mirror of
https://github.com/ryantm/agenix.git
synced 2024-12-22 23:58:29 +03:00
don't expose decrypted secret during installation
This commit is contained in:
parent
9388c9bbad
commit
568dede67c
1 changed files with 5 additions and 4 deletions
|
@ -61,10 +61,11 @@ let
|
||||||
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
|
identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
|
||||||
|
|
||||||
installSecret = secretType: ''
|
installSecret = secretType: ''
|
||||||
rm -f "${secretType.path}"
|
TMP_DIR=$(mktemp -d)
|
||||||
${pkgs.age}/bin/age --decrypt ${identities} -o "${secretType.path}" "${secretType.file}"
|
TMP_FILE="$TMP_DIR/file"
|
||||||
chmod ${secretType.mode} "${secretType.path}"
|
(umask 0400; ${pkgs.age}/bin/age --decrypt ${identities} -o "$TMP_FILE" "${secretType.file}")
|
||||||
chown ${secretType.owner}:${secretType.group} "${secretType.path}"
|
install -o '${secretType.owner}' -g '${secretType.group}' -m '${secretType.mode}' "$TMP_FILE" '${secretType.path}'
|
||||||
|
rm -rf "$TMP_DIR"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
installAllSecrets = builtins.concatStringsSep (map installSecret (builtins.attrValues cfg.secrets));
|
installAllSecrets = builtins.concatStringsSep (map installSecret (builtins.attrValues cfg.secrets));
|
||||||
|
|
Loading…
Reference in a new issue