mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-21 17:20:47 +03:00
Code Issues Projects Releases Packages Wiki Activity

fix: always treat link destinations as files to ensure error when destination is a directory.

Browse source 
This can happen if for example a secret is used in the initrd, which
materializes it as a directory, which then causes agenix to silently
create an incorrect link when switching to stage2. This ensures that
agenix will abort with an error.
This commit is contained in:
oddlama 2023-05-20 01:51:05 +02:00
parent 8d37c5bdea
commit 08ed896eb6
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/age-home.nix
View file

@ -61,7 +61,7 @@ with lib; let
${optionalString secretType.symlink '' ${optionalString secretType.symlink ''
# shellcheck disable=SC2193,SC2050 # shellcheck disable=SC2193,SC2050
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''} ''}
''; '';
@ -76,7 +76,7 @@ with lib; let
_agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)" _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}" ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."

4
modules/age.nix
View file

@ -88,7 +88,7 @@ with lib; let
mv -f "$TMP_FILE" "$_truePath" mv -f "$TMP_FILE" "$_truePath"
${optionalString secretType.symlink '' ${optionalString secretType.symlink ''
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}" [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
''} ''}
''; '';
@ -103,7 +103,7 @@ with lib; let
_agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)" _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
(( ++_agenix_generation )) (( ++_agenix_generation ))
echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..." echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir} ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
(( _agenix_generation > 1 )) && { (( _agenix_generation > 1 )) && {
echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..." echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."