feature: warn about missing files
rage itself does not have good error messages when files are missing, so add some of our own checks and warnings.
This commit is contained in:
parent
297cd58b41
commit
1a4643b779
1 changed files with 7 additions and 1 deletions
|
@ -27,6 +27,8 @@ let
|
||||||
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
|
[ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && mkdir -p "$(dirname "${secretType.path}")"
|
||||||
(
|
(
|
||||||
umask u=r,g=,o=
|
umask u=r,g=,o=
|
||||||
|
test -f "${secretType.file}" || echo '[agenix] WARNING: encrypted file ${secretType.file} does not exist!'
|
||||||
|
test -d "$(dirname "$TMP_FILE")" || echo "[agenix] WARNING: $(dirname "$TMP_FILE") does not exist!"
|
||||||
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
|
LANG=${config.i18n.defaultLocale} ${ageBin} --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}"
|
||||||
)
|
)
|
||||||
chmod ${secretType.mode} "$TMP_FILE"
|
chmod ${secretType.mode} "$TMP_FILE"
|
||||||
|
@ -38,11 +40,15 @@ let
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
testIdentities = map (path: ''
|
||||||
|
test -f ${path} || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!'
|
||||||
|
'') cfg.identityPaths;
|
||||||
|
|
||||||
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
|
isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
|
||||||
isNotRootSecret = st: !(isRootSecret st);
|
isNotRootSecret = st: !(isRootSecret st);
|
||||||
|
|
||||||
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
|
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
|
||||||
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
|
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ testIdentities ++ (map installSecret rootOwnedSecrets));
|
||||||
|
|
||||||
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
|
nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
|
||||||
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
|
||||||
|
|
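Review bot: The new `testIdentities` helper interpolates the identity path unquoted, `test -f ${path}`, whereas the check added in the first hunk quotes its path as `"${secretType.file}"`; an entry in `config.age.identityPaths` containing whitespace or glob characters would be word-split by the shell and the check would misfire or print a misleading warning. Quote it and send the diagnostic to stderr so it is not mixed into normal activation output: `test -f "${path}" || echo '[agenix] WARNING: config.age.identityPaths entry ${path} not present!' >&2`. Both new warning messages are single-quoted and receive the path through Nix string interpolation, so a path containing a single quote would break the generated shell script; if `lib` is in scope in this file, wrapping the path with `lib.escapeShellArg` would avoid that (not verifiable from this hunk). These checks are advisory only, and the following `age --decrypt` still runs and fails on a missing identity, which looks intentional but deserves a one-line comment above `testIdentities`, e.g. `# Only warns; the decrypt below still fails loudly if an identity is missing.`. The enclosing `let` block starts before this hunk.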