musjj
df977b7f76
fix line length in documentation
2025-09-18 17:41:45 +07:00
musjj
7369f32be4
clarify the differences between sshKeyPaths and sshKeyFile
2025-09-18 17:37:17 +07:00
musjj
e148dc2c68
remove sops.age.sshKeyPaths deprecation
2025-09-18 17:36:08 +07:00
musjj
4fb1eef0c0
add native support for ssh keys for age
2025-04-22 06:34:46 +07:00
Christoph Heiss
cff8437c5f
secrets-for-users: set HOME envvar to avoid warnings on sops >= 3.10.0
Followup for #765, where I missed this. It's needed here too, since it
runs in the same context as the default module.
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2025-04-04 10:42:50 +02:00
Jörg Thalheim
9bc9b59644
home-manager/templates: remove restartUnits/reloadUnits
this feature is not implemented for the home-manager module.
fixes https://github.com/Mic92/sops-nix/issues/729
2025-04-04 09:07:10 +02:00
Christoph Heiss
d3088f783f
module: set HOME envvar to avoid warnings on sops >= 3.10.0
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Update modules/sops/default.nix
Co-authored-by: Dominik Schrempf <dominik.schrempf@gmail.com>
2025-04-04 08:55:35 +02:00
Jörg Thalheim
1770be8ad8
nix-darwin: remove lib.traceVal from sops.templates
2025-03-19 18:56:19 +01:00
David Kowis
787afce414
add uid and gid to templates
2025-03-17 20:29:15 +01:00
Pablo Ovelleiro Corral
1f8e8fcf3f
fix home-manager module
2025-03-17 10:54:23 +01:00
Pablo Ovelleiro Corral
7eb645636c
Make assertions lazy
2025-03-17 10:54:23 +01:00
zowoq
5dc08f9cc7
modules/nix-darwin/secrets-for-users: empty set instead of empty list
2025-01-05 09:13:18 +01:00
Jörg Thalheim
24d89184ad
nix-darwin: fix launchd decrypt scripts
2025-01-02 20:08:15 +01:00
jobs62
8d13626351
try fixing templates on home-manager
Update pkgs/sops-install-secrets/main.go
2024-12-02 09:29:15 +01:00
Jörg Thalheim
793c07f331
nix-darwin: fix shellcheck warning of activation script
2024-11-17 14:41:25 +01:00
Jörg Thalheim
1c75c1c13a
fix darwin evaluation
2024-11-17 14:41:25 +01:00
Jörg Thalheim
d76a2f002f
nix-darwin: remove unused variable
2024-11-17 13:20:58 +01:00
Jörg Thalheim
6b85086bcc
reformat code base with nixfmt
2024-11-17 12:22:59 +01:00
Jörg Thalheim
b05bdb2650
nix-darwin: fix evaluation with templates
2024-11-17 11:10:46 +00:00
Jörg Thalheim
a7b8f0feb7
define templates for home-manager
2024-11-17 11:06:56 +00:00
Jeremy Fleischman
eee831aadb
Do not render templates when decrypting neededForUsers secrets
This fixes https://github.com/Mic92/sops-nix/issues/659
In https://github.com/Mic92/sops-nix/pull/649, we started rendering
templates twice:
1. When rendering `neededForUsers` secrets (if there are any
`neededForUsers` secrets).
2. When decrypting "regular" secrets.
This alone was weird and wrong, but didn't cause issues
for people until https://github.com/Mic92/sops-nix/pull/655, which
triggered https://github.com/Mic92/sops-nix/issues/659. The cause is not
super obvious:
1. When rendering `neededForUsers` secrets, we'd generate templates in
`/run/secrets-for-users/rendered`.
2. However, the `path` for these templates is in
`/run/secrets/rendered`, which is not inside of the
`/run/secrets-for-users` directory we're dealing with, so we'd
generate a symlink from `/run/secrets/rendered/<foo>` to
`/run/secrets-for-users/rendered/<foo>`, which required making
the parent directory of the symlink (`/run/secrets/rendered/`).
3. This breaks sops-nix's assumption that `/run/secrets` either doesn't
exist, or is a symlink, and you get the symptoms described in
<https://github.com/Mic92/sops-nix/issues/659>.
Reproducing this in a test was straightforward: just expand our existing
template test to also have a `neededForUsers` secret.
Fixing this was also straightforward: don't render templates during the
`neededForUsers` phase (if we want to add support for `neededForUsers`
templates in the future, that would be straightforward to do, but I
opted not to do that here).
2024-11-17 06:19:41 +00:00
Ian
d2bd7f433b
Implement darwin module for sops-nix
2024-11-16 09:09:49 +00:00
Wael Nasreddine
f1675e3b0e
home-manager: Add support for Split GPG on Qubes OS (#657)
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-11-10 05:32:29 +01:00
Jeremy Fleischman
60e1bce199
Add support for restartUnits and reloadUnits for templates
This fixes https://github.com/Mic92/sops-nix/issues/634
2024-11-08 06:34:20 +00:00
Jeremy Fleischman
fe63071416
Improve activation messages about rendered templates
This fixes https://github.com/Mic92/sops-nix/issues/652
2024-11-07 19:49:39 +00:00
liyangau
c5ae1e214f
fix missing lib in mkOption
2024-11-06 09:50:27 +01:00
thomaslepoix
f21c31dadf
Emit plain file when key is empty
Co-Authored-By: Slaier <slaier@users.noreply.github.com>
2024-11-06 05:57:58 +00:00
Jeremy Fleischman
aa5caa129b
rebase, complete implementation
2024-11-06 04:55:41 +00:00
Jörg Thalheim
bb7d636211
template refactoring
2024-11-06 04:55:41 +00:00
Sizhe Zhao
b2211d1a53
fix(home-manager/sops): fix setting unit env
The Environment option should be set in Service section.
2024-10-26 08:38:45 +00:00
Sizhe Zhao
78a0e634fc
fix(home-manager/sops): fix setting systemd unit environment
2024-10-24 13:07:55 +00:00
Mark Sisson
d089e742fb
feat(home-manager/sops): add environment variable configuration
Added support for configuring environment variables before calling
`sops-install-secrets`. Introduced a new `environment` option which
allows specifying environment variables. Modified systemd service
and launchd agent to use the specified environment variables.
2024-10-23 14:55:20 +00:00
Martijn de Munnik
a4c33bfecb
Allow to set uid and gid instead of owner and group. No checks will be performed when uid and gid are set.
```nix
sops.secrets = {
  sslCertificate = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
  sslCertificateKey = {
    sopsFile = ./secrets.yaml;
    owner = "";
    group = "";
    uid = config.containers."nginx".config.users.users."nginx".uid;
    gid = config.containers."nginx".config.users.groups."nginx".gid;
  };
};
```
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-10-23 07:38:42 +00:00
Sandro Jäckel
26642e8f19
Add some missing literalExpression
2024-10-22 09:03:27 +00:00
Lin Yinfeng
127a96f49d
modules/sops/templates: support systemd activation
2024-09-27 07:43:29 +00:00
A. Manzer
5876a12ff6
Allow sops-nix to be restarted when systemd is degraded
If Systemd is running, but with even a single failed unit, it'll enter Degraded state. Restart sops-nix anyway.
2024-09-27 09:35:55 +02:00
r-vdp
d9d781523a
Support userborn
2024-09-05 12:42:46 +00:00
Jörg Thalheim
ab2d1ffeb5
{nixos,home-manager}: shell escape age key paths
2024-08-12 09:20:04 +00:00
Sebastian Sellmeier
4371a1301c
home-manager: minor oversight cleanup
2024-04-22 10:39:12 +02:00
Jörg Thalheim
e31339a204
home-manager: fix implicit dependency on coreutils
fixes https://github.com/Mic92/sops-nix/issues/542
2024-04-19 08:18:56 +00:00
Jörg Thalheim
58b9a13a37
home-manager: fix key store path check for strings
fixes https://github.com/Mic92/sops-nix/issues/535
2024-04-18 13:12:29 +02:00
Sebastian Sellmeier
a9795d1959
home-manager: Change defaultSymlinkPath to "<xdg-config-home>/sops-nix/secrets"
2024-04-18 08:22:30 +00:00
the-furry-hubofeverything
74f03c1a51
Refuse age keyfile paths that are in the nix store
2024-04-18 08:17:46 +00:00
Sebastian Sellmeier
dacc9519f5
home-manager: Include home.activation-script for linux similar to macos
2024-04-18 08:02:04 +00:00
Joachim Ernst
cc535d07cb
remove all uses of lib.mdDoc (#532)
2024-04-15 11:55:09 +02:00
Jörg Thalheim
fa8035c073
use gnupg binary also now for ssh rsa keys
With the last sops bump, our gpg keys are no longer detected by sops without it
2024-03-14 15:47:03 +01:00
Luflosi
7f015eeff1
modules/sops: fix typo
The assertion below states: "Exactly one of sops.gnupg.home and sops.gnupg.sshKeyPaths must be set".
2024-03-14 12:52:12 +01:00
Quentin Smith
f6b80ab6cd
Address review comments
2024-02-21 07:24:54 +00:00
Quentin Smith
fbec55367f
modules/sops/templates: Support custom files as secret templates
This exposes the `file` option, which can be used with `pkgs.formats` to write additional configuration formats.
2024-02-21 07:24:54 +00:00
DDoSolitary
f88661c9a9
Revert "don't substitute binaries"
This reverts commit 7711514b85.
With db82bcafd4, we no longer need to
ensure that the pair list only contains utf-8 text, as long as users
don't reference non-utf-8 data in template content.
Fixes Mic92/sops-nix#439.
2024-02-20 16:46:05 +00:00