Add sops-nix secrets in the tests#270

Merged

jfroche merged 4 commits into main from secrets on Feb 3, 2026
Conversation

@JulienMalka JulienMalka commented Sep 15, 2025

We support sops-nix secrets!

This depends on a number of other changes including #266, so this is not ready.

I am bringing sops-nix as a flake input for the sake of testing, I don't know how we feel about that.

I had to add the dependency on sysinit-reactivation.target to the sops-nix systemd unit; I think we should contribute that upstream, otherwise users will trip on it.

@JulienMalka JulienMalka marked this pull request as draft September 15, 2025 08:51
@JulienMalka JulienMalka changed the base branch from main to users September 15, 2025 09:02
@jfroche jfroche force-pushed the secrets branch 4 times, most recently from a93da6e to a9d482e Compare September 16, 2025 10:19
@zimbatm zimbatm added this to the First release milestone Oct 31, 2025
@jfroche jfroche force-pushed the secrets branch 2 times, most recently from ca3f43c to 98bafde Compare January 19, 2026 18:31
jfroche added a commit that referenced this pull request Jan 22, 2026
Users consuming system-manager as a flake input only need the package,
lib, and modules - not the test infrastructure. By moving VM tests to
a subflake, the main flake stays minimal with nixpkgs as its only input.

This separation enables CI to run fast package checks independently from
slow VM tests, and provides proper flake.lock version pinning for test
dependencies like nix-vm-test (replacing the inline fetchTarball).

Future test dependencies (e.g., sops-nix for compatibility testing in
#270) can be added to testFlake without touching the main flake.
@jfroche jfroche force-pushed the secrets branch 4 times, most recently from 669e134 to 948c1f0 Compare February 2, 2026 13:07
@jfroche jfroche marked this pull request as ready for review February 2, 2026 13:13
jfroche added a commit that referenced this pull request Feb 3, 2026
@jfroche jfroche force-pushed the users branch 2 times, most recently from e818562 to 0e6f9f9 Compare February 3, 2026 16:20
Base automatically changed from users to main February 3, 2026 16:27
JulienMalka and others added 2 commits February 3, 2026 17:43
Add stubs for system.activationScripts options used by sops-nix:
- generate-age-key
- setupSecrets
- setupSecretsForUsers

These stubs allow importing sops-nix module without requiring the full
NixOS activation scripts infrastructure.

sops-nix uses hostKeys to auto-detect SSH keys for age decryption.
This stub allows the module to evaluate; users on non-NixOS systems
should set sops.age.sshKeyPaths explicitly.
@jfroche jfroche force-pushed the secrets branch 2 times, most recently from cda56e9 to 9c5ede9 Compare February 3, 2026 16:57
Verify that secrets can be decrypted using an ed25519 SSH host key
converted to age format via sops.age.sshKeyPaths, which is useful
for machines that already have SSH host keys and don't want to
manage separate age key files.
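The consumer-side configuration the commits above describe, written out as an added example (not code from the system-manager repository or this PR): a system-manager module that imports sops-nix and decrypts secrets with the machine's ed25519 SSH host key through sops.age.sshKeyPaths. It assumes `inputs.sops-nix` is the flake input, the host key sits at the OpenSSH default path, the `my-service` account already exists, and system-manager supplies the activationScripts and hostKeys stubs from this PR so the module evaluates outside NixOS.

```nix
# Added example, not part of system-manager. Assumptions: `inputs.sops-nix`
# is the flake input, ./secrets.yaml exists next to this file, the
# `my-service` user/group already exists, and the activationScripts/hostKeys
# stubs from this PR are present so sops-nix evaluates without NixOS.
{ inputs, config, lib, ... }:
{
  imports = [ inputs.sops-nix.nixosModules.sops ];

  sops = {
    # Encrypted secrets file checked into the repository (ciphertext only).
    defaultSopsFile = ./secrets.yaml;

    # Non-NixOS hosts have no services.openssh.hostKeys to auto-detect
    # (the stub is empty), so name the ed25519 host key explicitly; sops-nix
    # converts it to an age identity when it installs the secrets.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    # Do not silently mint a fresh age key: if the host key is missing,
    # decryption must fail rather than succeed with an unmanaged identity.
    age.generateKey = false;

    secrets."my-service/api-token" = {
      # Least privilege: only the service account can read the plaintext,
      # which sops-nix writes under /run/secrets (tmpfs, not the Nix store).
      owner = "my-service";
      group = "my-service";
      mode = "0400";
      # Re-deploying a rotated token restarts the consumer automatically.
      restartUnits = [ "my-service.service" ];
    };
  };

  # The unit receives the secret as a systemd credential read from the
  # decrypted file, never via the environment or the command line.
  systemd.services.my-service = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "my-service";
      Group = "my-service";
      LoadCredential =
        "api-token:${config.sops.secrets."my-service/api-token".path}";
      # Placeholder binary; the real service reads $CREDENTIALS_DIRECTORY/api-token.
      ExecStart = "/path/to/my-service";
    };
  };
}
```

If the host key is not ed25519, sops-nix cannot derive an age identity from it, so the activation fails at decryption time rather than at evaluation; that is the case the PR's sshKeyPaths test covers.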
@jfroche jfroche merged commit 0523109 into main Feb 3, 2026
3 checks passed
@jfroche jfroche deleted the secrets branch February 3, 2026 17:23
@jfroche jfroche mentioned this pull request Apr 23, 2026