Merge f5f56c0246 into 3a56735779

fix: always treat link destinations as files to ensure an error when the destination is a directory

README.md

@@ -244,15 +244,15 @@ e.g. inside your `flake.nix` file:
    have `sshd` running on it so that it has generated SSH host keys in
    `/etc/ssh/`.
 
-2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
+2. Make a directory to store secrets and `agenix-rules.nix` file for listing secrets and their public keys:
    ```ShellSession
    $ mkdir secrets
    $ cd secrets
-   $ touch secrets.nix
+   $ touch agenix-rules.nix
    ```
-   This `secrets.nix` file is **not** imported into your NixOS configuration. 
+   This `agenix-rules.nix` file is **not** imported into your NixOS configuration. 
    It's only used for the `agenix` CLI tool (example below) to know which public keys to use for encryption.
-3. Add public keys to your `secrets.nix` file:
+3. Add public keys to your `agenix-rules.nix` file:
    ```nix
    let
      user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
@@ -283,7 +283,7 @@ e.g. inside your `flake.nix` file:
    $ agenix -e secret1.age
    ```
    It will open a temporary file in the app configured in your $EDITOR environment variable.
-   When you save that file its content will be encrypted with all the public keys mentioned in the `secrets.nix` file.
+   When you save that file its content will be encrypted with all the public keys mentioned in the `agenix-rules.nix` file.
 5. Add secret to a NixOS module config:
    ```nix
    {
@@ -567,13 +567,18 @@ EDITOR environment variable of editor to use when editing FILE
 
 If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"
 
-RULES environment variable with path to Nix file specifying recipient public keys.
+AGENIX_RULES environment variable with path to Nix file specifying recipient public keys. 
-Defaults to './secrets.nix'
+Defaults to './agenix-rules.nix'
 ```
 
+Up to version 0.14.0, agenix used the variable `RULES` (instead of
+`AGENIX_RULES`) and the default rules file `secrets.nix` (instead of
+`agenix-rules.nix`). Currently agenix still honours those, but they will be
+deprecated in the future.
+
 #### Rekeying
 
-If you change the public keys in `secrets.nix`, you should rekey your
+If you change the public keys in `agenix-rules.nix`, you should rekey your
 secrets:
 
 ```ShellSession

doc/reference.md

@@ -246,5 +246,5 @@ EDITOR environment variable of editor to use when editing FILE
 
 If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"
 
-RULES environment variable with path to Nix file specifying recipient public keys.
+AGENIX_RULES environment variable with path to Nix file specifying recipient public keys. 
-Defaults to './secrets.nix'
+Defaults to './agenix-rules.nix'

doc/rekeying.md

@@ -1,6 +1,6 @@
 # Rekeying {#rekeying}
 
-If you change the public keys in `secrets.nix`, you should rekey your
+If you change the public keys in `agenix-rules.nix`, you should rekey your
 secrets:
 
 ```ShellSession

doc/tutorial.md

@@ -4,14 +4,14 @@
    have `sshd` running on it so that it has generated SSH host keys in
    `/etc/ssh/`.
 
-2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys (This file is **not** imported into your NixOS configuration. It is only used for the `agenix` CLI.):
+2. Make a directory to store secrets and `agenix-rules.nix` file for listing secrets and their public keys (This file is **not** imported into your NixOS configuration. It is only used for the `agenix` CLI.):
 
    ```ShellSession
    $ mkdir secrets
    $ cd secrets
-   $ touch secrets.nix
+   $ touch agenix-rules.nix
    ```
-3. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
+3. Add public keys to `agenix-rules.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
    ```nix
    let
      user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";

modules/age-home.nix

@@ -61,7 +61,7 @@ with lib; let
 
     ${optionalString secretType.symlink ''
       # shellcheck disable=SC2193,SC2050
-      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
     ''}
   '';
 
@@ -76,7 +76,7 @@ with lib; let
     _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
     (( ++_agenix_generation ))
     echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
-    ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
 
     (( _agenix_generation > 1 )) && {
     echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."

modules/age.nix

@@ -88,7 +88,7 @@ with lib; let
     mv -f "$TMP_FILE" "$_truePath"
 
     ${optionalString secretType.symlink ''
-      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+      [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
     ''}
   '';
 
@@ -103,7 +103,7 @@ with lib; let
     _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
     (( ++_agenix_generation ))
     echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
-    ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+    ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
 
     (( _agenix_generation > 1 )) && {
     echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."

pkgs/agenix.sh

@@ -26,8 +26,8 @@ function show_help () {
   echo ' '
   echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
   echo ' '
-  echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
+  echo 'AGENIX_RULES environment variable with path to Nix file specifying recipient public keys.'
-  echo "Defaults to './secrets.nix'"
+  echo "Defaults to './agenix-rules.nix'"
   echo ' '
   echo "agenix version: @version@"
   echo "age binary path: @ageBin@"
@@ -101,7 +101,40 @@ while test $# -gt 0; do
   esac
 done
 
-RULES=${RULES:-./secrets.nix}
+function get_configured_rules {
+    # prints the first among $AGENIX_RULES, $RULES, erroring out if it points to a
+    # non-existing file
+    ! [ -v AGENIX_RULES ] && ! [ -v RULES ] && return 1
+    local rulesfile="${AGENIX_RULES:-$RULES}"
+    [ -f "$rulesfile" ] || {
+        [ -v AGENIX_RULES ] && variable='AGENIX_RULES' || variable='RULES'
+        err "Rules file '$rulesfile' specified via the variable $variable not found."
+    }
+    echo "$rulesfile"
+}
+
+function find_rules {
+    # walks up the directory tree, printing the first file named agenix-rules.nix
+    # or ./secrets.nix it finds and erroring out otherwise
+    local cwd="$PWD"
+    local rulesfile=''
+    while [ -z "$rulesfile" ]
+    do
+        for f in "$cwd/agenix-rules.nix" "$cwd/secrets.nix"
+        do
+            [ -f "$f" ] && rulesfile="$f"
+        done
+        [ "$cwd" != '/' ] || break
+        cwd=$(dirname "$cwd")
+    done
+    [ -n "$rulesfile" ] || err "$PACKAGE needs a rules file. You can specify one by setting the AGENIX_RULES variable or you can create a file named 'agenix-rules.nix' in the current directory or one of its parents."
+    echo "$rulesfile"
+    unset cwd rulesfile
+}
+
+RULES=$(get_configured_rules || find_rules)
+[ -r "$RULES" ] || err "Cannot read rules file '$RULES'."
+
 function cleanup {
     if [ -n "${CLEARTEXT_DIR+x}" ]
     then