
oluceps
49e52fce0b
feat: works with sysuser
fix: darwin compatible

chore: reformat

fix: infrec

chore: clean logic

Co-authored-by: Cole Helbling <cole.e.helbling@outlook.com>
2024-06-17 16:35:11 +00:00
Ryan Mulligan
3a56735779
Merge pull request #187 from oddlama/main
fix: always treat link destinations as files to ensure an error when the destination is a directory
2024-06-14 06:18:04 -07:00
Nathan Henrie
c2fc0762bb
Merge pull request #241 from sternenseemann/nix-2.3-install-check
agenix: fix installCheckPhase with Nix 2.3
2024-05-24 08:40:46 -06:00
oddlama
08ed896eb6
fix: always treat link destinations as files to ensure error when destination is a directory.
This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
2024-05-21 15:08:15 +02:00
Nathan Henrie
8d37c5bdea
Merge pull request #259 from hansemschnokeloch/patch-1
Fix typo
2024-05-09 15:32:35 -06:00
hansemschnokeloch
63a57d8dfb
Fix typo 2024-05-09 22:25:29 +02:00
Jörg Thalheim
07479c2e73
update link to nixos wiki (#258) 2024-05-07 10:12:37 -07:00
sternenseemann
1746e4f5ec agenix: fix installCheckPhase with Nix 2.3
As opposed to e.g. Nix 2.18, Nix 2.3 doesn't try to create a fallback
store in $HOME if $NIX_STORE_DIR and $NIX_STATE_DIR aren't writable.
2024-02-01 13:30:22 +01:00
4 changed files with 67 additions and 36 deletions


@ -205,7 +205,7 @@ You can run the CLI tool ad-hoc without installing it:
nix run github:ryantm/agenix -- --help nix run github:ryantm/agenix -- --help
``` ```
But you can also add it permanently into a [NixOS module](https://nixos.wiki/wiki/NixOS_modules) But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules)
(replace system "x86_64-linux" with your system): (replace system "x86_64-linux" with your system):
```nix ```nix
@ -445,7 +445,7 @@ Example:
#### `age.secrets.<name>.symlink` #### `age.secrets.<name>.symlink`
`age.secrets.<name>.symlink` is a boolean. If true (the default), `age.secrets.<name>.symlink` is a boolean. If true (the default),
secrets are symlinked to `age.secrets.<name>.path`. If false, secerts secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
are copied to `age.secrets.<name>.path`. Usually, you want to keep are copied to `age.secrets.<name>.path`. Usually, you want to keep
this as true, because it secure cleanup of secrets no longer this as true, because it secure cleanup of secrets no longer
used. (The symlink will still be there, but it will be broken.) If used. (The symlink will still be there, but it will be broken.) If


@ -61,7 +61,7 @@ with lib; let
${optionalString secretType.symlink '' ${optionalString secretType.symlink ''
# shellcheck disable=SC2193,SC2050 # shellcheck disable=SC2193,SC2050
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''} ''}
''; '';
@ -76,7 +76,7 @@ with lib; let
_agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)" _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}" ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
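Review bot: The `-T` added to both `ln` calls in this section (the per-secret link in the first hunk and the generation link `ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"` in the second) is a GNU coreutils option; if `ln` on PATH can resolve to a BSD implementation when this module is used on Darwin, every link step fails rather than only the directory case the commit targets. A why-comment on the first occurrence would save the next reader a coreutils lookup, e.g. `# -T: never treat the destination as a directory, so an existing directory there is an error instead of a nested link (GNU ln)`. The abort the commit message promises also depends on the enclosing script running with errexit or an ERR trap, which starts outside this hunk. The same `-T` change appears twice more in the third file section of this page and the same remarks apply there.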


@ -14,6 +14,11 @@ with lib; let
users = config.users.users; users = config.users.users;
sysusersEnabled =
if isDarwin
then false
else options.systemd ? sysusers && config.systemd.sysusers.enable;
mountCommand = mountCommand =
if isDarwin if isDarwin
then '' then ''
@ -88,7 +93,7 @@ with lib; let
mv -f "$TMP_FILE" "$_truePath" mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink '' ${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''} ''}
''; '';
@ -103,7 +108,7 @@ with lib; let
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
@ -261,44 +266,66 @@ in {
} }
]; ];
} }
(optionalAttrs (!isDarwin) { (optionalAttrs (!isDarwin) {
# When using sysusers we no longer be started as an activation script
# because those are started in initrd while sysusers is started later.
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
wantedBy = ["sysinit.target"];
after = ["systemd-sysusers.service"];
unitConfig.DefaultDependencies = "no";
serviceConfig = {
Type = "oneshot";
ExecStart = pkgs.writeShellScript "agenix-install" (
builtins.concatStringsSep "\n" [
newGeneration
installSecrets
chownSecrets
]
);
RemainAfterExit = true;
};
};
# Create a new directory full of secrets for symlinking (this helps # Create a new directory full of secrets for symlinking (this helps
# ensure removed secrets are actually removed, or at least become # ensure removed secrets are actually removed, or at least become
# invalid symlinks). # invalid symlinks).
system.activationScripts.agenixNewGeneration = { system.activationScripts = mkIf (!sysusersEnabled) {
text = newGeneration; agenixNewGeneration = {
deps = [ text = newGeneration;
"specialfs" deps = [
]; "specialfs"
}; ];
};
system.activationScripts.agenixInstall = { agenixInstall = {
text = installSecrets; text = installSecrets;
deps = [ deps = [
"agenixNewGeneration" "agenixNewGeneration"
"specialfs" "specialfs"
]; ];
}; };
# So user passwords can be encrypted. # So user passwords can be encrypted.
system.activationScripts.users.deps = ["agenixInstall"]; users.deps = ["agenixInstall"];
# Change ownership and group after users and groups are made. # Change ownership and group after users and groups are made.
system.activationScripts.agenixChown = { agenixChown = {
text = chownSecrets; text = chownSecrets;
deps = [ deps = [
"users" "users"
"groups" "groups"
]; ];
}; };
# So other activation scripts can depend on agenix being done. # So other activation scripts can depend on agenix being done.
system.activationScripts.agenix = { agenix = {
text = ""; text = "";
deps = ["agenixChown"]; deps = ["agenixChown"];
};
}; };
}) })
(optionalAttrs isDarwin { (optionalAttrs isDarwin {
launchd.daemons.activate-agenix = { launchd.daemons.activate-agenix = {
script = '' script = ''
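Review bot: The `ExecStart` script built with `pkgs.writeShellScript` for `agenix-install-secrets` concatenates `newGeneration`, `installSecrets` and `chownSecrets` with no error handling of its own, so unless those fragments set errexit themselves (they are defined outside the hunk) a failed mount or a failing `ln -sfT` leaves the oneshot reporting success and `RemainAfterExit = true` marks the secrets as installed. Putting `"set -euo pipefail"` as the first element of the `builtins.concatStringsSep "\n" [ … ]` list would make the unit fail visibly, provided the fragments' `cmd && { … }` lists behave as intended under errexit. The unit also sets `unitConfig.DefaultDependencies = "no"` and orders only after `systemd-sysusers.service`; whether `${cfg.secretsMountPoint}` is mountable at that point is not visible here and deserves either a comment or an explicit ordering on the relevant mount target. The comment above the unit reads `# When using sysusers we no longer be started as an activation script`; suggest `# With sysusers enabled this is no longer run as an activation script, because activation scripts run in the initrd while sysusers starts later.`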


@ -30,9 +30,13 @@ in
shellcheck ${bin} shellcheck ${bin}
${bin} -h | grep ${version} ${bin} -h | grep ${version}
HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
export HOME="$test_tmp/home"
export NIX_STORE_DIR="$test_tmp/nix/store"
export NIX_STATE_DIR="$test_tmp/nix/var"
mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
function cleanup { function cleanup {
rm -rf $HOME rm -rf "$test_tmp"
} }
trap "cleanup" 0 2 3 15 trap "cleanup" 0 2 3 15
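Review bot: `test_tmp` is used to derive `HOME`, `NIX_STORE_DIR` and `NIX_STATE_DIR` without being checked, so if both `mktemp` attempts fail the exports silently become `/home`, `/nix/store` and `/nix/var` and the check runs against the real store while `cleanup` removes nothing; unless the surrounding phase already runs with errexit (not visible in the hunk), a guard such as `[ -n "$test_tmp" ] || exit 1` directly after the assignment closes that gap. Quoting `"$test_tmp"` in `cleanup` is the right call. A one-line comment on the exports explaining why the store is redirected, e.g. `# Nix 2.3 has no writable-store fallback under $HOME, so give it a scratch store and state dir`, would help the next reader.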