~

TODO.md

@@ -1,9 +1,9 @@
-- [x] should get entire Secret when deploy
-- [ ] eval in vaultix to json, reduce requirement
-- [ ] skip renc
+- [x] should get entire `Secret` when deploy
+- [ ] [renc] calc hash and skip unchanged
 - [x] remove renced path while renc 
-- [ ] permission set
+- [ ] apply `Secret` metadata
 - [ ] age plugin
 - [ ] check command
 - [ ] nix integration
 - [ ] feed the toml after renced, thus store path changed
+- [ ] ~~eval in vaultix to json, reduce requirement~~

module/default.nix

@@ -27,6 +27,9 @@ let
     options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable)
   ) "`systemd.sysusers` or `services.userborn` must be enabled.";
 
+  storage_dir = self + "/" + cfg.settings.storageDirRelative;
+  storageExist = assertMsg (builtins.pathExists (storage_dir)) "${storage_dir} doesn't exist plz create and add to git first (maybe need a placeholder for git to recognize it)";
+
   settingsType = types.submodule (submod: {
     options = {
 
@@ -40,7 +43,7 @@ let
       storageDirStore = mkOption {
         type = types.path;
         readOnly = true;
-        default = builtins.path { path = "${self}" + "/" + submod.config.storageDirRelative; };
+        default = builtins.path { path = self + "/" + submod.config.storageDirRelative; };
         example = literalExpression ''./. /* <- flake root */ + "/secrets/renced/myhost" /* separate folder for each host */'';
         description = ''
           The local storage directory for rekeyed secrets. MUST be a str of path related to flake root.
@@ -329,7 +332,7 @@ in
     let
       secretsMetadata = (pkgs.formats.toml { }).generate "secretsMetadata" (cfg);
     in
-    mkIf sysusers {
+    mkIf (sysusers && storageExist) {
       test = secretsMetadata;
     };
 }

src/cmd/renc.rs

@@ -20,12 +20,6 @@ impl profile::Secret {
     }
 }
 
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPair(String, PathBuf);
-
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPairList(Vec<NamePathPair>);
-
 use age::x25519;
 
 use super::stored_sec_path::StoredSecretPath;
@@ -49,11 +43,11 @@ impl Profile {
                     let ident = fs::read_to_string(&identity)
                         .map_err(|_| eyre!("reading identity text error"))
                         .and_then(|i| {
-                            // Omit comment
+                            // discard comment
                             i.lines()
                                 .last()
                                 .map(|i| i.to_owned())
-                                .wrap_err(eyre!("some"))
+                                .wrap_err(eyre!("last line of identity file"))
                         })
                         .and_then(|i| {
                             x25519::Identity::from_str(i.as_str())
@@ -72,8 +66,9 @@ impl Profile {
 
     /**
     First decrypt `./secrets/every` with masterIdentity's privkey,
-    Then compare hash with decrypted existing file (using hostKey), encrypt with host public key, output to
-    `./secrets/renced/$host` and add to nix store.
+    Then compare hash with decrypted existing file (using hostKey),
+    encrypt with host public key, output to `./secrets/renced/$host`
+    and add to nix store.
     */
     pub fn renc(self, _all: bool, flake_root: PathBuf) -> Result<()> {
         use age::ssh;

test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age

@@ -1,8 +1,8 @@
 age-encryption.org/v1
--> ssh-ed25519 IQ9o3A Z9FjZuhx6o6Yx4SjXf38gfSLWyF1uLYF/LZ2Oo0ihX8
-6YBayhK4Z276OrPNbwyOm230g7OlY//kwaZOYk/CVrc
--> snm-grease qVJ69
-JXMZ6ZSiwHdn+n25hsuWY9ijZRkfMZsPdBluwb4spJ6ra7s2QBtodSUjjyNlC/WY
-Aijid/EO96VVz8SmySuVuCLpq/m1HuKXgvyfAM6HkCwtaNxGbQ
---- bCxs6iSLg6vaw9DEVN4dZBNc6Y4ZY82dVdD5TMH4u4Y
-�=\��YVUx6���U��Mr���u�7�rb����7
+-> ssh-ed25519 IQ9o3A xsNslkOYgNEc76WruMFa0ebNwERNgPVxCv+go5iK0QM
+uyOFGwJkcMEtufyief2T6dJA5R5e83Y7OHoEHFIeNdI
+-> ^V%5W1[-grease
+cSDxhSuIUsXnSzlLfn/7og
+--- ARtC/ddpSc/gFlOGaOmni9nqTwZUOuT/1DJAoUvScEs
+��oo��a̱-D����� U5�}�
+cDɣ\���n��U��e�