test(shadowing): sops-install-secrets

Author: vdbe

pkgs/sops-install-secrets/nixos-test.nix

@@ -377,4 +377,75 @@
     inherit pkgs;
     inherit (pkgs) system;
   };
+
+  sops-files-shadowing = makeTest {
+    name = "sops-files-shadowing";
+    nodes.machine = {lib,...}:
+    let
+      inherit (lib.lists) reverseList;
+      inherit (lib.modules) mkDefault;
+
+      sopsFile = ./test-assets/secrets.yaml;
+      systemSopsFile = ./test-assets/secrets-system.yaml;
+      userSopsFile = ./test-assets/secrets-user.yaml;
+
+      sopsFiles = [ sopsFile ];
+      systemSopsFiles = sopsFiles ++ [ systemSopsFile ];
+      userSopsFiles = systemSopsFiles ++ [ userSopsFile ];
+
+      mkSecretConfig = key: sopsFiles: { inherit key sopsFiles; };
+    in {
+      imports = [ ../../modules/sops ];
+      sops = {
+        age.keyFile = ./test-assets/age-keys.txt;
+        defaultSopsFile = sopsFile;
+
+        secrets.test_key = {};
+        secrets.test_key_system = mkSecretConfig "test_key" systemSopsFiles;
+        secrets.test_key_user = mkSecretConfig "test_key" userSopsFiles;
+
+        secrets.test_key2_system = mkSecretConfig "test_key2" systemSopsFiles;
+        secrets.test_key2_user = mkSecretConfig "test_key2" userSopsFiles;
+
+        secrets.test_key3_user = mkSecretConfig "test_key3" userSopsFiles;
+
+        secrets.test_key3_user_reverse = mkSecretConfig "test_key3" (reverseList userSopsFiles);
+        secrets.test_key2_user_reverse = mkSecretConfig "test_key2" (reverseList userSopsFiles);
+        secrets.test_key_user_reverse = mkSecretConfig "test_key" (reverseList userSopsFiles);
+
+        secrets.priority_file = {
+          key = "test_key";
+          sopsFile = systemSopsFile;
+          sopsFiles = mkDefault userSopsFiles;
+        };
+        secrets.priority_same = {
+          inherit sopsFile;
+          key = "nested/test/file";
+          sopsFiles = [ systemSopsFile userSopsFile ];
+        };
+      };
+    };
+
+    testScript = ''
+      start_all()
+      machine.succeed("cat /run/secrets/test_key | grep -qw test_value")
+      machine.succeed("cat /run/secrets/test_key_system | grep -qw test_value_system")
+      machine.succeed("cat /run/secrets/test_key_user | grep -qw test_value_user")
+
+      machine.succeed("cat /run/secrets/test_key2_system | grep -qw test_value2_system")
+      machine.succeed("cat /run/secrets/test_key2_user | grep -qw test_value2_user")
+
+      machine.succeed("cat /run/secrets/test_key3_user | grep -qw test_value3_user")
+
+      machine.succeed("cat /run/secrets/test_key3_user_reverse | grep -qw test_value3_user")
+      machine.succeed("cat /run/secrets/test_key2_user_reverse | grep -qw test_value2_system")
+      machine.succeed("cat /run/secrets/test_key_user_reverse | grep -qw test_value")
+
+      machine.succeed("cat /run/secrets/priority_file | grep -qw test_value_system")
+      machine.succeed("cat /run/secrets/priority_same | grep -qw 'another value'")
+    '';
+  } {
+    inherit pkgs;
+    inherit (pkgs) system;
+  };
 }

pkgs/sops-install-secrets/test-assets/secrets-system.yaml

@@ -0,0 +1,64 @@
+test_key: ENC[AES256_GCM,data:nKT/4vbkpyYUS18rJ4na1pk=,iv:1VwaqxGdrUlquA6pr1yQV4wnq1FPlEhilK9FGPFs8SM=,tag:HUxe8+MUpyQUXuIwR3dxIQ==,type:str]
+test_key2: ENC[AES256_GCM,data:IZ3XrdhsMKSAeRBxm1kiHSd+,iv:XGEBYa++pwrp3zQNGFDp7mSpQzZDEYC1oLEJOCnT5Bs=,tag:VuEURKlDst5aKTqmnPksog==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaGJ0ZlFUMXNNSkRYeitS
+            TVkvU1RacHJIYzdMT1AxaldVRnNIMVVxb1hZCnFOclVlMEdJUDJWMDhaejRkU3hq
+            Y0tObnZYYnhidTB2Z2p0amhUaTZGeHMKLS0tIERDU3pKb1FwZk44bXBualhnS0Z5
+            eWlUdXhCZGM2dzcxNEY0MTBwN3prTDgK9Sgzw8IuSnBBLS9cNlh6UnzTraxgrQe6
+            qo+34EQln2Kty7Ot+8TnYo1X+8xRn3VTsQw8+iVdcr28DI0ltMcFtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8pk4akrdamj7nvqy3zywgtny8dxz7t5xzu7u8v9mhrayp9freqsqatyrs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVkFidnFPQ0toY0RPeFZN
+            eCsxSUxlU05LUXJYVWVBb3NTblhKVExsNzN3CjkyWlJFaXE3N1RiaEJ1RjdtZncv
+            cERvdi9kQ3FYY2l3NmF4SUVzYlJxYUEKLS0tIFNSUzhkV0tDYWFjVUprczVCTS9Y
+            c3poQXZhSzZvVTY2YmdEVVVaUHVxTVkK7Y/YTczA/T5EmLJNjGkL6bh0eI0xH7aH
+            sjOdnuQG2vioHBYnsqWmmn0bUvY7y3q0h6y+gMDfmzYIgh6B2spUrA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-12T16:37:17Z"
+    mac: ENC[AES256_GCM,data:igpv/Z/VWq53sh3A+LqUl8jPOZumm3/0yaj7Tco9nAqzwJ7v/QNgUiCZlFe2tUZXXE/0kH+C990aRU8QqKR0uJJ86Jz0jyRTdHYEqPtWUabAg9kofAsU1tr+qTRJ1dfuYJ+BukF0tLNwFce00th+RRJzCjBncSHnP4go7rELyr0=,iv:reqRxtuXt/wOhDVHoYcjOpmhpTqFzMpqh8C0ZVKTwUI=,tag:F2irgrIq61xXhs4v5Y4img==,type:str]
+    pgp:
+        - created_at: "2023-11-12T16:37:09Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA/m6nevQP1fAAQf9HVmJtTe34ameXLpIKgHvUmMLFzarqCTpFx1h4WZo+0Nk
+            3eHw572Mm0npG5/uRqbff6fdb433dNlJXLF/O3ZFLk30+6cKsWbcDXAlrCC6fug7
+            UJh3SJ+Vrp+fsPQXF+2JIkz7ktRZAJ1ktKOKh8P6UjJcrVVG0QH/2gx2wjx+0TBZ
+            Jem+zF+2TSvj/VQPcdfi4eBisyDGUopiSgLlvENNK6h3pStVWqQTMmMVEZw6SGvW
+            OwqgydTzzgsLsrZOr4RMNd0KOwhFtHZ758OMePoxdmhDMS/n06fia5TlajTidMOT
+            H5vosuHh3EuEyl+dKX/N2HwYToADCV+MIdMBN3n8JNJeAVJUp1Kxyh0MlMgUm/vk
+            g83FuYZ8u3F8MaCzk/+XlJUst0iraxPyO0DQpTuYRmtZ1seVAEidWsDmoDzqxq29
+            S4GigtxlDcAFhzSMuteLjhWPXO5CHOc+h9tPFqAUCQ==
+            =bj6u
+            -----END PGP MESSAGE-----
+          fp: 7FB89715AADA920D65D25E63F9BA9DEBD03F57C0
+        - created_at: "2023-11-12T16:37:09Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA3ulPRkZxd/UAQwAqqwRqq/9n06pkZQ1TXS/4Y9s5QdoMOOYrlMwGXNIkieR
+            6u6qAmJhwsEBWp03gfggFnsfAnKH7zXGdNhWumLkWMvX6DldHkv+4jG/mWOqaNUw
+            wnkJXNpNoff79DIpZlYZkeTLyFU+02wvbSN56WJCXUCzu+07snT8mCFVRRu6+JJH
+            v3AD+7K/AWsL3NeL8/eijKuse2nMyWfkSQO77lNS65rI+HAEPkPr+AcYmc0qsvk1
+            nt+f/UwuLzdsx0wiJ/qoO23vpUGekA6f4Pl5sJX2vfIoroet6h/SlMEBFfgN+9uE
+            kHJvd31p5OWhSxGe1s+gYNpJqkRJlevcZhMw7GRY5wrlxSz+KjUysudSklAdBiDA
+            C2XvU9GrxKAvWLNZpmPLJgJSeEFdT3GaG0uZdkqXL3ERN+5i4xonLrmipJabLP2r
+            X2y4lHwTPqnJAAtzkajNbkJECl9HjXimQKIue3Adxdks48b87yn9r4jEFl5Q3jzi
+            7PJRGSXxXh7IYug9oK8j0lgBR73bXlKg6NoRb60Qf+fNr1C+2/u9/oZHtMVkL9DC
+            GQgYMcNl/iaXwtMKrXRpXdybJiUaEVDUj1IniOKslkA+SXqYPT/GEgzsZg7N1iNj
+            T8HB88mqIowz
+            =+4j5
+            -----END PGP MESSAGE-----
+          fp: 2504791468B153B8A3963CC97BA53D1919C5DFD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

pkgs/sops-install-secrets/test-assets/secrets-user.yaml

@@ -0,0 +1,65 @@
+test_key: ENC[AES256_GCM,data:JZ2xgV5SWgDZavBCIcH+,iv:kl6h4EJbivo1wVHqzM8W0vHyf4U+qEYoqH6JXIgYdTw=,tag:z0roNXcgF+dGvv4MMAO2Rw==,type:str]
+test_key2: ENC[AES256_GCM,data:E43CtluUaO4EzvWrrbwIWA==,iv:AI3togB1kiYo3VEjEwNyWCWb7XC1nooN3vDj/K9wuNc=,tag:7OYaY/Htw95akdr1klYFWg==,type:str]
+test_key3: ENC[AES256_GCM,data:vWP0CpCR6Mh2mcTJBsQmBA==,iv:9iZHc5m89AmfWLKGqw6RHA+M51wclGqcZzVur7ZDk5k=,tag:yfdfW7VS3eptl/YRqn61mg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBINGZkWG9TNkk3cTdvc2hh
+            NFNpbG11TnZjZHRZdFczSTZSRElGcHhkeFZ3CldjMXpjMFdOd1JzemFONmkya2pv
+            ZGlGN25DZVFpSG9waTkydjJXSUJFRjAKLS0tIFZWblk2cmtRWEdUYXo4REROTVpW
+            V0M4MjBaYTBrTCtSVXRtNGh0bzNaREUKsbZ9EK24APYCCC63qbI4YsJmkNFH/j88
+            ROwRAXFqm0SZcwqUU6TbK9ulyyfE9dsWZ8a6Zb3iDFlFVBuEd5Yb7w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1a8pk4akrdamj7nvqy3zywgtny8dxz7t5xzu7u8v9mhrayp9freqsqatyrs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaXVQeVlFU0trMGROZEdp
+            Y2xJNzJzWGNFcEtVS1R4ODBIWWk5dkFEeDBVCktrWkFlUkI3eksyVWRmNTcxRWpU
+            YllzU1NwNHZHWk9oU2FabFFSRnJuY0UKLS0tIDBaUjVaak5qUGNlRHVpSi9HTEFW
+            OFdHYSsyNGcvSG91dGxFdk1NYmVRSkkKEEqXuDN7gFKwUDY6O9EMbhEzGIY/BfGU
+            SM435jTAcR76tq10HbgYgBQ2ef2vvUmvkVzHGQV9LsTxMT+11oFSHw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-12T16:44:49Z"
+    mac: ENC[AES256_GCM,data:auu+8Cs8qRX5OEfCSO0m5U9rEdgKYBWninSVu0H1+VDtGOxjOPhVjAJgIa9wHGbrhp7LoDFymgiGGzbG3H4B/gZAFEhoyYn8VfJOHouT12M6kijtBUAhSqL5csbTMfiZmganvKPYN6PXg7hX2MyjJlFAGLc/Ixte61fKGoExqgA=,iv:P1uCpCO+nqS+dUXhxCcYd/2q0PHVUfbGvYm5PHVrP9s=,tag:yxlNfyTSnM0Wbj95Z/8Ffw==,type:str]
+    pgp:
+        - created_at: "2023-11-12T16:41:00Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA/m6nevQP1fAAQf/XVOr/ZOZo/b5lDJ7EIeRgwejwtJLGToF6xXM0jcZvlsB
+            1Vk2tuzOpAGpO8JpaTzZj0n4Da8+XXpEqLqeGFBsjPni+W0ErlYR/exIVFBZyCVM
+            gVFnjoAsiR7z+Y+ovYx1VBVpfav3GXXNkPOWNOQlXAhoS9Rxv04AU8XBBy5Hk5kH
+            is+eM9U+iVxlZfEGW3nAylSieMQdEjWG3MM8KgWr4SLSSLY+sAhiM6QwSDF0wkkn
+            mLcFJ4CwbWiZIa0995lbhIusTko+DJfdYB6b6e7yxftMySKskTKp0fRh6eagpLhC
+            oXca0MSIhdWUbgcB4MnWdXl6fGYL7YnTgwOg50ETdNJeAf6p+u/uBElu0Ym94ZRf
+            /DHrY/rRMx6xNtUCwxAI4ekmi/gXky9/lteZtkW87nXGaYweeQECfbDFWtNczbpn
+            mfQzF/LrdlaIMEyMGpLow7AgakEuIPXyH5f9hgz9IA==
+            =NPJP
+            -----END PGP MESSAGE-----
+          fp: 7FB89715AADA920D65D25E63F9BA9DEBD03F57C0
+        - created_at: "2023-11-12T16:41:00Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA3ulPRkZxd/UAQv/UWnL12QFkO1EDguYrLyzq50qAc9wtWJvYP8SS4CP/k1t
+            ii0cSteyxbiPnYAFFRsiW3KDfkVIOl24+qKihmOcsq+uL90VxweGHJbZwwdNLU5v
+            YD+bbvfAN1iO2eY0ipTL1gNSu0zl4s8bZaTaYBIBhwTMXNWLfz7CHMU2yJ1g5sWK
+            oZjGYkleq76zUmhDpzKONivYQiN+UayZ5XqEavdVc5omUlM26hO6jgDUxYua7Wjf
+            m5cDyPHLzO04d91z0hLxYl5dfK93R2/1dicFmh0yin/nyxbqGBKUAoYdpYAhuI9M
+            JnKgeEx1mNZnCJdXSJouAA9FakTIkkbOPr45ik087VQ8AdY/c7Ao8SGB2W2kOPqt
+            +G2r5GBeO/0XH7FUIAcvekOHrjPV16aQpZCouJsFOUMtXi5lnViWhyVPPxERAzIL
+            sCN2AHI/aFXycPEXSnwoCMvW+3KOihLDxBUPK45Pjc7HfiOPDeWCva6BhG5gFQkT
+            sJ2B0yeaJoNlQO2bG+AJ0lgBW4s+Q0rtoSRj52cCnVj4zlgjrArPje/aU8pj0w5k
+            aSl1OoqsD1a5A7vkldmVgec9rWhByRDEnHke00OhmOcPDm6hv0fROwa5qls9RhR0
+            Gs6FXl5y3Cz7
+            =yMyb
+            -----END PGP MESSAGE-----
+          fp: 2504791468B153B8A3963CC97BA53D1919C5DFD4
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3