sops-nix

Add option for choosing which activation method to use

Open zaninime opened this issue 5 years ago • 4 comments

I just tested this on my machine and it seems to perform fine. The default behavior is set to the "old" way, so it's not a breaking change for existing users. Opting in should be as simple as `sops.activationMethod = "systemd";`

I used an enum for now, but the alternative would be to use a boolean, i.e. `useSystemd`. I'm happy to change it.

zaninime, Oct 26 '20 10:10

Hi @Mic92 :wave:

Sorry to pull up an old thread but...

I think systemd is the way to go to use all features of sops-nix. I am thinking about deprecating the activation script method.

Seeing as this PR was never closed, is there still any interest in switching to a systemd service instead of activation scripts?

aanderse, Dec 06 '22 19:12

I have a particular use case where, if sops-nix were to switch to a systemd service, it would open up secrets usage for short-lived systems. Right now, sops-nix assumes GPG/age/ssh keys and it requires that key material exist and a deploy/nixos-rebuild. sops, if using AWS KMS (or any other KMS), will decrypt without that material at run time if roles and access to the correct KMS key are granted. I'd be happy to work on a PR if this functionality is thought useful to the project.

cransom, Feb 10 '23 16:02

I'm interested in this in particular because it would allow me to use my machine's TPM as a root of trust, rather than my host SSH key.

k3d3, Feb 16 '24 17:02

What's the current status of the PR?

snylonue, Apr 14 '24 03:04