feat: switch from rage to age
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in 07ce686870 because it was limiting
recipients to 20. This was fixed
https://github.com/FiloSottile/age/issues/139
What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
parent 9bc80dc4ce
commit 5c1198a352
6 changed files with 13 additions and 12 deletions
10
README.md
|
@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
|
|||
|
||||
## Notices
|
||||
|
||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
|
||||
## Installation
|
||||
|
||||
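Review bot: The reworded notice in this hunk drops rage from "age/rage do not support ssh-agent", yet the README still documents overriding `ageBin` to rage, so a reader who switches back can no longer tell whether the limitation applies to them. The commit message also gives "requiring entering the password less often" as the reason for the switch, while the unchanged example still says rekeying 20 secrets means entering the password 20 times. Suggest either naming both tools or updating the example to describe what actually differs with age.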
|
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
|
|||
#### `age.ageBin`
|
||||
|
||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||
don't need to change this. Defaults to `rage/bin/rage`.
|
||||
don't need to change this. Defaults to `age/bin/age`.
|
||||
|
||||
Overriding `age.ageBin` example:
|
||||
|
||||
|
@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
|
|||
|
||||
#### Overriding age binary
|
||||
|
||||
The agenix CLI uses `rage` by default as its age implemenation, you
|
||||
can use the reference implementation `age` with Flakes like this:
|
||||
The agenix CLI uses `age` by default as its age implemenation, you
|
||||
can use the `rage` implementation with Flakes like this:
|
||||
|
||||
```nix
|
||||
{pkgs,agenix,...}:{
|
||||
environment.systemPackages = [
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
|
||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
|
||||
];
|
||||
}
|
||||
```
|
||||
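Review bot: The rewritten sentence under "Overriding age binary" carries over the typo "implemenation" and the comma splice before "you can use". Since both lines are being touched anyway, fix them here, for example "as its age implementation. You can use `rage` instead with Flakes like this:". The example also hard-codes `x86_64-linux`, which deserves a word for users on other systems.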
|
|
|
@ -1,3 +1,3 @@
|
|||
# Notices {#notices}
|
||||
|
||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||
|
|
|
@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
|
|||
### `age.ageBin`
|
||||
|
||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||
don't need to change this. Defaults to `rage/bin/rage`.
|
||||
don't need to change this. Defaults to `age/bin/age`.
|
||||
|
||||
Overriding `age.ageBin` example:
|
||||
|
||||
|
|
|
@ -155,7 +155,7 @@ with lib; let
|
|||
'';
|
||||
in {
|
||||
options.age = {
|
||||
package = mkPackageOption pkgs "rage" {};
|
||||
package = mkPackageOption pkgs "age" {};
|
||||
|
||||
secrets = mkOption {
|
||||
type = types.attrsOf secretType;
|
||||
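Review bot: Flipping the `mkPackageOption` default from "rage" to "age" changes the binary for every user of this module who never set `age.package`, and none of the docs hunks in this commit mention that option; they only cover `age.ageBin` and the CLI override. Suggest documenting `age.package = pkgs.rage;` as the way to keep the previous behaviour for this module.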
|
|
|
@ -69,6 +69,7 @@ with lib; let
|
|||
IDENTITIES=()
|
||||
for identity in ${toString cfg.identityPaths}; do
|
||||
test -r "$identity" || continue
|
||||
test -s "$identity" || continue
|
||||
IDENTITIES+=(-i)
|
||||
IDENTITIES+=("$identity")
|
||||
done
|
||||
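Review bot: The added `test -s "$identity" || continue` skips empty identity files silently, just like the unreadable case on the line above it, so a key file that was truncated or never provisioned produces no message, and if every path is skipped the loop ends with an empty `IDENTITIES` array and no hint why. Suggest printing a warning to stderr that names the skipped path before `continue`. This is also a behaviour change unrelated to the rage-to-age switch, so it would be easier to review and revert as its own commit.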
|
@ -189,9 +190,9 @@ in {
|
|||
options.age = {
|
||||
ageBin = mkOption {
|
||||
type = types.str;
|
||||
default = "${pkgs.rage}/bin/rage";
|
||||
default = "${pkgs.age}/bin/age";
|
||||
defaultText = literalExpression ''
|
||||
"''${pkgs.rage}/bin/rage"
|
||||
"''${pkgs.age}/bin/age"
|
||||
'';
|
||||
description = ''
|
||||
The age executable to use.
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
{
|
||||
lib,
|
||||
stdenv,
|
||||
rage,
|
||||
age,
|
||||
jq,
|
||||
nix,
|
||||
mktemp,
|
||||
diffutils,
|
||||
substituteAll,
|
||||
ageBin ? "${rage}/bin/rage",
|
||||
ageBin ? "${age}/bin/age",
|
||||
shellcheck,
|
||||
}:
|
||||
stdenv.mkDerivation rec {
|
||||
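Review bot: Replacing the `rage` argument with `age` in this argument set is a breaking change for anyone calling `.override { rage = ...; }`, because the set shown here has no `...` and an unknown argument is rejected. The `ageBin` override from the README keeps working, so a line in the commit message or release notes pointing downstream users at `ageBin` (or the new `age` argument) would be enough.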
|
|