chore: cleanup flake and add nix tests for sops

weriomat · weriomat · commit b39f5617b983 · 2025-06-06T21:09:19.000+02:00
diff --git a/flake.nix b/flake.nix
@@ -165,13 +165,13 @@
         };
       in
       {
-        packages.default = self.packages."${system}".deploy-rs;
+        packages.default = self.packages.${system}.deploy-rs;
         packages.deploy-rs = pkgs.deploy-rs.deploy-rs;
 
-        apps.default = self.apps."${system}".deploy-rs;
+        apps.default = self.apps.${system}.deploy-rs;
         apps.deploy-rs = {
           type = "app";
-          program = "${self.packages."${system}".default}/bin/deploy";
+          program = "${self.packages.${system}.default}/bin/deploy";
         };
 
         devShells.default = pkgs.mkShell {
diff --git a/nix/tests/default.nix b/nix/tests/default.nix
@@ -20,7 +20,7 @@ let
     done <$refs
   '';
 
-  mkTest = { name ? "", user ? "root", flakes ? true, isLocal ? true, deployArgs }: let
+  mkTest = { name ? "", user ? "root", flakes ? true, isLocal ? true, sops ? false, deployArgs }: let
     nodes = {
       server = { nodes, ... }: {
         imports = [
@@ -36,7 +36,7 @@ let
       };
       client = { nodes, ... }: {
         imports = [ (import ./common.nix { inherit inputs pkgs flakes; }) ];
-        environment.systemPackages = [ pkgs.deploy-rs.deploy-rs ];
+        environment.systemPackages = [ pkgs.deploy-rs.deploy-rs ] ++ lib.optionals sops [ pkgs.sops ];
         # nix evaluation takes a lot of memory, especially in non-flake usage
         virtualisation.memorySize = lib.mkForce 4096;
         virtualisation.additionalPaths = lib.optionals isLocal [
@@ -97,6 +97,14 @@ let
       client.succeed("cp ${./server.nix} ./server.nix")
       client.succeed("cp ${./common.nix} ./common.nix")
       client.succeed("cp ${serverNetworkJSON} ./network.json")
+
+      # Prepare sops keys
+      client.succeed("cp ${./sops/.sops.yaml} ./.sops.yaml")
+      client.succeed("cp ${./sops/password.yaml} ./password.yaml")
+      # this is where sops looks for private keys
+      client.succeed("mkdir -p /root/.config/sops/age/")
+      client.succeed("cp ${./sops/age_private.txt} /root/.config/sops/age/keys.txt")
+
       client.succeed("nix --extra-experimental-features flakes flake lock")
 
       # Setup SSH key
@@ -115,6 +123,9 @@ let
       # Make sure the hello and figlet packages are missing
       server.fail("su ${user} -l -c 'hello | figlet'")
 
+      # Create a missing directory
+      server.succeed("mkdir -p /root/.local/state/nix/profiles")
+
       # Deploy to the server
       client.succeed("deploy ${deployArgs}")
 
@@ -173,4 +184,16 @@ in {
     flakes = true;
     deployArgs = "--file . --targets server";
   };
+  sops = mkTest {
+    name = "sops";
+    user = "sops";
+    sops = true;
+    deployArgs = "-s .#sops";
+  };
+  sops-override-arguments = mkTest {
+    name = "sops-override-arguments";
+    user = "sops";
+    sops = true;
+    deployArgs = "-s .#server --sudo-file ./password.yaml --sudo-secret passwords/sops --ssh-user sops";
+  };
 }
diff --git a/nix/tests/deploy-flake.nix b/nix/tests/deploy-flake.nix
@@ -36,7 +36,7 @@
           "-o" "StrictHostKeyChecking=no"
           "-o" "StrictHostKeyChecking=no"
         ];
-        profiles.system.path = deploy-rs.lib."${system}".activate.nixos self.nixosConfigurations.server;
+        profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.server;
       };
       server-override = {
         hostname = "override";
@@ -46,7 +46,7 @@
         sshOpts = [ ];
         confirmTimeout = 0;
         activationTimeout = 0;
-        profiles.system.path = deploy-rs.lib."${system}".activate.nixos self.nixosConfigurations.server;
+        profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.server;
       };
       profile = {
         hostname = "server";
@@ -67,6 +67,14 @@
           in deploy-rs.lib.${system}.activate.custom activateProfile "$PROFILE/bin/activate";
         };
       };
+      sops = {
+        hostname = "server";
+        sshUser = "sops";
+        sshOpts = [ "-o" "StrictHostKeyChecking=no" ];
+        sudoFile = ./password.yaml;
+        sudoSecret = "passwords/sops";
+        profiles.system.path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.server;
+      };
     };
   };
 }
diff --git a/nix/tests/server.nix b/nix/tests/server.nix
@@ -4,20 +4,49 @@
 { pkgs, ... }:
 {
   nix.settings.trusted-users = [ "deploy" ];
-  users = let
-    inherit (import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs) snakeOilPublicKey;
-  in {
-    mutableUsers = false;
-    users = {
-      deploy = {
-        password = "";
-        isNormalUser = true;
-        createHome = true;
-        openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+  users =
+    let
+      inherit (import "${pkgs.path}/nixos/tests/ssh-keys.nix" pkgs) snakeOilPublicKey;
+    in
+    {
+      mutableUsers = false;
+      users = {
+        deploy = {
+          password = "";
+          isNormalUser = true;
+          createHome = true;
+          group = "deploy";
+          extraGroups = [ "wheel" ]; # need wheel for `sudo su`
+          openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+        };
+        sops = {
+          password = "rootIsAGoodRootPassword";
+          isNormalUser = true;
+          createHome = true;
+          group = "sops";
+          extraGroups = [ "wheel" ]; # need wheel for `sudo su`
+          openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+        };
+        root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+      };
+      groups = {
+        deploy = { };
+        sops = { };
       };
-      root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
     };
-  };
+
+  # deploy does not need a password for sudo
+  security.sudo.extraRules = [
+    {
+      groups = [ "deploy" ];
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
   services.openssh.enable = true;
   virtualisation.writableStore = true;
 }
diff --git a/nix/tests/sops/.sops.yaml b/nix/tests/sops/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+  - &primary age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+creation_rules:
+  - path_regex: password.yaml
+    key_groups:
+      - age:
+          - *primary
diff --git a/nix/tests/sops/age_private.txt b/nix/tests/sops/age_private.txt
@@ -0,0 +1,3 @@
+# created: 2025-06-05T11:36:08+02:00
+# public key: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+AGE-SECRET-KEY-1L8HTRL2THGGZLXQQDTDLDG0U8EL4RSSAMVT9RYUG5JWPUJW49N9QS0EFSZ
diff --git a/nix/tests/sops/age_public.txt b/nix/tests/sops/age_public.txt
@@ -0,0 +1 @@
+age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
diff --git a/nix/tests/sops/password.yaml b/nix/tests/sops/password.yaml
@@ -0,0 +1,17 @@
+passwords:
+    sops: ENC[AES256_GCM,data:DXcCPJcsVWA4oja7DFCUERRLR98rcbY=,iv:NaqB7ogUGJUAg0wg4J1xsUEEX48lbDUhRNfuRlBp5YI=,tag:e+D9XwazhhHhqPefepUbrA==,type:str]
+sops:
+    age:
+        - recipient: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMckNqSWF3MUpNOU91T2Zh
+            dU9ZQlozVWd3bnhsakZRSlFxcGVCZ3Z1dGpvCkVtbkhDNkNhTU5PUHhuVm5BaTJa
+            dGRhU0c5MmQ2bVdyc1JnVVB0aCt1YW8KLS0tIHd4NWlDZEQvdEhxb2lVaUtmSktO
+            MDExNzUwUG5KZ2JyZHhKTmFLZEpleWcKDNxV1CKbEeQ4ixX4PMSj60egj31bN2KG
+            Zm0wfO8UtuGkLVcPKLL7jUhgQXzN9jHg/fDzT11tTnmFaEwtfhHzWg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-06T17:18:18Z"
+    mac: ENC[AES256_GCM,data:A6ee/YUtR65KK2697QLKzKgGvaGUZZjgv5Ie2fUBnxtnTf5aWx0E+2mY1krbwv02Wr9HAr/BJnSKqvFrANEA2x58Ijgin+g8nVgspxshTgG1TPXL1+cG724kxheiU0TRnmBwumyEsVlpSjxbyeEDngH4oB9rIuc33Sp7Z1PAXpA=,iv:fgRXSEDjYyjRxwTN1/ZIokgdzE8wjpUALzEUAdWhUIQ=,tag:4lR0+tp/EqXB4qqv4UhxkQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# created: 2025-06-05T11:36:08+02:00`
	`2`	`+# public key: age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm`
	`3`	`+AGE-SECRET-KEY-1L8HTRL2THGGZLXQQDTDLDG0U8EL4RSSAMVT9RYUG5JWPUJW49N9QS0EFSZ`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+age179s8jnppgy9kwakmva8av6frpnhgg9myrvk3xlfpanmhvvzyh96sdygfcm`