From 415c245d924db2d120aa0aabd1d2a6d0ca4ec930 Mon Sep 17 00:00:00 2001 From: oluceps Date: Tue, 5 Nov 2024 19:52:07 +0800 Subject: [PATCH] + fix checking secrets in store - path circle deps --- module/default.nix | 17 +++++++++++++---- src/cmd/check.rs | 12 +++++++++--- src/cmd/renc.rs | 7 +++++-- src/helper/secret_buf.rs | 2 -- src/helper/stored.rs | 2 ++ 5 files changed, 29 insertions(+), 11 deletions(-) diff --git a/module/default.nix b/module/default.nix index 22c25fc..862cc1b 100644 --- a/module/default.nix +++ b/module/default.nix @@ -18,6 +18,7 @@ let mkEnableOption mkIf assertMsg + warnIf ; inherit (config.users) users; @@ -28,8 +29,12 @@ let options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable) ) "`systemd.sysusers` or `services.userborn` must be enabled."; - storagePath = self + "/" + cfg.settings.storageLocation; - storageExist = assertMsg (builtins.pathExists storagePath) "${storagePath} doesn't exist plz manually create and add to git first (may need a placeholder for git to recognize it)"; + # TODO: canonicalize this path, beauty + storagePath = "/" + self + "/" + cfg.settings.storageLocation; + storageExist = builtins.pathExists storagePath; + storageNotFoundWarn = warnIf ( + !storageExist + ) "path not exist: ${storagePath}\nThis build will fail please run renc app and add ${cfg.settings.storageLocation} to git first." true; settingsType = types.submodule (submod: { options = { 
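Review bot: `storageNotFoundWarn` is the constant `true` (`warnIf` only traces the message and returns its last argument), so once it replaces `storageExist` in the `mkIf` condition of the -262,7 hunk the module is enabled whenever `sysusers` holds, whether or not the storage directory exists; the name reads like a predicate and will mislead the next reader. If the intent is to always enable the module and let the check derivation fail the build later, state that where the value is defined, e.g. `# always true: evaluated only for its warning; a missing directory fails the build in secret-check-report instead of aborting evaluation`. The new `"/" + self + "/" + cfg.settings.storageLocation` most likely yields a double leading slash, since `self` already coerces to an absolute store path, which the TODO acknowledges; `self + "/" + cfg.settings.storageLocation` as before gives the same string without it. The same `mkIf` change in the -262,7 hunk is covered by this note.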
@@ -44,7 +49,11 @@ let
 storageInStore = mkOption {
 type = types.path;
 readOnly = true;
- default = builtins.path { path = self + "/" + submod.config.storageLocation; };
+ default =
+ if builtins.pathExists storagePath then
+ (builtins.path { path = self + "/" + submod.config.storageLocation; })
+ else
+ pkgs.emptyDirectory;
 example = literalExpression ''./. /* <- flake root */ + "/secrets/renced/myhost" /* separate folder for each host */'';
 description = ''
 The local storage directory for re-encrypted secrets. MUST be a str of path related to flake root.
@@ -262,7 +271,7 @@ in
 pkgs.runCommandNoCCLocal "secret-check-report" { } "${lib.getExe cfg.package} ${profile} check > $out";
 in
- mkIf (sysusers && storageExist) {
+ mkIf (sysusers && storageNotFoundWarn) {
 systemd.services.vaultix-install-secrets = {
 wantedBy = [ "sysinit.target" ];
 after = [ "systemd-sysusers.service" ];
diff --git a/src/cmd/check.rs b/src/cmd/check.rs
index 9f7e352..fd9a92e 100644
--- a/src/cmd/check.rs
+++ b/src/cmd/check.rs
@@ -1,5 +1,5 @@
 use eyre::Result;
-use spdlog::error;
+use spdlog::{debug, error};
 use crate::{
 helper::stored::{InStore, SecMap, SecPath},
@@ -8,13 +8,19 @@ use crate::{
 impl Profile {
 pub fn check(self) -> Result<()> {
- let s_p_map = SecMap::>::from(self.secrets).inner();
+ let s_p_map = SecMap::>::from(self.secrets)
+ .renced(
+ self.settings.storage_in_store.clone().into(),
+ self.settings.host_pubkey,
+ )
+ .inner();
 s_p_map
 .into_values()
 .map(|p| {
+ debug!("checking in-store path: {}", p.path.display());
 if !p.path.exists() {
- error!("path {} not exist, try run renc", p.path.display());
+ error!("path not found: {}\nTry run renc app", p.path.display());
 return Err(eyre::eyre!("rencypted secret not in expected location",));
 }
 Ok(())
diff --git a/src/cmd/renc.rs b/src/cmd/renc.rs
index a8214b7..3a4e118 100644
--- a/src/cmd/renc.rs
+++ b/src/cmd/renc.rs
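Review bot: The `storageInStore` default tests `builtins.pathExists storagePath` but imports a differently built path, `self + "/" + submod.config.storageLocation`; the two only agree while `cfg.settings.storageLocation` and the submodule's own `storageLocation` hold the same value, and nothing in the hunk ties them together. Build the path once and use it for both the test and the import, e.g. `default = let p = self + "/" + submod.config.storageLocation; in if builtins.pathExists p then builtins.path { path = p; } else pkgs.emptyDirectory;`. A one-line comment above the default saying why `pkgs.emptyDirectory` is an acceptable fallback (presumably the `check` run in `secret-check-report` then fails the build rather than a missing directory being silently tolerated) would spare the next reader that question.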
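Review bot: `p.path.exists()` turns every metadata error into `false`, so a re-encrypted secret that is present but unreadable (or behind an unreadable parent) is reported as "path not found" with advice to re-run renc, which will not help; `std::fs::metadata` surfaces the real error: `if let Err(e) = std::fs::metadata(&p.path) { error!("cannot access {}: {}\nTry run renc app", p.path.display(), e); return Err(eyre::eyre!("rencypted secret not in expected location")); }`. The `.clone()` on `storage_in_store` looks unnecessary, since `check` takes `self` by value and `host_pubkey` is moved on the very next line, unless the field is read later in the function, whose body continues past the hunk. The pre-existing message `"rencypted secret not in expected location"` has a typo (`re-encrypted`) worth fixing in the same change.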
@@ -1,4 +1,4 @@
-use eyre::{eyre, Result};
+use eyre::{eyre, Context, Result};
 use spdlog::{error, info};
 use std::{fs, path::PathBuf};
@@ -44,7 +44,10 @@ impl Profile {
 let renc_path = {
 let mut p = flake_root.clone();
 p.push(self.settings.storage_location.clone());
- let p = p.canonicalize()?;
+ if let Err(_) = p.canonicalize() {
+ fs::create_dir_all(&p).wrap_err_with(|| eyre!("create storageLocation error"))?
+ };
+ p.canonicalize()?;
 info!(
 "reading user identity encrypted dir under flake root: {}",
 p.display()
diff --git a/src/helper/secret_buf.rs b/src/helper/secret_buf.rs
index 863ebbf..0c12d5c 100644
--- a/src/helper/secret_buf.rs
+++ b/src/helper/secret_buf.rs
@@ -50,13 +50,11 @@ impl SecBuf {
 }
 }
 use eyre::eyre;
-use spdlog::info;
 impl SecBuf {
 /// encrypt with host pub key, ssh key
 pub fn encrypt(self, recips: Vec>) -> Result> {
 let recips_iter = recips.iter().map(|boxed| boxed.as_ref() as &dyn Recipient);
-info!("things in recips iter {}", recips.len());
 let encryptor = age::Encryptor::with_recipients(recips_iter)
 .map_err(|_| eyre!("create encryptor err"))?;
diff --git a/src/helper/stored.rs b/src/helper/stored.rs
index 5cb83bf..90625ad 100644
--- a/src/helper/stored.rs
+++ b/src/helper/stored.rs
@@ -125,6 +125,8 @@ impl SecMap> {
 .collect();
 SecMap::>(res)
 }
+
+ /// return self but processed the path to produce in-store storageInStore/[hash] map
 pub fn renced(self, per_host_dir: PathBuf, host_pubkey: String) -> Self {
 let res = self
 .inner()
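Review bot: The value of `p.canonicalize()?;` is discarded, whereas the removed line rebound `p` to the canonical path, so `renc_path` now ends up as the un-canonicalized `flake_root/storage_location` (symlinks unresolved) and the call only acts as an existence check; restore the binding with `let p = p.canonicalize()?;`. `if let Err(_) = …` is clippy's `redundant_pattern_matching`; `if p.canonicalize().is_err() {` (or `if !p.exists() {`) reads better, and the `;` after the `if` block's closing brace is redundant. `PathBuf::push` replaces the whole path when the pushed component is absolute, so with `create_dir_all` now on this path a misconfigured absolute `storageLocation` would create a directory outside the flake root; a guard such as `eyre::ensure!(!std::path::Path::new(&self.settings.storage_location).is_absolute(), "storageLocation must be relative to the flake root");` before the push keeps the module's "MUST be a str of path related to flake root" contract enforced on this side too. The end of the `renc_path` block and the later use of `p` lie outside the hunk.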
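Review bot: The added doc comment on `renced` is hard to parse and does not follow rustdoc's one-line-summary convention; something like `/// Returns self with each secret path rewritten to its expected in-store location, per_host_dir/<hash>.` followed by a line each for `per_host_dir` and `host_pubkey` would read better. Whether the hash actually depends on `host_pubkey` is inferred from the signature only, since the method body continues past the hunk, so confirm that before stating it.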