diff --git a/TODO.md b/TODO.md
index 72416f1..9d65af9 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,9 +1,9 @@
-- [x] should get entire Secret when deploy
-- [ ] eval in vaultix to json, reduce requirement
-- [ ] skip renc
+- [x] should get entire `Secret` when deploy
+- [ ] [renc] calc hash and skip unchanged
 - [x] remove renced path while renc
-- [ ] permission set
+- [ ] apply `Secret` metadata
 - [ ] age plugin
 - [ ] check command
 - [ ] nix integration
 - [ ] feed the toml after renced, thus store path changed
+- [ ] ~~eval in vaultix to json, reduce requirement~~
diff --git a/module/default.nix b/module/default.nix
index 19b3dc9..6af71e4 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -27,6 +27,9 @@ let
 options.systemd
 ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable)
 ) "`systemd.sysusers` or `services.userborn` must be enabled.";
+ storage_dir = self + "/" + cfg.settings.storageDirRelative;
+ storageExist = assertMsg (builtins.pathExists (storage_dir)) "${storage_dir} doesn't exist plz create and add to git first (maybe need a placeholder for git to recognize it)";
+
 settingsType = types.submodule (submod: {
 options = {
@@ -40,7 +43,7 @@ let
 storageDirStore = mkOption {
 type = types.path;
 readOnly = true;
- default = builtins.path { path = "${self}" + "/" + submod.config.storageDirRelative; };
+ default = builtins.path { path = self + "/" + submod.config.storageDirRelative; };
 example = literalExpression ''./. /* <- flake root */ + "/secrets/renced/myhost" /* separate folder for each host */'';
 description = ''
 The local storage directory for rekeyed secrets. MUST be a str of path related to flake root.
@@ -329,7 +332,7 @@ in
 let
 secretsMetadata = (pkgs.formats.toml { }).generate "secretsMetadata" (cfg);
 in
- mkIf sysusers {
+ mkIf (sysusers && storageExist) {
 test = secretsMetadata;
 };
 }
diff --git a/src/cmd/renc.rs b/src/cmd/renc.rs
index 0063a1f..15aac29 100644
--- a/src/cmd/renc.rs
+++ b/src/cmd/renc.rs
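Review bot: `storage_dir` in the `@@ -27,6 +27,9 @@` hunk breaks the file's camelCase naming (`storageDirStore`, `settingsType`, and `storageExist` on the very next line) and rebuilds the same `self + "/" + …storageDirRelative` expression that the `storageDirStore` default in the `@@ -40,7 +43,7 @@` hunk uses; `storageDir = self + "/" + cfg.settings.storageDirRelative;` and `storageExists = assertMsg (builtins.pathExists storageDir) "…";` keep the names consistent and drop the redundant parentheses. Since `assertMsg` throws during evaluation, using it as the condition of `mkIf (sysusers && storageExist)` in the `@@ -329,7 +332,7 @@` hunk only reports the missing directory when that attribute is evaluated, and as an evaluation trace rather than through the module system's `assertions` list, which is presumably where a user-facing check like this belongs; a short comment on why the `assertMsg` form was chosen would help the next reader. The message text could also be tightened to `"${storageDir} does not exist; create it and add it to git first (git needs at least a placeholder file to track the directory)"`.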
@@ -20,12 +20,6 @@ impl profile::Secret {
 }
 }
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPair(String, PathBuf);
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPairList(Vec);
 use age::x25519;
 use super::stored_sec_path::StoredSecretPath;
@@ -49,11 +43,11 @@ impl Profile {
 let ident = fs::read_to_string(&identity)
 .map_err(|_| eyre!("reading identity text error"))
 .and_then(|i| {
- // Omit comment
+ // discard comment
 i.lines()
 .last()
 .map(|i| i.to_owned())
- .wrap_err(eyre!("some"))
+ .wrap_err(eyre!("last line of identity file"))
 })
 .and_then(|i| {
 x25519::Identity::from_str(i.as_str())
@@ -72,8 +66,9 @@ impl Profile {
 /**
 First decrypt `./secrets/every` with masterIdentity's privkey,
- Then compare hash with decrypted existing file (using hostKey), encrypt with host public key, output to
- `./secrets/renced/$host` and add to nix store.
+ Then compare hash with decrypted existing file (using hostKey),
+ encrypt with host public key, output to `./secrets/renced/$host`
+ and add to nix store.
 */
 pub fn renc(self, _all: bool, flake_root: PathBuf) -> Result<()> {
 use age::ssh;
diff --git a/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age b/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age
index 21ddd2b..e096a79 100644
--- a/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age
+++ b/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age
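Review bot: The new `// discard comment` line in the `@@ -49,11 +43,11 @@` hunk describes an intent the code does not implement: the chain keeps only `i.lines().last()`, so an identity file with a trailing blank line or a comment after the key hands the wrong line to `x25519::Identity::from_str` and the user presumably sees a parse error instead of the new `last line of identity file` context. Selecting the first non-empty line that does not start with `#` matches how age identity files are laid out, e.g. `i.lines().map(str::trim).find(|l| !l.is_empty() && !l.starts_with('#')).map(str::to_owned)`, and the `wrap_err` message then reads better as `eyre!("identity file contains no key line")`. The context line `.map_err(|_| eyre!("reading identity text error"))` above it discards the underlying `io::Error`, so a permission-denied and a not-found failure are indistinguishable to the operator; `.wrap_err("reading identity file")` keeps the cause in the report. The `let ident` statement continues past the end of this hunk.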
@@ -1,8 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 IQ9o3A Z9FjZuhx6o6Yx4SjXf38gfSLWyF1uLYF/LZ2Oo0ihX8 -6YBayhK4Z276OrPNbwyOm230g7OlY//kwaZOYk/CVrc --> snm-grease qVJ69 -JXMZ6ZSiwHdn+n25hsuWY9ijZRkfMZsPdBluwb4spJ6ra7s2QBtodSUjjyNlC/WY -Aijid/EO96VVz8SmySuVuCLpq/m1HuKXgvyfAM6HkCwtaNxGbQ ---- bCxs6iSLg6vaw9DEVN4dZBNc6Y4ZY82dVdD5TMH4u4Y -Õ=\™ ©YVUx6„¢åU¦ŒMrÈùà¤u±7ÍrbšÌãá7 \ No newline at end of file +-> ssh-ed25519 IQ9o3A xsNslkOYgNEc76WruMFa0ebNwERNgPVxCv+go5iK0QM +uyOFGwJkcMEtufyief2T6dJA5R5e83Y7OHoEHFIeNdI +-> ^V%5W1[-grease +cSDxhSuIUsXnSzlLfn/7og +--- ARtC/ddpSc/gFlOGaOmni9nqTwZUOuT/1DJAoUvScEs +ÜÉoo¨œa̱-DìËÕÿô U5†}ù +cDÉ£\ºœán•ÔU»Ýe½ \ No newline at end of file diff --git a/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age b/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age index 6e85379..e00a5c9 100644 Binary files a/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age and b/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age differ