Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option for choosing which activation method to use #39

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add option for choosing which activation method to use #39

wants to merge 1 commit into from

Conversation

zaninime
Copy link

I just tested this on my machine and it seems to perform fine. The default behavior is set to the "old" way, so it's not a breaking change for existing users. Opting-in should be as simple as sops.activationMethod = "systemd";

I used an enum for now, but the alternative would be to use a boolean, ie. useSystemd. I'm happy to change it.

Mic92
Mic92 reviewed Nov 1, 2020
View reviewed changes
modules/sops/default.nix
default = "script";
description = ''
Which method to use for setting up secrets. Use `script` for an
activation script, and `systemd` for a systemd unit.
Copy link
Owner

@Mic92 Mic92 Nov 1, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think systemd is the way to go to use all features of sops-nix. I am thinking about deprecating the activation script method.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I change this PR to reflect this? I'd be happy to do it.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hope I get to hack next weekend again on sops-nix: systemd/systemd#16568 (comment)
I prepared systemd socket activation and with this PR systemd/systemd#17510 I should be able to implement it properly and ready for networked KMS.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be more explicit with socket-based secret description it is easier to make systemd wait for secrets to become available without having to specify explicit dependencies. This was my major concern with having sops-nix running as a systemd service instead of activation script. I hope to be able to implement this soonish.

@Mic92 Mic92 mentioned this pull request Nov 4, 2020
Closed
@aanderse
Copy link

aanderse commented Dec 6, 2022

Hi @Mic92 👋

Sorry to pull up an old thread but...

I think systemd is the way to go to use all features of sops-nix. I am thinking about deprecating the activation script method.

Seeing as this PR was never closed is there still any interest in switching to a systemd service instead of activation scripts?

@cransom
Copy link

cransom commented Feb 10, 2023

I have a particular use case where if sops-nix were to switch to a systemd service, it would open up secrets usage for short lived systems. Right now, sops-nix assumes GPG/age/ssh keys and it requires that key material exist and a deploy/nixos-rebuild. sops, if using AWS KMS (or any other KMS), will decrypt without that material at run time if roles and access to the correct KMS key is granted. I'd be happy to work a PR if this functionality is thought useful to the project.

@k3d3
Copy link

k3d3 commented Feb 16, 2024

I'm interested in this in particular because it would allow me to use my machine's TPM as a root of trust, rather than my host SSH key.

@aanderse aanderse mentioned this pull request Apr 13, 2024
Open
@snylonue
Copy link

What's the current status of the pr?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92 Mic92 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@zaninime @aanderse @cransom @k3d3 @snylonue @Mic92