Request to document installation of sops-nix utilities #50

Closed
kylegentle opened this issue Nov 30, 2020 · 3 comments
Comments

kylegentle commented Nov 30, 2020

The ssh-to-pgp program and sops-pgp-hook nix-shell hook are essential to follow the documented Usage example. Neither is automatically accessible from importing the NixOS module under modules/sops. For example, #29 and #43 are both related to the accessibility of ssh-to-pgp.

Under the "Create a sops file" section, the example shell.nix uses <sops-nix>, which implies that sops-nix (the expression defined in this repo's default.nix) is in the Nix search path. Simply importing the NixOS module, which is the only documented installation step, leaves users like myself with an error that sops-nix was not found in the Nix search path.

What is the recommended approach to make these utilities accessible on the machine used for setup?

For reference, here are the relevant parts of my config:

{ config, pkgs, ... }:
let
  # Pin sops-nix to a fixed revision so the module and its hash are reproducible.
  rev = "b0d764fccdd35588ebda2907911099198f73c89a";
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/${rev}.tar.gz";
    sha256 = "0ny2pr3qjmw9jdbr0n2sy3w76f0pxfpjc8qr7x9zmwzlwck5xpc1";
  };
in
{
  imports =
    [
      ./configuration.nix
      ./hardware-configuration.nix
      # Only the NixOS module is imported here; ssh-to-pgp and sops-pgp-hook are not.
      "${sops-nix}/modules/sops"
    ];
}

kylegentle commented Nov 30, 2020

One approach would be to create a shell.nix at the beginning of the Usage workflow, along the lines of:

# shell.nix
with import <nixpkgs> {};
let
  rev = "b0d764fccdd35588ebda2907911099198f73c89a";
  sops-nix = builtins.fetchTarball {
    url = "https://github.com/Mic92/sops-nix/archive/${rev}.tar.gz";
    sha256 = "0ny2pr3qjmw9jdbr0n2sy3w76f0pxfpjc8qr7x9zmwzlwck5xpc1";
  };
  # Evaluate the repo's default.nix once and reuse its attributes below.
  sopsNix = pkgs.callPackage sops-nix {};
in
mkShell {
  # imports all files ending in .asc/.gpg and sets $SOPS_PGP_FP.
  sopsPGPKeyDirs = [
    "./keys/hosts"
    "./keys/users"
  ];
  # Also single files can be imported.
  #sopsPGPKeys = [
  #  "./keys/users/mic92.asc"
  #  "./keys/hosts/server01.asc"
  #];
  nativeBuildInputs = [
    sopsNix.sops-pgp-hook
    sopsNix.ssh-to-pgp
  ];
}

This is a bit inelegant, but it's what I'm doing while I poke around.


Mic92 commented Dec 2, 2020

Thanks for the feedback. In the meantime I would actually recommend to always have a .sops.yaml. That seems to work more reliably. I think I will update the pgp-hook to only import gpg keys rather than applying environment variables.
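
A `.sops.yaml` of the kind recommended above, as an added example that is not from this issue or the sops-nix project; the fingerprints and host names are placeholders, and the `keys/hosts` / `keys/users` split mirrors the shell.nix earlier in the thread. It scopes each host's secrets to that host's key plus the admin key, so a compromised host cannot decrypt another host's files:

```yaml
# .sops.yaml -- kept at the repository root, where sops looks for it by default.
# All fingerprints and host names below are placeholders, not real keys.
keys:
  # Admin key (exported from GPG, or converted from an SSH key with ssh-to-pgp).
  - &admin_alice 0000000000000000000000000000000000000001
  # Per-host keys derived from each machine's SSH host key via ssh-to-pgp,
  # matching the .asc files kept under keys/hosts/.
  - &host_server01 0000000000000000000000000000000000000002
  - &host_server02 0000000000000000000000000000000000000003

creation_rules:
  # sops uses the FIRST rule whose path_regex matches, so the host-specific
  # rules must come before the catch-all at the bottom.
  - path_regex: secrets/server01/[^/]+\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
          - *host_server01

  - path_regex: secrets/server02/[^/]+\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
          - *host_server02

  # Shared secrets that every listed host legitimately needs.
  - path_regex: secrets/common/[^/]+\.yaml$
    key_groups:
      - pgp:
          - *admin_alice
          - *host_server01
          - *host_server02

  # Catch-all: anything else is readable by the admin only, never by a host.
  - key_groups:
      - pgp:
          - *admin_alice
```

After changing a rule, run `sops updatekeys <file>` on each affected file so the recipient set stored in the file matches the rules again.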


Mic92 commented Jul 3, 2021

ssh-to-pgp is now part of nixpkgs. I added your shell.nix to the README.

Mic92 closed this as completed Jul 3, 2021