feat: switch from rage to age
Why
===
* Someone said age works better with password protected keys,
requiring entering the password less often.
* We switched to rage from age in
07ce686870
because it was limiting recipients to 20. This was fixed in
https://github.com/FiloSottile/age/issues/139
What changed
===
* Switch from rage back to age (the reference implementation) in all
the spots
* Update the docs to show how to switch back to Rage
* Skip keys that are empty files, which fixes the integration test.
This commit is contained in:
parent
9bc80dc4ce
commit
5c1198a352
6 changed files with 13 additions and 12 deletions
10
README.md
|
@ -45,7 +45,7 @@ All files in the Nix store are readable by any system user, so it is not a suita
|
||||||
|
|
||||||
## Notices
|
## Notices
|
||||||
|
|
||||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
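Review bot: the rewritten notice still tells users they will enter their password 20 times when rekeying 20 secrets, while this commit's stated reason for switching is that age prompts for the passphrase less often; one of the two is stale, so verify the prompt count with a passphrase-protected ssh key during a rekey and adjust the "20 times" claim to match. The rewording to "age does not support ssh-agent" also drops rage from the sentence even though the same README now documents switching back to rage; "neither age nor rage supports ssh-agent" keeps the notice accurate for both configurations.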
@ -487,7 +487,7 @@ Example of a secret with a name different from its attrpath:
|
||||||
#### `age.ageBin`
|
#### `age.ageBin`
|
||||||
|
|
||||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||||
don't need to change this. Defaults to `rage/bin/rage`.
|
don't need to change this. Defaults to `age/bin/age`.
|
||||||
|
|
||||||
Overriding `age.ageBin` example:
|
Overriding `age.ageBin` example:
|
||||||
|
|
||||||
|
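Review bot: the touched sentence still lacks its verb ("`age.ageBin` the string of the path to the `age` binary"); since the line is being rewritten anyway, make it "`age.ageBin` is the string of the path to the `age` binary". The new default `age/bin/age` abbreviates the module's actual default `"${pkgs.age}/bin/age"` (see the `defaultText` in the module hunk further down); quoting the full expression avoids readers taking it for a relative path.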
@ -587,13 +587,13 @@ improved upon by reading the identities from the age file.)
|
||||||
|
|
||||||
#### Overriding age binary
|
#### Overriding age binary
|
||||||
|
|
||||||
The agenix CLI uses `rage` by default as its age implemenation, you
|
The agenix CLI uses `age` by default as its age implemenation, you
|
||||||
can use the reference implementation `age` with Flakes like this:
|
can use the `rage` implementation with Flakes like this:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
{pkgs,agenix,...}:{
|
{pkgs,agenix,...}:{
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.age}/bin/age"; })
|
(agenix.packages.x86_64-linux.default.override { ageBin = "${pkgs.rage}/bin/rage"; })
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
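Review bot: "implemenation" on the changed line is a typo for "implementation"; fix it while the line is being edited. The sentence is also a comma splice ("... as its age implemenation, you can use ..."); a full stop before "You can use" reads better. Since this example is now the documented way back to rage, it is worth saying that `agenix.packages.x86_64-linux.default` must be replaced with the reader's own `system` attribute, otherwise the override silently applies to a package they never install.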
@ -1,3 +1,3 @@
|
||||||
# Notices {#notices}
|
# Notices {#notices}
|
||||||
|
|
||||||
* Password-protected ssh keys: since the underlying tool age/rage do not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
* Password-protected ssh keys: since age does not support ssh-agent, password-protected ssh keys do not work well. For example, if you need to rekey 20 secrets you will have to enter your password 20 times.
|
||||||
|
|
|
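Review bot: this notice is a word-for-word copy of the README one, so it inherits the same open question: the "20 times" claim contradicts the commit's rationale that age prompts for the passphrase less often. Whatever wording is settled on for the README should be applied here in the same change so the two copies do not drift, and "neither age nor rage supports ssh-agent" would keep the statement true for users who follow the new rage override instructions.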
@ -166,7 +166,7 @@ Example of a secret with a name different from its attrpath:
|
||||||
### `age.ageBin`
|
### `age.ageBin`
|
||||||
|
|
||||||
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
`age.ageBin` the string of the path to the `age` binary. Usually, you
|
||||||
don't need to change this. Defaults to `rage/bin/rage`.
|
don't need to change this. Defaults to `age/bin/age`.
|
||||||
|
|
||||||
Overriding `age.ageBin` example:
|
Overriding `age.ageBin` example:
|
||||||
|
|
||||||
|
|
|
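Review bot: same missing verb as the README copy ("`age.ageBin` the string of the path ..."); fix both copies together so the docs stay in sync, and consider quoting the full `"${pkgs.age}/bin/age"` default rather than the abbreviated `age/bin/age`.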
@ -155,7 +155,7 @@ with lib; let
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
options.age = {
|
options.age = {
|
||||||
package = mkPackageOption pkgs "rage" {};
|
package = mkPackageOption pkgs "age" {};
|
||||||
|
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
type = types.attrsOf secretType;
|
type = types.attrsOf secretType;
|
||||||
|
|
|
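Review bot: this module exposes the binary through a `package` option (a derivation via `mkPackageOption`) while the other module exposes `ageBin` as a string path; the commit message's "switch in all the spots" is satisfied, but the docs touched by this commit only describe `age.ageBin`, so a reader of this module who wants rage back needs a line stating that here the override is `age.package = pkgs.rage;`, not `ageBin`.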
@ -69,6 +69,7 @@ with lib; let
|
||||||
IDENTITIES=()
|
IDENTITIES=()
|
||||||
for identity in ${toString cfg.identityPaths}; do
|
for identity in ${toString cfg.identityPaths}; do
|
||||||
test -r "$identity" || continue
|
test -r "$identity" || continue
|
||||||
|
test -s "$identity" || continue
|
||||||
IDENTITIES+=(-i)
|
IDENTITIES+=(-i)
|
||||||
IDENTITIES+=("$identity")
|
IDENTITIES+=("$identity")
|
||||||
done
|
done
|
||||||
|
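Review bot: `test -s "$identity" || continue` silently skips an empty identity file, just as the preceding `test -r` silently skips an unreadable one, so an operator whose key file was truncated or mis-provisioned only sees age's generic decryption failure later, with no hint which identity was dropped. Emit a warning before continuing, e.g. `echo "warning: skipping empty identity file $identity" >&2`, so the skipped path shows up in the activation log. Also, if every identity is skipped, `IDENTITIES` stays empty and age is invoked with no `-i` at all; a check after the `done` that at least one identity was added gives a far clearer error than the one age produces in that case.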
@ -189,9 +190,9 @@ in {
|
||||||
options.age = {
|
options.age = {
|
||||||
ageBin = mkOption {
|
ageBin = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "${pkgs.rage}/bin/rage";
|
default = "${pkgs.age}/bin/age";
|
||||||
defaultText = literalExpression ''
|
defaultText = literalExpression ''
|
||||||
"''${pkgs.rage}/bin/rage"
|
"''${pkgs.age}/bin/age"
|
||||||
'';
|
'';
|
||||||
description = ''
|
description = ''
|
||||||
The age executable to use.
|
The age executable to use.
|
||||||
|
|
|
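Review bot: `default` and `defaultText` are updated in lockstep, which `literalExpression` requires, so nothing to change in the values. One documentation point: the description "The age executable to use." could mention that overriding this option is the supported way to use rage instead, pointing at the README section this commit rewrites, so the option documentation and the README agree on how to switch.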
@ -1,13 +1,13 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
stdenv,
|
stdenv,
|
||||||
rage,
|
age,
|
||||||
jq,
|
jq,
|
||||||
nix,
|
nix,
|
||||||
mktemp,
|
mktemp,
|
||||||
diffutils,
|
diffutils,
|
||||||
substituteAll,
|
substituteAll,
|
||||||
ageBin ? "${rage}/bin/rage",
|
ageBin ? "${age}/bin/age",
|
||||||
shellcheck,
|
shellcheck,
|
||||||
}:
|
}:
|
||||||
stdenv.mkDerivation rec {
|
stdenv.mkDerivation rec {
|
||||||
|
|
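Review bot: only the argument list is shown, so confirm that `rage` no longer appears anywhere further down in this file (an `inherit`, a `buildInputs` entry, or a substitution handed to `substituteAll`); with the input renamed, any leftover reference now fails at evaluation with an undefined variable, which the integration test mentioned in the commit message should surface. The `ageBin ? "${age}/bin/age"` default keeps the README's `.override { ageBin = ...; }` path working without reintroducing `rage` as an input, which is the right shape.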