modules/age: add option to disable symlinking

There are some cases where it may be better or even required to have the secret be a file that is not a symlink. Setting age.secrets.some-secret.symlink = false; will disable the default functionality of symlinking secrets and instead just forcibly move them to their `path`.
ryantm · Nov 16, 2021 · 7bb0b5d · 7bb0b5d
1 parent e538664
commit 7bb0b5d
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -193,6 +193,22 @@ randomness in `age`'s encryption algorithms, the files always change
 when rekeyed, even if the identities do not. (This eventually could be
 improved upon by reading the identities from the age file.)
 
+## Don't symlink secret
+
+If your secret cannot be a symlink, you should set the `symlink` option to `false`:
+
+```nix
+{
+  age.secrets.some-secret = {
+    file = ./secret;
+    path = "/var/lib/some-service/some-secret";
+    symlink = false;
+  };
+}
+```
+
+Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
+
 ## Threat model/Warnings
 
 This project has not be audited by a security professional.

diff --git a/modules/age.nix b/modules/age.nix
@@ -16,7 +16,11 @@ let
 
   identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
   installSecret = secretType: ''
-    _truePath="${cfg.secretsMountPoint}/$_count/${secretType.name}"
+    ${if secretType.symlink then ''
+      _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+    '' else ''
+      _truePath="${secretType.path}"
+    ''}
     echo "decrypting '${secretType.file}' to '$_truePath'..."
     TMP_FILE="$_truePath.tmp"
     mkdir -p "$(dirname "$_truePath")"
@@ -28,7 +32,10 @@ let
     chmod ${secretType.mode} "$TMP_FILE"
     chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
     mv -f "$TMP_FILE" "$_truePath"
-    [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
+    ''}
   '';
 
   isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
@@ -83,6 +90,7 @@ let
           Group of the file.
         '';
       };
+      symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
     };
   });
 in