Merge pull request #81 from chuangzhu/agebin

Allow customizing ageBin
ryantm · Dec 5, 2021 · c53ac31 · c53ac31
2 parents 52ea2f8 + d85abe9
commit c53ac31
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -209,6 +209,28 @@ If your secret cannot be a symlink, you should set the `symlink` option to `fals
 
 Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
 
+## Use other implementations
+
+This project uses the Rust implementation of age, [rage](https://github.com/str4d/rage), by default. You can change it to use the [official implementation](https://github.com/FiloSottile/age).
+
+### Module
+
+```nix
+{
+  age.ageBin = "${pkgs.age}/bin/age";
+}
+```
+
+### CLI
+
+```nix
+{
+  environment.systemPackages = [
+    (agenix.defaultPackage.x86_64-linux.override { ageBin = "${pkgs.age}/bin/age"; })
+  ];
+}
+```
+
 ## Threat model/Warnings
 
 This project has not be audited by a security professional.

diff --git a/modules/age.nix b/modules/age.nix
@@ -10,7 +10,7 @@ let
     if lib.versionOlder pkgs.rage.version "0.5.0"
     then pkgs.callPackage ../pkgs/rage.nix { }
     else pkgs.rage;
-  ageBin = "${rage}/bin/rage";
+  ageBin = config.age.ageBin;
 
   users = config.users.users;
 
@@ -96,6 +96,13 @@ let
 in
 {
   options.age = {
+    ageBin = mkOption {
+      type = types.str;
+      default = "${rage}/bin/rage";
+      description = ''
+        The age executable to use.
+      '';
+    };
     secrets = mkOption {
       type = types.attrsOf secretType;
       default = { };

diff --git a/pkgs/agenix.nix b/pkgs/agenix.nix
@@ -8,13 +8,14 @@
   nix,
   mktemp,
   diffutils,
+  ageBin ? "${
+    # we need at least rage 0.5.0 to support ssh keys
+    if rage.version < "0.5.0"
+    then callPackage ./rage.nix {}
+    else rage
+  }/bin/rage"
 } :
 let
-  # we need at least rage 0.5.0 to support ssh keys
-  rageToUse = if rage.version < "0.5.0"
-         then callPackage ./rage.nix {}
-         else rage;
-  ageBin = "${rageToUse}/bin/rage";
   sedBin = "${gnused}/bin/sed";
   nixInstantiate = "${nix}/bin/nix-instantiate";
   mktempBin = "${mktemp}/bin/mktemp";