


4 Commits

Author SHA1 Message Date
Félinàun Chapeau
6e3ce02206
Merge c71f8f5cde into c2fc0762bb 2024-05-25 02:38:46 +02:00
Nathan Henrie
c2fc0762bb
Merge pull request #241 from sternenseemann/nix-2.3-install-check
agenix: fix installCheckPhase with Nix 2.3
2024-05-24 08:40:46 -06:00
Félinàun Chapeau
c71f8f5cde Introduce installSecretFn script function to make script shorter. 2024-02-05 07:37:19 +01:00
sternenseemann
1746e4f5ec agenix: fix installCheckPhase with Nix 2.3
As opposed to e.g. Nix 2.18, Nix 2.3 doesn't try to create a fallback
store in $HOME if $NIX_STORE_DIR and $NIX_STATE_DIR aren't writable.
2024-02-01 13:30:22 +01:00
2 changed files with 57 additions and 33 deletions


@ -61,35 +61,45 @@ with lib; let
} }
''; '';
installSecret = secretType: '' installSecretFn = ''
${setTruePath secretType} installSecret() {
echo "decrypting '${secretType.file}' to '$_truePath'..." symlink="$1"
TMP_FILE="$_truePath.tmp" name="$2"
path="$3"
file="$4"
mode="$5"
if "$symlink"; then
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/$name"
else
_truePath="$path"
fi
echo "decrypting $file to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
IDENTITIES=() IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue test -r "$identity" || continue
test -s "$identity" || continue test -s "$identity" || continue
IDENTITIES+=(-i) IDENTITIES+=(-i)
IDENTITIES+=("$identity") IDENTITIES+=("$identity")
done done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!" test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
mkdir -p "$(dirname "$_truePath")" mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")" [ "$path" != "${cfg.secretsDir}/$name" ] && mkdir -p "$(dirname "$path")"
( (
umask u=r,g=,o= umask u=r,g=,o=
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!' test -f "$file" || echo '[agenix] WARNING: encrypted file '$file' does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!" test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}" LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "$file"
) )
chmod ${secretType.mode} "$TMP_FILE" chmod "$mode" "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath" mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink '' "$symlink" && ([ "$path" != "${cfg.secretsDir}/$name" ] && ln -sfn "${cfg.secretsDir}/$name" "$path")
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" true
''} }
''; '';
testIdentities = testIdentities =
@ -111,12 +121,22 @@ with lib; let
} }
''; '';
installSecrets = builtins.concatStringsSep "\n" ( installSecrets = let
["echo '[agenix] decrypting secrets...'"] mkLine = secretType: ''
++ testIdentities installSecret "${
++ (map installSecret (builtins.attrValues cfg.secrets)) if secretType.symlink
++ [cleanupAndLink] then "true"
); else "false"
}" "${secretType.name}" "${secretType.path}" "${secretType.file}" "${secretType.mode}";
'';
in
builtins.concatStringsSep "\n" (
["echo '[agenix] decrypting secrets...'"]
++ testIdentities
++ [installSecretFn]
++ (map mkLine (builtins.attrValues cfg.secrets))
++ [cleanupAndLink]
);
chownSecret = secretType: '' chownSecret = secretType: ''
${setTruePath secretType} ${setTruePath secretType}
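Review bot: `installSecret()` executes its first positional argument as a command, at `if "$symlink"; then` and again at `"$symlink" && (...)` just before the closing `true`, so the function only works because `mkLine` in the second hunk splices in exactly `true` or `false`; `if [ "$symlink" = true ]; then` (and the same test in front of the `ln -sfn` line) keeps the behaviour for those two values and fails closed for anything else. `mkLine` also interpolates `secretType.name`, `.path`, `.file` and `.mode` inside double quotes with no escaping, so a value containing `"`, `$` or a backtick breaks the generated argument list; since `with lib;` is in scope, `${escapeShellArg secretType.name}` (and likewise for the other three) would make the call line robust, and `${boolToString secretType.symlink}` replaces the inline if/then/else. The rewritten warning `echo '[agenix] WARNING: encrypted file '$file' does not exist!'` leaves `$file` outside the quotes; `echo "[agenix] WARNING: encrypted file $file does not exist!"` avoids word splitting. The variables assigned in the function (`symlink`, `name`, `path`, `file`, `mode`, `_truePath`, `TMP_FILE`, `IDENTITIES`) are not declared `local`, which matches the previous inlined script but deserves a `local` line now that they are set inside a function.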


@ -30,9 +30,13 @@ in
shellcheck ${bin} shellcheck ${bin}
${bin} -h | grep ${version} ${bin} -h | grep ${version}
HOME=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir') test_tmp=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
export HOME="$test_tmp/home"
export NIX_STORE_DIR="$test_tmp/nix/store"
export NIX_STATE_DIR="$test_tmp/nix/var"
mkdir -p "$HOME" "$NIX_STORE_DIR" "$NIX_STATE_DIR"
function cleanup { function cleanup {
rm -rf $HOME rm -rf "$test_tmp"
} }
trap "cleanup" 0 2 3 15 trap "cleanup" 0 2 3 15