Releases: ryantm/agenix

0.15.0

20 Dec 16:42

Changes

  • Revert "feat: remove empty newlines from jq query" @ryantm (#208)
  • feat: remove empty newlines from jq query @timhae (#206)
  • fix: add --strict nix-instantiate to support builtins.readFile @WillPower3309 (#202)
  • fix: update cachix installer to fix darwin CI @n8henrie (#199)
  • fix(home): shellcheck failure for fixed secretsDir @Eisfunke (#195)

0.14.0

14 Sep 23:23

What's Changed

  • chore: add nix build result path to gitignore by @montchr in #125
  • Track nixos-unstable channel as nixpkgs by @montchr in #127
  • test: fix type error by @erikarvstedt in #131
  • feature: update flake output format and docs by @ryantm in #136
  • contrib: format with Alejandra by @ryantm in #137
  • doc: collapse installation sections by @ryantm in #140
  • feature: try to add nix-darwin support by @n8henrie in #141
  • Skip missing or unreadable keys by @n8henrie in #146
  • contrib: use mkDerivation for agenix cli by @ryantm in #139
  • Expand tests by @n8henrie in #150
  • fix: if an identity is specified, don't use the default ones by @ryantm in #152
  • contrib: add instructions for running the tests by @ryantm in #153
  • Make isDarwin check more robust by @mputz86 in #156
  • feature: pipe cleartext into agenix -e by @ryantm in #154
  • Output user-facing warnings to stderr instead of stdout by @n8henrie in #161
  • contrib: stop packaging rage by @ryantm in #162
  • add -d/--decrypt option to decrypt a file to stdout by @whentze in #158
  • fix -d/--decrypt-only not working correctly for binary data by @whentze in #164
  • Expand explanation that identityPaths should be strings by @n8henrie in #168
  • fix: disallow Nix store paths in age.identityPaths option by @ryantm in #169
  • Revert "fix: disallow Nix store paths in age.identityPaths option" by @ryantm in #171
  • doc: add new doc website by @ryantm in #170
  • doc: try to fix doc ci by @ryantm in #172
  • doc: try a slightly different format for github action by @ryantm in #173
  • doc: actually fix github pages deploy by @ryantm in #174
  • doc: how to skip the Darwin input by @ryantm in #155
  • fix truncated output when decrypting a large file to stdout via -d by @whentze in #175
  • doc: missing space by @winny- in #179
  • Add home-manager module by @ambroisie in #180
  • Disable shellcheck warning about impossible comparison by @Scrumplex in #185
  • doc: fix defaultText and description by @jian-lin in #191
  • Extend documentation to make it more NixOS beginner friendly. by @malteneuss in #192
  • Create flakehub-publish-tagged.yml by @ryantm in #196

Full Changelog: 0.13.0...0.14.0

agenix 0.13.0

25 Sep 21:24

Ryan Mulligan:

  • doc: add reference section
  • doc: improve tutorial
  • doc: mention secrets.nix is not imported into a NixOS configuration
  • doc: add version to agenix command
  • contrib: add maintainer release helper scripts

Simplifying decryption

01 Sep 15:55
9f136ec

Features

age module

@ryantm and @jsimonetti #119:

Simplifies decryption by combining the root and non-root secret decryption into one Activation Script, and delays setting the owner and group of the secrets until after the users and groups activation scripts have completed.

  • This is a breaking change for anyone who depended on the user or group of a root secret being set before the "users" and "groups" Activation Scripts run.
  • This is also a breaking change because it renames several of the Activation Scripts. The new activation scripts are:
    • agenixInstall: decrypts the secrets
    • agenixChown: sets the secrets' users and groups
    • agenix: an Activation Script that your own Activation Script can depend on to ensure it runs after all agenix operations have completed.
  • This also fixes a bug inherent to the old system's order of operations (#117, reported by @jsimonetti).

Getting the details right

01 Sep 15:39
7e5e58b

Features

agenix cli

  • @timhae: remove newlines from recipient keys, so secrets.nix can specify recipient keys as files with newlines.
  • @felixscheinost: add support for aarch64-darwin

age module

  • @ryantm: add warnings about missing files (decryption keys and ciphertext files) to help with troubleshooting
  • @ryantm: rename age.sshKeyPaths to age.identityPaths
  • @luishfonseca: when using from a flake, the module can now be referred to by agenix.nixosModule
  • @chuangzhu: allow customizing the age binary with config.age.ageBin
  • @Sohalt: improved option descriptions

Documentation

  • @ryantm: add readFile anti-pattern, add Community and Support section, fix niv CLI installation instructions, remove old NixOS version compatibility notice, table of contents and better installation instructions
  • @mausch: fix reference in module docs
  • @ymarkus: clarify that 'config' has to be prefixed
  • @oslerw: fix installation instructions for channel installation, now that the default branch name has changed.

Fix user secret access

20 Nov 20:26
4fefd7c

New default secret path, symlinking secrets, and other fixes

20 Nov 17:22

Wow, it has almost been a year since the last release!

🔒 Security fixes

  • Before agenix 0.10.0, the umask used when creating a secret was set incorrectly, so decrypted secrets were world readable for a very brief period before their file permissions were applied (#38). Thanks to @pennae for reporting this issue.

⚠️ Breaking changes

  • Secrets have a new default location: /run/agenix/<name>. The reason for this new location is that we want agenix to be able to co-exist with other secret systems such as sops-nix or nixops. If you need to refer to a secret's path in your NixOS configuration, always use config.age.secrets.<name>.path, so you are not broken by changes like this. Anyone referring to secret paths outside of the NixOS configuration will need to update the path manually if they rely on the default. #27
  • Thanks to @cole-h, secrets are now symlinked into place by default. This is how sops-nix works. The main benefit is that decrypted secrets will not remain on a system after they are not part of the configuration. If you do not wish to use the symlink feature, you can set config.age.secrets.<name>.symlink = false;. #27
  • Thanks to @ngkz, agenix activation scripts are now run after specialfs activation scripts, which is useful for some setups where /run is mounted in a special way. #49
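The two breaking changes above, together with the activation-script ordering from the "Simplifying decryption" release, shown in an added NixOS module example (this is not code from the agenix project). It assumes a secret file ./secrets/db-password.age encrypted for this host in secrets.nix, and that a postgres user exists (for example via services.postgresql).

```nix
{ config, ... }:
{
  # Host identity used for decryption: a plain string path (not a store path),
  # so the private key is never copied into the world-readable Nix store.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Assumed secret: ./secrets/db-password.age, encrypted for this host in secrets.nix.
  age.secrets.db-password = {
    file = ./secrets/db-password.age;
    owner = "postgres";
    group = "postgres";
    mode = "0400";
    # Default since 0.10.0: the secret is symlinked into /run/agenix/db-password
    # and disappears once it is removed from the configuration.
    # Set this to false to write the decrypted file in place instead.
    symlink = true;
  };

  # Never hard-code /run/agenix/...: use config.age.secrets.<name>.path so a
  # future change of the default location cannot break this service.
  systemd.services.db-password-check = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      # systemd copies the secret into the service's private credentials dir.
      LoadCredential = "db-password:${config.age.secrets.db-password.path}";
    };
    script = ''
      test -s "$CREDENTIALS_DIRECTORY/db-password" || exit 1
    '';
  };

  # "agenix" is the aggregate Activation Script from the "Simplifying decryption"
  # release; depending on it orders this script after agenixInstall and agenixChown,
  # so the owner/group set by agenixChown is already in place when it runs.
  system.activationScripts.verifySecretPerms = {
    deps = [ "agenix" ];
    text = ''
      f=${config.age.secrets.db-password.path}
      # stat -L follows the symlink to the decrypted file itself.
      if [ "$(stat -Lc '%a %U' "$f")" != "400 postgres" ]; then
        echo "warning: unexpected mode/owner on $f" >&2
      fi
    '';
  };
}
```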

🔧 Other changes

  • Thanks to @blaggacao, an overlay is now available for the agenix CLI. #12
  • Various fixes for Darwin. #20 #35
  • Locale fixes for Rage. #28
  • There is now a NixOS test for testing agenix is working properly. #40
  • Many other documentation and small fixes.

0.9 Public Beta

18 Dec 18:11

This release is the first public beta release.

Changes from previous releases:

  • root-owned secrets are decrypted before the user activation script runs. If you want to manage users' hashed passwords, you must use a version of NixOS with commit e6b8587, so the root-owned secrets can be decrypted before the user activation script runs. Currently only available on unstable.
  • more messages are displayed while the activation scripts run

public_keys -> publicKeys

04 Sep 04:14

Renamed public_keys in .nix file to publicKeys to be more idiomatic.

Fixes

04 Sep 00:09
  • Makes agenix nix code work with more versions of nix
  • Exit early to avoid deleting secret files
  • Don't encrypt if file didn't change