendered templates 
This fixes https://github.com/Mic92/sops-nix/issues/652
 2024-11-07 19:49:39 +00:00
liyangau
c5ae1e214f fix missing lib in mkOption 2024-11-06 09:50:27 +01:00
thomaslepoix
f21c31dadf Emit plain file when key is empty 
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
 2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b rebase, complete implementation 2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211 template refactoring 2024-11-06 04:55:41 +00:00
Sizhe Zhao
b2211d1a53 fix(home-manager/sops): fix setting unit env 
The Environment option should be set in Service section.
 2024-10-26 08:38:45 +00:00
Sizhe Zhao
78a0e634fc fix(home-manager/sops): fix setting systemd unit environment 2024-10-24 13:07:55 +00:00
Mark Sisson
d089e742fb feat(home-manager/sops): add environment variable configuration 
Added support for configuring environment variables before calling
`sops-install-secrets`. Introduced a new `environment` option which
allows specifying environment variables. Modified systemd service
and launchd agent to use the specified environment variables.
 2024-10-23 14:55:20 +00:00
Martijn de Munnik
a4c33bfecb Allow to set uid and gid instead of owner and group. No checks will be performed when uid and gid are set. 
```
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```

Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
 2024-10-23 07:38:42 +00:00
Sandro Jäckel
26642e8f19 Add some missing literalExpression 2024-10-22 09:03:27 +00:00
Lin Yinfeng
127a96f49d modules/sops/templates: support systemd activation 2024-09-27 07:43:29 +00:00
A. Manzer
5876a12ff6 Allow sops-nix to be restarted when systemd is degraded 
If Systemd is running, but with even a single failed unit, it'll enter Degraded state.  Restart sops-nix anyway.
 2024-09-27 09:35:55 +02:00
r-vdp
d9d781523a Support userborn 2024-09-05 12:42:46 +00:00
Jörg Thalheim
ab2d1ffeb5 {nixos,home-manager}: shell escape age key paths 2024-08-12 09:20:04 +00:00
Sebastian Sellmeier
4371a1301c home-manager: minor oversight cleanup 2024-04-22 10:39:12 +02:00
Jörg Thalheim
e31339a204 home-manager: fix implicit dependency on coreutils 
fixes https://github.com/Mic92/sops-nix/issues/542
 2024-04-19 08:18:56 +00:00
Jörg Thalheim
58b9a13a37 home-manager: fix key store path check for strings 
fixes https://github.com/Mic92/sops-nix/issues/535
 2024-04-18 13:12:29 +02:00
Sebastian Sellmeier
a9795d1959 home-manager: Change defaultSymlinkPath to "<xdg-config-home>/sops-nix/secrets" 2024-04-18 08:22:30 +00:00
the-furry-hubofeverything
74f03c1a51 Refuse age keyfile paths that are in the nix store 2024-04-18 08:17:46 +00:00
Sebastian Sellmeier
dacc9519f5 home-manager: Include home.activation-script for linux similar to macos 2024-04-18 08:02:04 +00:00
Joachim Ernst
cc535d07cb
remove all uses of lib.mdDoc (#532) 2024-04-15 11:55:09 +02:00
Jörg Thalheim
fa8035c073 use gnupg binary also now for ssh rsa keys 
With the last sops bump, our gpg keys are no longer detected by sops without it
 2024-03-14 15:47:03 +01:00
Luflosi
7f015eeff1 modules/sops: fix typo 
The assertion below states: "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set".
 2024-03-14 12:52:12 +01:00
Quentin Smith
f6b80ab6cd Address review comments 2024-02-21 07:24:54 +00:00
Quentin Smith
fbec55367f modules/sops/templates: Support custom files as secret templates 
This exposes the `file` option, which can be used with `pkgs.formats` to write additional configuration formats.
 2024-02-21 07:24:54 +00:00