sops-nix
sops-nix copied to clipboard
Mic92
Implement home-manager support
The decryption of the keys should be part of
home.activation.
home.activation is not run on boot, which means we also need a service to decrypt secrets to tmpfs.
Because of this we already need to have dependencies between services, I don't see the value added by also having it in activation phase. Does this make sense?
I did some further testing yesterday and it did start on ("boot") login to the user.
I did some further testing yesterday and it did start on ("boot") login to the user.
Ok. Than I need to investigate this.
I recommend you to test it as well. also I did some work on agenix home-manager module yesterday, https://github.com/ryantm/agenix/pull/109, you might want to take a look. Also I mentioned all the challenges I encountered on the agenix matrix channel if you want to go and read them.
@Kranzes
I did some further testing yesterday and it did start on ("boot") login to the user.
AFAIU this is only true when using home-manager as a module for nixos, not when used standalone. As activation is implemented as a user service on nixos then.
Therefore I think using services which are Before the user activation if and only if used as a service, but run standalone on standalone.
I have no clue how to solve this on darwin though. I do not have any experience with that system, I just know that there is no equivalent to systemd user scervices.
I have no clue how to solve this on darwin though. I do not have any experience with that system, I just know that there is no equivalent to systemd user scervices.
Darwin has launchd, and it looks like home-manager has a module for it, so that might be a good solution.
@mtoohey31 could you help with the launchd logic? I don't really have the infrastructure to test anything in that regard
I think I have pretty much all review comments fixed now. Still missing is launchd support
Added an untested launchd module, please test
Sorry for the slow response, I'd be happy to help with testing but I'm out of time tonight. I'll try to get to it soon.
i started a darwin home-manager implementation based on this PR here: https://github.com/pogobanane/sops-nix/tree/feat/home-manager-darwin
- which compiles
- whose git history needs to be cleaned up
- which is completely untested
- which needs error handling
- whose workarounds/TODOs need work
Also there is https://github.com/4825764518/sops-nix/commits/darwin which implements a darwinModule (nixosModule for MacOs, not home-manager module).
Sorry again for the slow reply, your fork works for me! I made two small changes here, and with those changes I was able to set up a secret for my github cli credentials on this branch of my personal configuration. The secret is being set up properly on reboot too.
Aside from that, I haven't done any extensive testing. I'm not familiar with all of sops-nix's features, so feel free to add on if I've missed anything, but here's some of the cases I figure I should still check:
- [x] Different formats
- [x] yaml
- [x] json
- [x] binary
- [x] Different modes
- [x] Non-default
sopsFilevalues
Does nix-darwin supports some sort of unitests? I am not a regular macos user and I fear I might break it accidentally.
Does nix-darwin supports some sort of unitests? I am not a regular macos user and I fear I might break it accidentally.
Tests would probably be a good idea. Both nix-darwin and home-manager have tests included in their main repositories. nix-darwin's are kind of ad-hoc and not really extensible as far as I can tell, but home-manager uses nmt; it might be helpful here.
Edit: on second thought, I'm not certain how useful nmt tests would be. From the limited amount of home-manager tests I've seen, a lot of them seem to be asserting things about what files are created, but we would also want to test that the sops service runs correctly. It might still be possible to test that with nmt though, I haven't looked into it too much.
I've finished some more testing; it looks like all the things I had listed on the checklist above are working properly. I would recommend setting an output path for the launchd agent's logs though, as I have in a0135da0347006dafc212ce10d7f53380e01108b.
I'm waiting for it to be exposed in flake to test it (can do it myself but lazy).
@dasJ Will do so once I manage to make it work.
Right now, systemd service fails to start. One thing I noticed is that there's a missing space somewhere:
> cat /nix/store/jyk79akz7j478pr2f4kfg9pid0b88vs5-sops-nix-user
#!/nix/store/iffl6dlplhv22i2xy7n1w51a5r631kmi-bash-5.1-p16/bin/bash
export SOPS_GPG_EXEC=/nix/store/2ypi8rh1nm1v2w2pafva4rk1vigsjjvj-gnupg-2.3.4/bin/gpg/nix/store/7zi58cdmn8csqi59sp91f1f3bwi9lwcb-sops-install-secrets-0.0.1/bin/sops-install-secrets -ignore-passwd '/nix/store/1nf3f2pssq0nj5p4frcx0yhrplbpqxjq-manifest.json'
There's no line break between export gpg and the next line with sops-install-secrets.
I've been using this branch with gpg for a while now, with some fixes applied at https://github.com/Mic92/sops-nix/compare/master...anilanar:sops-nix:feat/home-manager-flake.
Maybe merge this PR and wait for user feedback? I don't see any way to make progress but wait for people to test this if it works.
Let's merge this? One minor note though: this PR doesn't fix #163 unlike what PR description says, if I'm not mistaken.
i merged the home-manager-darwin version with this branch in #261. @mtoohey31 could you do another quick test if it still works on darwin?
@mtoohey31 could you do another quick test if it still works on darwin?
Sorry that I never replied to this. I see here: https://github.com/Mic92/sops-nix/pull/261#issuecomment-1412683822 that you were able to test things on darwin, so I take it there's no need for me to do any testing at this point?