Add a integration where the sudo password can be specified in a sops encrypted file #324

Open
weriomat wants to merge 11 commits into serokell:master from weriomat:sops

@weriomat (Contributor)

As I use sudo on my machines (to elevate the privileges from the "deploy" user) and don't want to manually type the sudo password every time I run a deployment, I implemented a solution where the password is retrieved from a sops encrypted file.
This is especially nice since I use sops-nix to set the password of the user and now can reuse this fact to run the deployment.

In particular, we need to specify sudoFile as well as sudoSecret for a node.
I introduced a NixOS test for this use case as well as provided an example and explained on how sudoSecrets works.
Currently, the only drawback I see with this approach is that SOPS_AGE_KEY_FILE (sops will look for age private keys under $XDG_CONFIG_HOME/sops/age/keys.txt by default) will not be respected by this implementation and therefore forcing users to put the keys under the aforementioned directory (I have not tested that it won't work, but I assume that).

P.S. The flake under example/sops currently points to my fork and should be changed when this gets merged :)

@cinderisles commented Sep 5, 2025 (edited)

@weriomat I tried your fork on the master branch and kept running into an issue with parsing the sops YAML file.

In my case, my secrets.yaml looks like this:

```yaml
userPassword: some-password-hash # for use with hashedPasswordFile to set the password for another user
deployPassword: some password
```

This caused an error parsing the interface.json file on this line which uses check-jsonschema.

Your example yaml like below worked, but that error would happen if I tried to add anything else:

```yaml
password:
  deploy: something
```

Seems like check-jsonschema uses this for JSON schema, so I just changed the type for sudoFile from "path" to "string"

This one commit in my fork seems to be enough to fix it based on my testing

cinderisles@bda69b4

@weriomat (Contributor, Author)

Thank you for investigating this fix, I will update
