+ fix checking secrets in store
- path circle deps
oluceps committed Nov 5, 2024
1 parent b1adcf0 commit 415c245
Showing 5 changed files with 29 additions and 11 deletions.
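--- a/module/default.nix
+++ b/module/default.nix
@@ -18,6 +18,7 @@ let
 mkEnableOption
 mkIf
 assertMsg
+warnIf
 ;
 inherit (config.users) users;
 
@@ -28,8 +29,12 @@ let
 options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable)
 ) "`systemd.sysusers` or `services.userborn` must be enabled.";
 
-storagePath = self + "/" + cfg.settings.storageLocation;
-storageExist = assertMsg (builtins.pathExists storagePath) "${storagePath} doesn't exist plz manually create and add to git first (may need a placeholder for git to recognize it)";
+# TODO: canonicalize this path, beauty
+storagePath = "/" + self + "/" + cfg.settings.storageLocation;
+storageExist = builtins.pathExists storagePath;
+storageNotFoundWarn = warnIf (
+!storageExist
+) "path not exist: ${storagePath}\nThis build will fail please run renc app and add ${cfg.settings.storageLocation} to git first." true;
 
 settingsType = types.submodule (submod: {
 options = {
@@ -44,7 +49,11 @@ let
 storageInStore = mkOption {
 type = types.path;
 readOnly = true;
-default = builtins.path { path = self + "/" + submod.config.storageLocation; };
+default =
+if builtins.pathExists storagePath then
+(builtins.path { path = self + "/" + submod.config.storageLocation; })
+else
+pkgs.emptyDirectory;
 example = literalExpression ''./. /* <- flake root */ + "/secrets/renced/myhost" /* separate folder for each host */'';
 description = ''
 The local storage directory for re-encrypted secrets. MUST be a str of path related to flake root.
@@ -262,7 +271,7 @@ in
 pkgs.runCommandNoCCLocal "secret-check-report" { }
 "${lib.getExe cfg.package} ${profile} check > $out";
 in
-mkIf (sysusers && storageExist) {
+mkIf (sysusers && storageNotFoundWarn) {
 systemd.services.vaultix-install-secrets = {
 wantedBy = [ "sysinit.target" ];
 after = [ "systemd-sysusers.service" ];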
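Review bot: The `storageInStore` default in the `@@ -44,7 +49,11 @@` hunk tests `storagePath` (built from `cfg.settings.storageLocation` with a leading `"/"`) but copies `self + "/" + submod.config.storageLocation`, so existence is checked on one spelling of the location and the store copy is made from another; compute it once, e.g. `default = let p = self + "/" + submod.config.storageLocation; in if builtins.pathExists p then builtins.path { path = p; } else pkgs.emptyDirectory;`. The `"/" + self` prefix in the new `storagePath` looks like it yields a double leading slash when `self` is already an absolute store path, which the TODO on the line above presumably refers to. `storageNotFoundWarn` evaluates to `true` in both branches, so `mkIf (sysusers && storageNotFoundWarn)` no longer gates on the directory at all; a comment such as `# always true: only emits the eval-time warning, missing secrets fail later in the check report` would keep that line from reading as a guard.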
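--- a/src/cmd/check.rs
+++ b/src/cmd/check.rs
@@ -1,5 +1,5 @@
 use eyre::Result;
-use spdlog::error;
+use spdlog::{debug, error};
 
 use crate::{
 helper::stored::{InStore, SecMap, SecPath},
@@ -8,13 +8,19 @@ use crate::{
 
 impl Profile {
 pub fn check(self) -> Result<()> {
-let s_p_map = SecMap::<SecPath<_, InStore>>::from(self.secrets).inner();
+let s_p_map = SecMap::<SecPath<_, InStore>>::from(self.secrets)
+.renced(
+self.settings.storage_in_store.clone().into(),
+self.settings.host_pubkey,
+)
+.inner();
 
 s_p_map
 .into_values()
 .map(|p| {
+debug!("checking in-store path: {}", p.path.display());
 if !p.path.exists() {
-error!("path {} not exist, try run renc", p.path.display());
+error!("path not found: {}\nTry run renc app", p.path.display());
 return Err(eyre::eyre!("rencypted secret not in expected location",));
 }
 Ok(())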
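Review bot: `p.path.exists()` in the closure collapses I/O errors into "not found": `Path::exists` returns false whenever the metadata cannot be read (permission denied, dangling symlink), so such a secret gets the same "Try run renc app" advice as a genuinely missing one; `if !p.path.try_exists()? {` would surface the underlying error through the closure's `Result` instead. The `.clone()` on `self.settings.storage_in_store` looks avoidable since `check` takes `self` by value and `self.secrets` is already moved out on the line above, so `self.settings.storage_in_store.into(),` should work provided `Profile` has no `Drop` impl. The rest of the iterator chain and the end of `check` are outside the hunk.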
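--- a/src/cmd/renc.rs
+++ b/src/cmd/renc.rs
@@ -1,4 +1,4 @@
-use eyre::{eyre, Result};
+use eyre::{eyre, Context, Result};
 use spdlog::{error, info};
 use std::{fs, path::PathBuf};
 
@@ -44,7 +44,10 @@ impl Profile {
 let renc_path = {
 let mut p = flake_root.clone();
 p.push(self.settings.storage_location.clone());
-let p = p.canonicalize()?;
+if let Err(_) = p.canonicalize() {
+fs::create_dir_all(&p).wrap_err_with(|| eyre!("create storageLocation error"))?
+};
+p.canonicalize()?;
 info!(
 "reading user identity encrypted dir under flake root: {}",
 p.display()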
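Review bot: The second `p.canonicalize()?` discards its result, so unlike the removed `let p = p.canonicalize()?;` the block now continues with the un-canonicalized `p` for the `info!` line and whatever follows; rebind it with `let p = p.canonicalize()?;`. Using a failed `canonicalize()` as the trigger for `create_dir_all` also creates the directory when canonicalization failed for some other reason (permission denied, a dangling symlink at that location), and `if let Err(_) = …` is clippy's `redundant_pattern_matching`; testing existence directly is narrower: `if !p.try_exists()? { fs::create_dir_all(&p).wrap_err_with(|| eyre!("create storageLocation error"))?; }`. The `renc_path` block and the enclosing function end outside the hunk.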
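--- a/src/helper/secret_buf.rs
+++ b/src/helper/secret_buf.rs
@@ -50,13 +50,11 @@ impl SecBuf<AgeEnc> {
 }
 }
 use eyre::eyre;
-use spdlog::info;
 
 impl SecBuf<Plain> {
 /// encrypt with host pub key, ssh key
 pub fn encrypt(self, recips: Vec<Rc<dyn Recipient>>) -> Result<SecBuf<HostEnc>> {
 let recips_iter = recips.iter().map(|boxed| boxed.as_ref() as &dyn Recipient);
-info!("things in recips iter {}", recips.len());
 let encryptor = age::Encryptor::with_recipients(recips_iter)
 .map_err(|_| eyre!("create encryptor err"))?;
 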
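--- a/src/helper/stored.rs
+++ b/src/helper/stored.rs
@@ -125,6 +125,8 @@ impl SecMap<SecPath<PathBuf, InStore>> {
 .collect();
 SecMap::<SecPath<PathBuf, InStore>>(res)
 }
+
+/// return self but processed the path to produce in-store storageInStore/[hash] map
 pub fn renced(self, per_host_dir: PathBuf, host_pubkey: String) -> Self {
 let res = self
 .inner()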
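Review bot: The new doc comment on `renced` reads as a fragment ("return self but processed the path to produce…"); a one-sentence summary that names the parameters would serve rustdoc readers better, e.g. `/// Returns this map with every path rewritten to its in-store location under `per_host_dir`, using `host_pubkey` for the per-entry hash.` The body of `renced` continues outside the hunk, so confirm how `host_pubkey` actually enters the hash before wording it that way.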
