Merge pull request #230 from ryantm/rtm-12-20-age
feat: switch from rage to age
commit
457669db42
9 changed files with 41 additions and 29 deletions
20
.github/workflows/ci.yaml
vendored
20
.github/workflows/ci.yaml
vendored
|
@ -15,21 +15,29 @@ jobs:
|
||||||
- run: nix fmt . -- --check
|
- run: nix fmt . -- --check
|
||||||
- run: nix flake check
|
- run: nix flake check
|
||||||
tests-darwin:
|
tests-darwin:
|
||||||
runs-on: macos-11
|
runs-on: macos-12
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: cachix/install-nix-action@v22
|
- uses: cachix/install-nix-action@v24
|
||||||
with:
|
with:
|
||||||
extra_nix_config: "system-features = nixos-test benchmark big-parallel kvm"
|
extra_nix_config: |
|
||||||
|
system-features = nixos-test recursive-nix benchmark big-parallel kvm
|
||||||
|
extra-experimental-features = recursive-nix nix-command flakes
|
||||||
- run: nix build
|
- run: nix build
|
||||||
- run: nix build .#doc
|
- run: nix build .#doc
|
||||||
- run: nix fmt . -- --check
|
- run: nix fmt . -- --check
|
||||||
- run: nix flake check
|
- run: nix flake check
|
||||||
- name: "Install nix-darwin module"
|
- name: "Install nix-darwin module"
|
||||||
run: |
|
run: |
|
||||||
system=$(nix build --no-link --print-out-paths .#checks.x86_64-darwin.integration)
|
# https://github.com/ryantm/agenix/pull/230#issuecomment-1867025385
|
||||||
${system}/activate-user
|
|
||||||
sudo ${system}/activate
|
sudo mv /etc/nix/nix.conf{,.bak}
|
||||||
|
nix \
|
||||||
|
--extra-experimental-features 'nix-command flakes' \
|
||||||
|
build .#checks.x86_64-darwin.integration
|
||||||
|
|
||||||
|
./result/activate-user
|
||||||
|
sudo ./result/activate
|
||||||
- name: "Test nix-darwin module"
|
- name: "Test nix-darwin module"
|
||||||
run: |
|
run: |
|
||||||
sudo /run/current-system/sw/bin/agenix-integration
|
sudo /run/current-system/sw/bin/agenix-integration
|
||||||
|
|
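Review bot: `sudo mv /etc/nix/nix.conf{,.bak}` in the "Install nix-darwin module" step leaves the runner with no Nix configuration for the rest of the job and nothing restores it before the "Test nix-darwin module" step, while the only rationale on the page is an off-page issue link. If the move is there because nix-darwin's activation wants to own `/etc/nix/nix.conf` (presumably the file install-nix-action wrote), say so in the comment so the line is not dropped as a leftover: `# nix-darwin manages /etc/nix/nix.conf itself; move the installer's copy aside (see linked comment)`. The explicit `--extra-experimental-features 'nix-command flakes'` on the `nix build` that follows is consistent with the config being gone, but a reader would also benefit from a short note that the `./result` symlink in the checkout is now relied on by `./result/activate-user` and `sudo ./result/activate`, since the previous `--no-link --print-out-paths` form deliberately avoided it.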
10
README.md
10
README.md
|
@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
|
||||||
|
|
||||||
## Notices
|
## Notices
|
||||||
|
|
||||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
|
||||||
#### `age.ageBin`
|
#### `age.ageBin`
|
||||||
|
|
||||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||||
don't need to change this. Defaults to `rage/bin/rage`.
|
don't need to change this. Defaults to `age/bin/age`.
|
||||||
|
|
||||||
Overriding `age.ageBin` example:
|
Overriding `age.ageBin` example:
|
||||||
|
|
||||||
|
@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
|
||||||
|
|
||||||
#### Overriding age binary
|
#### Overriding age binary
|
||||||
|
|
||||||
The agenix CLI uses `rage` by default as its age implemenation, you
|
The agenix CLI uses `age` by default as its age implemenation, you
|
||||||
can use the reference implementation `age` with Flakes like this:
|
can use the `rage` implementation with Flakes like this:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
{pkgs,agenix,...}:{
|
{pkgs,agenix,...}:{
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
|
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
# Notices {#notices}
|
# Notices {#notices}
|
||||||
|
|
||||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||||
|
|
|
@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
|
||||||
### `age.ageBin`
|
### `age.ageBin`
|
||||||
|
|
||||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||||
don't need to change this. Defaults to `rage/bin/rage`.
|
don't need to change this. Defaults to `age/bin/age`.
|
||||||
|
|
||||||
Overriding `age.ageBin` example:
|
Overriding `age.ageBin` example:
|
||||||
|
|
||||||
|
|
18
flake.lock
18
flake.lock
|
@ -7,11 +7,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1673295039,
|
"lastModified": 1700795494,
|
||||||
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
|
||||||
"owner": "lnl7",
|
"owner": "lnl7",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -28,11 +28,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1682203081,
|
"lastModified": 1703113217,
|
||||||
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
|
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
|
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -43,11 +43,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1677676435,
|
"lastModified": 1703013332,
|
||||||
"narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
|
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
|
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -38,7 +38,7 @@
|
||||||
|
|
||||||
packages = eachSystem (system: {
|
packages = eachSystem (system: {
|
||||||
agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
|
agenix = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/agenix.nix {};
|
||||||
doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {};
|
doc = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/doc.nix {inherit self;};
|
||||||
default = self.packages.${system}.agenix;
|
default = self.packages.${system}.agenix;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -49,7 +49,10 @@
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = [
|
modules = [
|
||||||
./test/integration_darwin.nix
|
./test/integration_darwin.nix
|
||||||
"${darwin.outPath}/pkgs/darwin-installer/installer.nix"
|
|
||||||
|
# Allow new-style nix commands in CI
|
||||||
|
{nix.extraOptions = "experimental-features = nix-command flakes";}
|
||||||
|
|
||||||
home-manager.darwinModules.home-manager
|
home-manager.darwinModules.home-manager
|
||||||
{
|
{
|
||||||
home-manager = {
|
home-manager = {
|
||||||
|
|
|
@ -155,7 +155,7 @@ with lib; let
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
options.age = {
|
options.age = {
|
||||||
package = mkPackageOption pkgs "rage" {};
|
package = mkPackageOption pkgs "age" {};
|
||||||
|
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
type = types.attrsOf secretType;
|
type = types.attrsOf secretType;
|
||||||
|
|
|
@ -69,6 +69,7 @@ with lib; let
|
||||||
IDENTITIES=()
|
IDENTITIES=()
|
||||||
for identity in ${toString cfg.identityPaths}; do
|
for identity in ${toString cfg.identityPaths}; do
|
||||||
test -r "$identity" || continue
|
test -r "$identity" || continue
|
||||||
|
test -s "$identity" || continue
|
||||||
IDENTITIES+=(-i)
|
IDENTITIES+=(-i)
|
||||||
IDENTITIES+=("$identity")
|
IDENTITIES+=("$identity")
|
||||||
done
|
done
|
||||||
|
@ -189,9 +190,9 @@ in {
|
||||||
options.age = {
|
options.age = {
|
||||||
ageBin = mkOption {
|
ageBin = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "${pkgs.rage}/bin/rage";
|
default = "${pkgs.age}/bin/age";
|
||||||
defaultText = literalExpression ''
|
defaultText = literalExpression ''
|
||||||
"''${pkgs.rage}/bin/rage"
|
"''${pkgs.age}/bin/age"
|
||||||
'';
|
'';
|
||||||
description = ''
|
description = ''
|
||||||
The age executable to use.
|
The age executable to use.
|
||||||
|
|
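Review bot: The new `test -s "$identity" || continue` silently drops an empty identity file just as the existing `test -r` drops an unreadable one, and the hunk gives no reason, so a maintainer who later finds a zero-byte key (for example a host key not yet generated at first activation) has no hint whether skipping it is intended. A comment above the two tests would carry it, e.g. `# skip unreadable or empty identities (e.g. a host key that does not exist yet) instead of handing age a file it cannot use` — the claim about how age treats an empty file is an assumption to confirm. Because both checks `continue` without output, consider writing a diagnostic to stderr when an identity is skipped so an all-skipped run, which leaves IDENTITIES empty, is visible in the activation log; what the script does with an empty IDENTITIES array is outside this hunk. The enclosing shell script starts and ends outside the hunk.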
|
@ -1,13 +1,13 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
stdenv,
|
stdenv,
|
||||||
rage,
|
age,
|
||||||
jq,
|
jq,
|
||||||
nix,
|
nix,
|
||||||
mktemp,
|
mktemp,
|
||||||
diffutils,
|
diffutils,
|
||||||
substituteAll,
|
substituteAll,
|
||||||
ageBin ? "${rage}/bin/rage",
|
ageBin ? "${age}/bin/age",
|
||||||
shellcheck,
|
shellcheck,
|
||||||
}:
|
}:
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
|
|