From df20b65305fb0bcaaef5a186bab90afd215ba824 Mon Sep 17 00:00:00 2001
From: oluceps
Date: Mon, 16 Sep 2024 15:30:38 +0800
Subject: [PATCH] ~
---
 TODO.md | 8 ++++----
 module/default.nix | 7 +++++--
 src/cmd/renc.rs | 15 +++++----------
 ...8806ab468373d36c092aebf73-factorio-admin.age | 14 +++++++-------
 ...b0974360dd2d93e3de475a84-factorio-server.age | Bin 376 -> 303 bytes
 5 files changed, 21 insertions(+), 23 deletions(-)
diff --git a/TODO.md b/TODO.md
index 72416f1..9d65af9 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,9 +1,9 @@
-- [x] should get entire Secret when deploy
-- [ ] eval in vaultix to json, reduce requirement
-- [ ] skip renc
+- [x] should get entire `Secret` when deploy
+- [ ] [renc] calc hash and skip unchanged
 - [x] remove renced path while renc
-- [ ] permission set
+- [ ] apply `Secret` metadata
 - [ ] age plugin
 - [ ] check command
 - [ ] nix integration
 - [ ] feed the toml after renced, thus store path changed
+- [ ] ~~eval in vaultix to json, reduce requirement~~
diff --git a/module/default.nix b/module/default.nix
index 19b3dc9..6af71e4 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -27,6 +27,9 @@ let
 options.systemd ? sysusers && (config.systemd.sysusers.enable || config.services.userborn.enable) ) "`systemd.sysusers` or `services.userborn` must be enabled.";
+ storage_dir = self + "/" + cfg.settings.storageDirRelative;
+ storageExist = assertMsg (builtins.pathExists (storage_dir)) "${storage_dir} doesn't exist plz create and add to git first (maybe need a placeholder for git to recognize it)";
+
 settingsType = types.submodule (submod: {
 options = {
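Review bot: `storage_dir` in the new `let` bindings is the only snake_case name in a file that otherwise uses camelCase (`storageDirRelative`, `storageDirStore`, `settingsType`), and `storageExist` is bound to an `assertMsg`, which evaluates to `true` or aborts evaluation and is never `false`, so the name reads like a predicate it is not. The same `self + "/" + …storageDirRelative` expression is computed again for the `storageDirStore` default in the next hunk; binding it once and reusing it would keep the two from drifting. I would rename to `storageDir`/`storageExists` and tighten the message, e.g. `"${storage_dir} does not exist; create it and add it to git first (a placeholder file may be needed for git to track the directory)"`. Since `let` bindings are lazy, this check appears to be reached only where `storageExist` is referenced (the `mkIf` in the last hunk of this file), which is worth confirming is the intended point of failure; the enclosing `let` starts before the hunk.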
@@ -40,7 +43,7 @@ let
 storageDirStore = mkOption {
 type = types.path;
 readOnly = true;
- default = builtins.path { path = "${self}" + "/" + submod.config.storageDirRelative; };
+ default = builtins.path { path = self + "/" + submod.config.storageDirRelative; };
 example = literalExpression ''./. /* <- flake root */ + "/secrets/renced/myhost" /* separate folder for each host */'';
 description = ''
 The local storage directory for rekeyed secrets. MUST be a str of path related to flake root.
@@ -329,7 +332,7 @@ in
 let
 secretsMetadata = (pkgs.formats.toml { }).generate "secretsMetadata" (cfg);
 in
- mkIf sysusers {
+ mkIf (sysusers && storageExist) {
 test = secretsMetadata;
 };
 }
diff --git a/src/cmd/renc.rs b/src/cmd/renc.rs
index 0063a1f..15aac29 100644
--- a/src/cmd/renc.rs
+++ b/src/cmd/renc.rs
@@ -20,12 +20,6 @@ impl profile::Secret {
 }
 }
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPair(String, PathBuf);
-
-#[derive(Hash, Debug, Eq, PartialEq)]
-pub struct NamePathPairList(Vec);
-
 use age::x25519;
 use super::stored_sec_path::StoredSecretPath;
@@ -49,11 +43,11 @@ impl Profile {
 let ident = fs::read_to_string(&identity)
 .map_err(|_| eyre!("reading identity text error"))
 .and_then(|i| {
- // Omit comment
+ // discard comment
 i.lines()
 .last()
 .map(|i| i.to_owned())
- .wrap_err(eyre!("some"))
+ .wrap_err(eyre!("last line of identity file"))
 })
 .and_then(|i| {
 x25519::Identity::from_str(i.as_str())
@@ -72,8 +66,9 @@ impl Profile {
 /**
 First decrypt `./secrets/every` with masterIdentity's privkey,
- Then compare hash with decrypted existing file (using hostKey), encrypt with host public key, output to
- `./secrets/renced/$host` and add to nix store.
+ Then compare hash with decrypted existing file (using hostKey),
+ encrypt with host public key, output to `./secrets/renced/$host`
+ and add to nix store.
 */
 pub fn renc(self, _all: bool, flake_root: PathBuf) -> Result<()> {
 use age::ssh;
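Review bot: `mkIf (sysusers && storageExist)` in the `@@ -329,7 +332,7 @@` hunk combines two `assertMsg` values, and `assertMsg` either yields `true` or throws, so this `mkIf` condition can never be false; the construct is an evaluation gate that aborts with the message, not a switch that quietly disables the attribute, which is not what a reader expects from `mkIf`. I would say so above the line, e.g. `# both operands are assertMsg: evaluation aborts with their message instead of yielding false`. If the storage-directory check is meant to run for every use of the module rather than only when this guarded attribute is evaluated, surfacing it through the module system's `assertions` option would make that explicit. The enclosing expression starts before the hunk.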
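Review bot: `i.lines().last()` in the `@@ -49,11 +43,11 @@` hunk still picks whichever line is physically last, so an identity file with a trailing blank line or a trailing `#` comment hands an empty or commented string to `x25519::Identity::from_str` in the following `and_then`, and the only context the user sees is `last line of identity file`. The new comment says `discard comment`, so selecting by that rule directly is more robust: `i.lines().map(str::trim).find(|l| !l.is_empty() && !l.starts_with('#')).map(str::to_owned).wrap_err(eyre!("no identity line found in identity file"))`. The surrounding `.map_err(|_| eyre!("reading identity text error"))` also drops the underlying `io::Error`; `.wrap_err("reading identity text")` would keep it, though that line is outside the change. The enclosing function starts and ends outside the hunk.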
diff --git a/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age b/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age index 21ddd2b..e096a79 100644 --- a/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age +++ b/test/secrets/renced/tester/61baa5c8806ab468373d36c092aebf73-factorio-admin.age @@ -1,8 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 IQ9o3A Z9FjZuhx6o6Yx4SjXf38gfSLWyF1uLYF/LZ2Oo0ihX8 -6YBayhK4Z276OrPNbwyOm230g7OlY//kwaZOYk/CVrc --> snm-grease qVJ69 -JXMZ6ZSiwHdn+n25hsuWY9ijZRkfMZsPdBluwb4spJ6ra7s2QBtodSUjjyNlC/WY -Aijid/EO96VVz8SmySuVuCLpq/m1HuKXgvyfAM6HkCwtaNxGbQ ---- bCxs6iSLg6vaw9DEVN4dZBNc6Y4ZY82dVdD5TMH4u4Y -Õ=\™ ©YVUx6„¢åU¦ŒMrÈùà¤u±7ÍrbšÌãá7 \ No newline at end of file +-> ssh-ed25519 IQ9o3A xsNslkOYgNEc76WruMFa0ebNwERNgPVxCv+go5iK0QM +uyOFGwJkcMEtufyief2T6dJA5R5e83Y7OHoEHFIeNdI +-> ^V%5W1[-grease +cSDxhSuIUsXnSzlLfn/7og +--- ARtC/ddpSc/gFlOGaOmni9nqTwZUOuT/1DJAoUvScEs +ÜÉoo¨œa̱-DìËÕÿô U5†}ù +cDÉ£\ºœán•ÔU»Ýe½ \ No newline at end of file diff --git a/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age b/test/secrets/renced/tester/745a75ccb0974360dd2d93e3de475a84-factorio-server.age index 6e85379264a923b23c4b79068a9ba557aea79867..e00a5c9266646fd69b00a7854938a41bd8ba4226 100644 GIT binary patch delta 268 zcmV+n0rUR&0NyPVoy$KSWv4JOhH*mcM2g(S^hSNHLhcFx!-QyU7R<+Eh%Bw|BY$auEx`; SC<#>xBH;hfZ3P-wCGLKxkzM@& delta 341 zcmZ3_^n+=FPJMY;dcK8YV6u;UkanPDc~F^tnpbF9iH~!TXK^hpru)kkwRUTnS!!rVttgAy9rlDfKQTBV5zfffp=73 zRbgPbzfp=;ag|rTWp;3(L5Oj9Sdn&aiKl0UQ@EMCp=o|nWrU@vpT4`t)PSqH@OIBqhH^o}Bz41w lsWNYmtYUOnXwPtK`!SDhsg?tL4v*IcT@E