This commit is contained in:
feral-dot-io 2024-08-02 13:31:48 -04:00 committed by GitHub
commit 6b0799ec9d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 35 additions and 6 deletions


@ -280,7 +280,7 @@ e.g. inside your `flake.nix` file:
* from GitHub like https://github.com/ryantm.keys.
4. Create a secret file:
```ShellSession
$ agenix -e secret1.age
$ agenix -c secret1.age
```
It will open a temporary file in the app configured in your $EDITOR environment variable.
When you save that file its content will be encrypted with all the public keys mentioned in the `secrets.nix` file.
@ -548,11 +548,13 @@ Overriding `age.secretsMountPoint` example:
```
agenix - edit and rekey age secret files
agenix -c FILE
agenix -e FILE [-i PRIVATE_KEY]
agenix -r [-i PRIVATE_KEY]
options:
-h, --help show help
-c, --create FILE create or replace FILE using $EDITOR
-e, --edit FILE edits FILE using $EDITOR
-r, --rekey re-encrypts all secrets with specified recipients
-d, --decrypt FILE decrypts FILE to STDOUT


@ -55,6 +55,7 @@ in
)
cd $HOME/secrets
echo hello | ${bin} -c secret1.age
test $(${bin} -d secret1.age) = "hello"
'';
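Review bot: The added assertion `test $(${bin} -d secret1.age) = "hello"` leaves the command substitution unquoted, so if the decrypt step produces empty output or output containing whitespace the check degrades into a malformed `test` expression rather than a clean comparison failure. Quote it as `test "$(${bin} -d secret1.age)" = "hello"`. The shell snippet this line belongs to starts before the hunk.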


@ -6,12 +6,15 @@ PACKAGE="agenix"
function show_help () {
echo "$PACKAGE - edit and rekey age secret files"
echo " "
echo "$PACKAGE -c FILE"
echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
echo "$PACKAGE -r [-i PRIVATE_KEY]"
echo ' '
echo 'options:'
echo '-h, --help show help'
# shellcheck disable=SC2016
echo '-c, --create FILE create or replace FILE using $EDITOR'
# shellcheck disable=SC2016
echo '-e, --edit FILE edits FILE using $EDITOR'
echo '-r, --rekey re-encrypts all secrets with specified recipients'
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
@ -46,6 +49,7 @@ function err() {
test $# -eq 0 && (show_help && exit 1)
REKEY=0
ENCRYPT_ONLY=0
DECRYPT_ONLY=0
DEFAULT_DECRYPT=(--decrypt)
@ -55,6 +59,17 @@ while test $# -gt 0; do
show_help
exit 0
;;
-c|--create)
shift
ENCRYPT_ONLY=1
if test $# -gt 0; then
export FILE=$1
else
echo "no FILE specified"
exit 1
fi
shift
;;
-e|--edit)
shift
if test $# -gt 0; then
@ -153,22 +168,29 @@ function edit {
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
decrypt "$FILE" "$KEYS" || exit 1
[ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
# Decrypt file
if [ $ENCRYPT_ONLY -eq 0 ]
then
decrypt "$FILE" "$KEYS" || exit 1
[ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
else
touch "$CLEARTEXT_FILE.before"
fi
# Prompt file edit
[ -t 0 ] || EDITOR='cp /dev/stdin'
$EDITOR "$CLEARTEXT_FILE"
# Check file status
if [ ! -f "$CLEARTEXT_FILE" ]
then
warn "$FILE wasn't created."
return
fi
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
[ $ENCRYPT_ONLY -eq 0 ] && [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
ENCRYPT=()
# Build recipient list
while IFS= read -r key
do
if [ -n "$key" ]; then
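Review bot: The new `-c|--create` arm in the option loop sets `ENCRYPT_ONLY=1` and nothing resets it, so a command line that mixes mode flags (for example `-c a.age -e b.age`) leaves `ENCRYPT_ONLY=1` while `FILE` points at the `-e` argument, and `edit` then replaces that file without ever decrypting it; from what is visible the `-e|--edit` arm only sets FILE (its body is cut off here), and the interaction with `-d`/`DECRYPT_ONLY` is outside the hunk. Either have the `-e|--edit` arm reset the mode with `ENCRYPT_ONLY=0` so the last flag wins, or, preferably, refuse conflicting mode flags with the existing `err` helper. In the help hunk the `-c` line could also say how the plaintext is supplied when no editor is involved, since the tests feed it through a pipe: `echo '-c, --create FILE create or replace FILE using $EDITOR (reads STDIN when it is not a terminal)'`.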


@ -120,6 +120,10 @@ pkgs.nixosTest {
# and get it back out via --decrypt
assert "secret1234" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
# user1 can recreate the secret without decrypting it
system1.succeed(userDo("echo 'secret5678' | agenix -c passwordfile-user1.age"))
assert "secret5678" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
# finally, the plain text should not linger around anywhere in the filesystem.
system1.fail("grep -r secret1234 /tmp")
'';
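Review bot: The leak check at the end still greps /tmp only for `secret1234`, so the new `-c` path, which copies the piped plaintext into the cleartext directory via `cp /dev/stdin` before encrypting, is never checked for leftover plaintext. Add `system1.fail("grep -r secret5678 /tmp")` next to the existing check so the create path gets the same coverage as the edit path. The enclosing test script starts before this hunk.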