From 08ed896eb60cf738d5a1d12cb713663d6e83db9b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sat, 20 May 2023 01:51:05 +0200
Subject: [PATCH] fix: always treat link destinations as files to ensure error when destination is a directory. This can happen if for example a secret is used in the initrd, which materializes it as a directory, which then causes agenix to silently create an incorrect link when switching to stage2. This ensures that agenix will abort with an error.
---
 modules/age-home.nix | 4 ++--
 modules/age.nix | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/age-home.nix b/modules/age-home.nix
index 9577eb8..7c1051f 100644
--- a/modules/age-home.nix
+++ b/modules/age-home.nix
@@ -61,7 +61,7 @@ with lib; let
 ${optionalString secretType.symlink ''
 # shellcheck disable=SC2193,SC2050
- [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+ [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
 ''}
 '';
@@ -76,7 +76,7 @@ with lib; let
 _agenix_generation="$(basename "$(readlink "${cfg.secretsDir}")" || echo 0)"
 (( ++_agenix_generation ))
 echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
- ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
+ ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"
 (( _agenix_generation > 1 )) && {
 echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
diff --git a/modules/age.nix b/modules/age.nix
index 86c4447..e49d9d8 100644
--- a/modules/age.nix
+++ b/modules/age.nix
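Review bot: The `-n` to `-T` switch on the `ln -sfT` line of the @@ -61,7 hunk relies on GNU coreutils' `--no-target-directory`; BSD and macOS `ln` have no `-T`, so on a home-manager host whose activation PATH does not supply GNU coreutils this line would fail for a reason unrelated to the directory check (the hunk does not show what PATH the activation script sets, so this is inferred). Because the flag is the entire fix and reads like a typo of `-n`, it deserves a comment next to the existing shellcheck directive, e.g. `# -T (GNU ln): fail instead of silently linking inside an existing directory at the link path`. The identical change in modules/age.nix at @@ -88,7 would take the same comment. The enclosing Nix string starts before this hunk.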
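Review bot: In the @@ -76,7 hunk, a failure of the new `ln -sfT` line only aborts the script if the surrounding activation code runs under `set -e` or an ERR trap, neither of which is visible here; otherwise execution continues into the `(( _agenix_generation > 1 )) && { … }` block below and the previous generation is removed even though `${cfg.secretsDir}` was never repointed (e.g. on a permission error), leaving everything that reads secrets through that directory with dangling paths. Since the commit's stated goal is to abort loudly, make it explicit on the line itself: `ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}" || { echo "[agenix] failed to link ${cfg.secretsDir}" >&2; exit 1; }`. The corresponding line in modules/age.nix at @@ -103,7 has the same gap. The enclosing Nix string starts before this hunk.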
@@ -88,7 +88,7 @@ with lib; let
 mv -f "$TMP_FILE" "$_truePath"
 ${optionalString secretType.symlink ''
- [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfn "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
+ [ "${secretType.path}" != "${cfg.secretsDir}/${secretType.name}" ] && ln -sfT "${cfg.secretsDir}/${secretType.name}" "${secretType.path}"
 ''}
 '';
@@ -103,7 +103,7 @@ with lib; let
 _agenix_generation="$(basename "$(readlink ${cfg.secretsDir})" || echo 0)"
 (( ++_agenix_generation ))
 echo "[agenix] symlinking new secrets to ${cfg.secretsDir} (generation $_agenix_generation)..."
- ln -sfn "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
+ ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" ${cfg.secretsDir}
 (( _agenix_generation > 1 )) && {
 echo "[agenix] removing old secrets (generation $(( _agenix_generation - 1 )))..."
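Review bot: The new `ln -sfT` line in the @@ -103,7 hunk leaves `${cfg.secretsDir}` unquoted as the link name (the `readlink ${cfg.secretsDir}` context line does the same), whereas the sibling change in modules/age-home.nix quotes it; a secretsDir value containing whitespace or glob characters would be word-split into extra operands, and with `-T` in effect `ln` would then reject the call rather than create the link. Quote it as `ln -sfT "${cfg.secretsMountPoint}/$_agenix_generation" "${cfg.secretsDir}"` so the two modules agree, and consider quoting the readlink operand while touching this block. The enclosing Nix string starts before this hunk.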