Introduce installSecretFn script function to make script shorter.
catwith1hat committed Dec 11, 2023
1 parent 13ac9ac commit 01cd0f1
Showing 1 changed file with 51 additions and 30 deletions.
81 changes: 51 additions & 30 deletions modules/age.nix
Expand Up @@ -61,34 +61,45 @@ with lib; let
}
'';

installSecret = secretType: ''
${setTruePath secretType}
echo "decrypting '${secretType.file}' to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
# This function is called with the following mapping:
# secretType.symlink = $1
# secretType.name = $2
# secretType.path = $3
# secretType.file = $4
# secretType.mode = $5
installSecretFn = ''
installSecret() {
if "$1"; then
_truePath="${cfg.secretsMountPoint}/$_agenix_generation/$2"
else
_truePath="$3"
fi
echo "decrypting $4 to '$_truePath'..."
TMP_FILE="$_truePath.tmp"
IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
IDENTITIES=()
for identity in ${toString cfg.identityPaths}; do
test -r "$identity" || continue
IDENTITIES+=(-i)
IDENTITIES+=("$identity")
done
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix] WARNING: no readable identities found!"
mkdir -p "$(dirname "$_truePath")"
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
(
umask u=r,g=,o=
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "${secretType.file}"
)
chmod ${secretType.mode} "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
mkdir -p "$(dirname "$_truePath")"
[ "$3" != "${cfg.secretsDir}/$2" ] && mkdir -p "$(dirname "$3")"
(
umask u=r,g=,o=
test -f "$4" || echo '[agenix] WARNING: encrypted file '$4' does not exist!'
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
LANG=${config.i18n.defaultLocale or "C"} ${ageBin} --decrypt "''${IDENTITIES[@]}" -o "$TMP_FILE" "$4"
)
chmod "$5" "$TMP_FILE"
mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''}
"$1" && ([ "$3" != "${cfg.secretsDir}/$2" ] && ln -sfn "${cfg.secretsDir}/$2" "$3")
true
}
'';

testIdentities =
Expand All @@ -110,12 +121,22 @@ with lib; let
}
'';

installSecrets = builtins.concatStringsSep "\n" (
["echo '[agenix] decrypting secrets...'"]
++ testIdentities
++ (map installSecret (builtins.attrValues cfg.secrets))
++ [cleanupAndLink]
);
installSecrets = let
mkLine = secretType: ''
installSecret "${
if secretType.symlink
then "true"
else "false"
}" "${secretType.name}" "${secretType.path}" "${secretType.file}" "${secretType.mode}";
'';
in
builtins.concatStringsSep "\n" (
["echo '[agenix] decrypting secrets...'"]
++ testIdentities
++ [installSecretFn]
++ (map mkLine (builtins.attrValues cfg.secrets))
++ [cleanupAndLink]
);

chownSecret = secretType: ''
${setTruePath secretType}
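Review bot: The call that mkLine builds in the second hunk (`installSecret "${...}" "${secretType.name}" "${secretType.path}" "${secretType.file}" "${secretType.mode}";`) interpolates the option values straight into a double-quoted bash string, so a name, path or mode containing `"`, `$` or a backtick alters the generated command instead of arriving as an argument; since `lib` is in scope (`with lib;` on both hunk headers), `installSecret ${escapeShellArg (boolToString secretType.symlink)} ${escapeShellArg secretType.name} ${escapeShellArg secretType.path} ${escapeShellArg secretType.file} ${escapeShellArg secretType.mode}` passes each value as exactly one literal word and drops the if/then/else. The removed per-secret template had the same direct interpolation, so this is not a regression, but the new single entry point is the natural place to close it. In installSecretFn, `if "$1"; then` and `"$1" && (...)` test the symlink flag by executing the first argument as a command; `if [ "$1" = true ]; then` checks the same value without running anything. The missing-file warning in the subshell leaves `$4` outside the quotes (`'... encrypted file '$4' does not exist!'`), so a path with spaces or glob characters is word-split in the message; `echo "[agenix] WARNING: encrypted file $4 does not exist!"` keeps it intact.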
