2b558e9af1
...
49e52fce0b
Author | SHA1 | Date | |
---|---|---|---|
|
49e52fce0b | ||
|
3a56735779 | ||
|
c2fc0762bb | ||
|
08ed896eb6 | ||
|
8d37c5bdea | ||
|
63a57d8dfb | ||
|
07479c2e73 | ||
|
1746e4f5ec |
@ -205,7 +205,7 @@ You can run the CLI tool ad-hoc without installing it:
|
||||
nix run github:ryantm/agenix -- --help
|
||||
```
|
||||
|
||||
But you can also add it permanently into a [NixOS module](https://nixos.wiki/wiki/NixOS_modules)
|
||||
But you can also add it permanently into a [NixOS module](https://wiki.nixos.org/wiki/NixOS_modules)
|
||||
(replace system "x86_64-linux" with your system):
|
||||
|
||||
```nix
|
||||
@ -445,7 +445,7 @@ Example:
|
||||
#### `age.secrets.<name>.symlink`
|
||||
|
||||
`age.secrets.<name>.symlink` is a boolean. If true (the default),
|
||||
secrets are symlinked to `age.secrets.<name>.path`. If false, secerts
|
||||
secrets are symlinked to `age.secrets.<name>.path`. If false, secrets
|
||||
are copied to `age.secrets.<name>.path`. Usually, you want to keep
|
||||
this as true, because it secure cleanup of secrets no longer
|
||||
used. (The symlink will still be there, but it will be broken.) If
|
||||
|
@ -61,7 +61,7 @@ with lib; let
|
||||
|
||||
${optionalString secretType.symlink ''
|
||||
# shellcheck disable=SC2193,SC2050
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
|
||||
''}
|
||||
'';
|
||||
|
||||
@ -76,7 +76,7 @@ with lib; let
|
||||
_agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
|
||||
(( ++_agenix_generation ))
|
||||
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
|
||||
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
|
||||
ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
|
||||
|
||||
(( _agenix_generation > 1 )) && {
|
||||
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
|
||||
|
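Review bot: `-T` is a GNU coreutils option that BSD `ln` (the one shipped on macOS) does not accept, so the new `ln -sfT` lines in the @ -61 and @ -76 hunks will fail with an illegal-option error whenever this script runs with a non-GNU `ln` first on PATH; the identical lines in the next file's @ -88 and @ -103 hunks have the same exposure, and that file is visibly shared with the Darwin branch. The change from `-n` is otherwise a real hardening: with `-T`, `ln` refuses to create the link inside a pre-existing directory at `${secretType.path}` or `${cfg.secretsDir}` rather than silently dropping the secret there, so it should be kept. Where a Darwin host can reach this code, either pin the binary, `${pkgs.coreutils}/bin/ln -sfT …` (if `pkgs` is in scope), or keep `-n` on that branch. The enclosing shell string starts before the hunk, so I cannot see from here whether PATH is already fixed up to GNU coreutils.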
@ -14,6 +14,11 @@ with lib; let
|
||||
|
||||
users = config.users.users;
|
||||
|
||||
sysusersEnabled =
|
||||
if isDarwin
|
||||
then false
|
||||
else options.systemd ? sysusers && config.systemd.sysusers.enable;
|
||||
|
||||
mountCommand =
|
||||
if isDarwin
|
||||
then ''
|
||||
@ -88,7 +93,7 @@ with lib; let
|
||||
mv -f "$TMP_FILE" "$_truePath"
|
||||
|
||||
${optionalString secretType.symlink ''
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
|
||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
|
||||
''}
|
||||
'';
|
||||
|
||||
@ -103,7 +108,7 @@ with lib; let
|
||||
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
|
||||
(( ++_agenix_generation ))
|
||||
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
|
||||
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
|
||||
ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
|
||||
|
||||
(( _agenix_generation > 1 )) && {
|
||||
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
|
||||
@ -261,19 +266,39 @@ in {
|
||||
}
|
||||
];
|
||||
}
|
||||
|
||||
(optionalAttrs (!isDarwin) {
|
||||
# When using sysusers we no longer be started as an activation script
|
||||
# because those are started in initrd while sysusers is started later.
|
||||
systemd.services.agenix-install-secrets = mkIf sysusersEnabled {
|
||||
wantedBy = ["sysinit.target"];
|
||||
after = ["systemd-sysusers.service"];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = pkgs.writeShellScript "agenix-install" (
|
||||
builtins.concatStringsSep "\n" [
|
||||
newGeneration
|
||||
installSecrets
|
||||
chownSecrets
|
||||
]
|
||||
);
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
# Create a new directory full of secrets for symlinking (this helps
|
||||
# ensure removed secrets are actually removed, or at least become
|
||||
# invalid symlinks).
|
||||
system.activationScripts.agenixNewGeneration = {
|
||||
system.activationScripts = mkIf (!sysusersEnabled) {
|
||||
agenixNewGeneration = {
|
||||
text = newGeneration;
|
||||
deps = [
|
||||
"specialfs"
|
||||
];
|
||||
};
|
||||
|
||||
system.activationScripts.agenixInstall = {
|
||||
agenixInstall = {
|
||||
text = installSecrets;
|
||||
deps = [
|
||||
"agenixNewGeneration"
|
||||
@ -282,10 +307,10 @@ in {
|
||||
};
|
||||
|
||||
# So user passwords can be encrypted.
|
||||
system.activationScripts.users.deps = ["agenixInstall"];
|
||||
users.deps = ["agenixInstall"];
|
||||
|
||||
# Change ownership and group after users and groups are made.
|
||||
system.activationScripts.agenixChown = {
|
||||
agenixChown = {
|
||||
text = chownSecrets;
|
||||
deps = [
|
||||
"users"
|
||||
@ -294,11 +319,13 @@ in {
|
||||
};
|
||||
|
||||
# So other activation scripts can depend on agenix being done.
|
||||
system.activationScripts.agenix = {
|
||||
agenix = {
|
||||
text = "";
|
||||
deps = ["agenixChown"];
|
||||
};
|
||||
};
|
||||
})
|
||||
|
||||
(optionalAttrs isDarwin {
|
||||
launchd.daemons.activate-agenix = {
|
||||
script = ''
|
||||
|
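Review bot: `systemd.services.agenix-install-secrets` in the @ -261 hunk is only `wantedBy = ["sysinit.target"]` with `DefaultDependencies = "no"`, and a Wants relationship carries no ordering, so nothing guarantees the unit has finished before sysinit.target is reached; services that read from `${cfg.secretsDir}` can start first and see a missing or previous-generation symlink. Adding `before = ["sysinit.target"];` next to the existing `after` closes that gap. Note also that the activation-script branch keeps `users.deps = ["agenixInstall"]` so password secrets exist before users are created, whereas the service branch runs after `systemd-sysusers.service`, i.e. the reverse order — I cannot tell from this hunk whether `hashedPasswordFile` secrets are expected to work in sysusers mode, so that deserves a comment or an assertion. The new comment reads `# When using sysusers we no longer be started as an activation script`; suggest `# With sysusers enabled we can no longer run as an activation script,`.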
@ -30,9 +30,13 @@ in
|
||||
shellcheck ${bin}
|
||||
${bin} -h | grep ${version}
|
||||
|
||||
HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
|
||||
test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
|
||||
export HOME="$test_tmp/home"
|
||||
export NIX_STORE_DIR="$test_tmp/nix/store"
|
||||
export NIX_STATE_DIR="$test_tmp/nix/var"
|
||||
mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
|
||||
function cleanup {
|
||||
rm -rf $HOME
|
||||
rm -rf "$test_tmp"
|
||||
}
|
||||
trap "cleanup" 0 2 3 15
|
||||
|
||||
|
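Review bot: `test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')` is never checked, so if both `mktemp` calls fail `test_tmp` is empty and the exports that follow resolve to `/home`, `/nix/store` and `/nix/var` — the test would then `mkdir -p` and run against the real store and state directories instead of the scratch tree, while `rm -rf "$test_tmp"` in `cleanup` becomes a no-op. A guard directly after the assignment, `[ -n "$test_tmp" ] || { echo "mktemp -d failed" >&2; exit 1; }`, aborts before any path is derived from it (avoid the `${var:?}` form here, since `${` is Nix interpolation inside this string). Quoting `"$test_tmp"` in the new `rm -rf`, replacing the unquoted `rm -rf $HOME`, is a good change. The enclosing shell string begins before the hunk, so I cannot see whether `set -e`/`-u` is in effect.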