Add support for age plugins #186
Conversation
| @@ -187,6 +187,13 @@ in { | |||
| The age executable to use. | |||
| ''; | |||
| }; | |||
| pluginPackages = mkOption { | |||
There was a problem hiding this comment.
I was thinking perhaps it would be nicer to name this path, similar to systemd.services.<name>.path. On the other hand, the name pluginPackages communicates more intent and I believe is more discoverable. Thoughts? :)
There was a problem hiding this comment.
I think pluginPackages or just plugins are preferable: intent is clearer, as you said, and it is more discoverable by users who might not know age plugins are just executables in PATH.
|
Have a look at this old PR #134 in which I tried the exact same thing just to arrive at the conclusion that this is probably not what I wanted. |
This is only related to using this with
|
|
So, those efforts have died and this still seems a simple and viable approach. Perhaps time to re-open and reconsider? |
|
@koenw This is the exact same way I implemented plugin support in my test config! Even works with ragenix (even though that one is actually suppose to have plugin support; it looks as if the plugins aren't being put in the path from what I saw). When I manually overwritten the ageBin and appended the plugins to the PATH, it made it function properly). However, I do wish there was a similar way of implementing this for the HomeManager module; |
There was a problem hiding this comment.
Seems entirely sensible to me, and a badly-needed feature, especially in environments where SSH host keys might not be available early-enough during boot.
The case I ran into is simply because the secrets-containing ZFS dataset isn't yet mounted during the first activation (though I expect many other root-on-tmpfs setups would run into the same issue) but this also enables setups where the SSH host keys are either provided via agenix or sealed to the TPM.
| @@ -187,6 +187,13 @@ in { | |||
| The age executable to use. | |||
| ''; | |||
| }; | |||
| pluginPackages = mkOption { | |||
There was a problem hiding this comment.
I think pluginPackages or just plugins are preferable: intent is clearer, as you said, and it is more discoverable by users who might not know age plugins are just executables in PATH.
|
It seems to me rather reasonable to only support non-interactive plugins which can run on first activation. To support to plugins which require certain services to run, I believe the most reasonable solution would be to:
I believe that could reasonably wait until a follow-up PR though. Footnotes
|
First of all thanks for the software :)
When
nixos-rebuild-ing my system flake with secrets encrypted to/with my Yubikey, (r)age gave the error that it was unable to find the pluginage-plugin-yubikeyin it's $PATH even though I was able to run it myself. This is because any installed plugins would be unavailable in the build environment.I have added an option to the agenix module to specify the age plugin packages that should be available in the build environment. This fixed the error for me and I am now able to successfully
nixos-rebuildwith secrets decrypted from my Yubikey.I'm still finding my way with Nix so please let me know if you need any changes (or if this is totally not the right approach at all).
Thanks!