commit
c53ac31e44
3 changed files with 36 additions and 6 deletions
22
README.md
|
@ -209,6 +209,28 @@ If your secret cannot be a symlink, you should set the `symlink` option to `fals
|
||||||
|
|
||||||
Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
|
Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
|
||||||
|
|
||||||
|
## Use other implementations
|
||||||
|
|
||||||
|
This project uses the Rust implementation of age, [rage](https://github.com/str4d/rage), by default. You can change it to use the [official implementation](https://github.com/FiloSottile/age).
|
||||||
|
|
||||||
|
### Module
|
||||||
|
|
||||||
|
```nix
|
||||||
|
{
|
||||||
|
age.ageBin = "${pkgs.age}/bin/age";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### CLI
|
||||||
|
|
||||||
|
```nix
|
||||||
|
{
|
||||||
|
environment.systemPackages = [
|
||||||
|
(agenix.defaultPackage.x86_64-linux.override { ageBin = "${pkgs.age}/bin/age"; })
|
||||||
|
];
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
## Threat model/Warnings
|
## Threat model/Warnings
|
||||||
|
|
||||||
This project has not be audited by a security professional.
|
This project has not be audited by a security professional.
|
||||||
|
|
|
@ -10,7 +10,7 @@ let
|
||||||
if lib.versionOlder pkgs.rage.version "0.5.0"
|
if lib.versionOlder pkgs.rage.version "0.5.0"
|
||||||
then pkgs.callPackage ../pkgs/rage.nix { }
|
then pkgs.callPackage ../pkgs/rage.nix { }
|
||||||
else pkgs.rage;
|
else pkgs.rage;
|
||||||
ageBin = "${rage}/bin/rage";
|
ageBin = config.age.ageBin;
|
||||||
|
|
||||||
users = config.users.users;
|
users = config.users.users;
|
||||||
|
|
||||||
|
@ -96,6 +96,13 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.age = {
|
options.age = {
|
||||||
|
ageBin = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "${rage}/bin/rage";
|
||||||
|
description = ''
|
||||||
|
The age executable to use.
|
||||||
|
'';
|
||||||
|
};
|
||||||
secrets = mkOption {
|
secrets = mkOption {
|
||||||
type = types.attrsOf secretType;
|
type = types.attrsOf secretType;
|
||||||
default = { };
|
default = { };
|
||||||
|
|
|
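Review bot: The description of the new `ageBin` option (the `mkOption` block in the second hunk of this section; the file's path is not rendered on this page) says only `The age executable to use.`, which leaves out what the module actually requires of the value. Judging from the first hunk, the string replaces the module's previous `${rage}/bin/rage` wherever that was invoked, so the substitute must accept the same command-line interface as rage (the official `age` CLI does), and since it is presumably run with the host's decryption identities (the decryption script is outside these hunks) it should be a trusted, pinned store path rather than a bare program name resolved on `PATH`. Suggest expanding the description to: `The age executable to use. Must be CLI-compatible with rage (for example the official age binary); it is run with the host's identities, so point it at a trusted Nix store path.`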
@ -8,13 +8,14 @@
|
||||||
nix,
|
nix,
|
||||||
mktemp,
|
mktemp,
|
||||||
diffutils,
|
diffutils,
|
||||||
|
ageBin ? "${
|
||||||
|
# we need at least rage 0.5.0 to support ssh keys
|
||||||
|
if rage.version < "0.5.0"
|
||||||
|
then callPackage ./rage.nix {}
|
||||||
|
else rage
|
||||||
|
}/bin/rage"
|
||||||
} :
|
} :
|
||||||
let
|
let
|
||||||
# we need at least rage 0.5.0 to support ssh keys
|
|
||||||
rageToUse = if rage.version < "0.5.0"
|
|
||||||
then callPackage ./rage.nix {}
|
|
||||||
else rage;
|
|
||||||
ageBin = "${rageToUse}/bin/rage";
|
|
||||||
sedBin = "${gnused}/bin/sed";
|
sedBin = "${gnused}/bin/sed";
|
||||||
nixInstantiate = "${nix}/bin/nix-instantiate";
|
nixInstantiate = "${nix}/bin/nix-instantiate";
|
||||||
mktempBin = "${mktemp}/bin/mktemp";
|
mktempBin = "${mktemp}/bin/mktemp";
|
||||||
|
|
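Review bot: The default for the new `ageBin` argument selects the vendored `./rage.nix` with `if rage.version < "0.5.0"`, but `<` on Nix strings is a lexicographic comparison, so a rage version such as "0.10.0" sorts before "0.5.0" and would silently fall back to the old pinned build; the let-binding this hunk removes had the same flaw, so the commit carries it forward into the new argument default. The module file in the same commit already uses `lib.versionOlder pkgs.rage.version "0.5.0"`, which compares version components numerically. Because `lib` may not be among this file's arguments (the argument list starts outside the hunk), the builtin form avoids adding one: `if builtins.compareVersions rage.version "0.5.0" < 0`. The path of this file is not rendered on the page.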