mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-24 18:48:29 +03:00
use Nix instead of YAML
This commit is contained in:
Ryan Mulligan
parent
91ff516ef6
commit
7957842d88
4 changed files with 31 additions and 41 deletions
32
README.md
32
README.md
|
|
@ -114,29 +114,23 @@ nix run github:ryantm/agenix -- --help
|
|||
|
||||
## Tutorial
|
||||
|
||||
1. Make a directory to store secrets and a YAML file for configuring encryption.
|
||||
1. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
|
||||
|
||||
```console
|
||||
$ mkdir secrets
|
||||
$ cd secerts
|
||||
$ touch secrets.yaml
|
||||
$ touch secrets.nix
|
||||
```
|
||||
2. Add public keys to `secrets.yaml` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
|
||||
```yaml
|
||||
public_keys:
|
||||
# users
|
||||
- &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
|
||||
# systems
|
||||
- &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
|
||||
|
||||
secrets:
|
||||
- name: secret1.age
|
||||
public_keys:
|
||||
- *user1
|
||||
- *system1
|
||||
- name: secret2.age
|
||||
public_keys:
|
||||
- *user1
|
||||
2. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
|
||||
```nix
|
||||
let
|
||||
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
|
||||
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
|
||||
in
|
||||
{
|
||||
"secret1.age".public_keys = [ user1 system1];
|
||||
"secret2.age".public_keys = [ user1 ];
|
||||
}
|
||||
```
|
||||
3. Edit secret files (assuming your SSH private key is in ~/.ssh/):
|
||||
```console
|
||||
|
|
@ -150,7 +144,7 @@ nix run github:ryantm/agenix -- --help
|
|||
|
||||
## Rekeying
|
||||
|
||||
If you change the public keys in `secrets.yaml`, you should rekey your
|
||||
If you change the public keys in `secrets.nix`, you should rekey your
|
||||
secrets:
|
||||
|
||||
```console
|
||||
|
|
|
|||
8
example/secrets.nix
Normal file
8
example/secrets.nix
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
let
|
||||
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
|
||||
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
|
||||
in
|
||||
{
|
||||
"secret1.age".public_keys = [ user1 system1];
|
||||
"secret2.age".public_keys = [ user1 ];
|
||||
}
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
public_keys:
|
||||
# users
|
||||
- &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
|
||||
# systems
|
||||
- &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
|
||||
|
||||
secrets:
|
||||
- name: secret1.age
|
||||
public_keys:
|
||||
- *user1
|
||||
- *system1
|
||||
- name: secret2.age
|
||||
public_keys:
|
||||
- *user1
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
{writeShellScriptBin, runtimeShell, age, yq-go} :
|
||||
{writeShellScriptBin, runtimeShell, age} :
|
||||
writeShellScriptBin "agenix" ''
|
||||
set -euo pipefail
|
||||
|
||||
PACKAGE="agenix"
|
||||
|
||||
function show_help () {
|
||||
|
|
@ -21,14 +22,14 @@ function show_help () {
|
|||
echo ' '
|
||||
echo 'EDITOR environment variable of editor to use when editing FILE'
|
||||
echo ' '
|
||||
echo 'RULES environment variable with path to YAML file specifying recipient public keys.'
|
||||
echo "Defaults to 'secrets.yaml'"
|
||||
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
|
||||
echo "Defaults to 'secrets.nix'"
|
||||
}
|
||||
|
||||
test $# -eq 0 && (show_help && exit 1)
|
||||
|
||||
REKEY=0
|
||||
DECRYPT=(--decrypt)
|
||||
DEFAULT_DECRYPT=(--decrypt)
|
||||
|
||||
while test $# -gt 0; do
|
||||
case "$1" in
|
||||
|
|
@ -49,7 +50,7 @@ while test $# -gt 0; do
|
|||
-i|--identity)
|
||||
shift
|
||||
if test $# -gt 0; then
|
||||
DECRYPT+=(--identity "$1")
|
||||
DEFAULT_DECRYPT+=(--identity "$1")
|
||||
else
|
||||
echo "no PRIVATE_KEY specified"
|
||||
exit 1
|
||||
|
|
@ -67,7 +68,7 @@ while test $# -gt 0; do
|
|||
esac
|
||||
done
|
||||
|
||||
RULES=''${RULES:-secrets.yaml}
|
||||
RULES=''${RULES:-secrets.nix}
|
||||
|
||||
function cleanup {
|
||||
if [ ! -z ''${CLEARTEXT_DIR+x} ]
|
||||
|
|
@ -83,7 +84,7 @@ trap "cleanup" 0 2 3 15
|
|||
|
||||
function edit {
|
||||
FILE=$1
|
||||
KEYS=$(${yq-go}/bin/yq r "$RULES" "secrets.(name==$FILE).public_keys.**")
|
||||
KEYS=$(nix eval -f "$RULES" --raw "\"$FILE\".public_keys" --apply "builtins.concatStringsSep \"\n\"")
|
||||
if [ -z "$KEYS" ]
|
||||
then
|
||||
>&2 echo "There is no rule for $FILE in $RULES."
|
||||
|
|
@ -95,6 +96,7 @@ function edit {
|
|||
|
||||
if [ -f "$FILE" ]
|
||||
then
|
||||
DECRYPT=("''${DEFAULT_DECRYPT[@]}")
|
||||
while IFS= read -r key
|
||||
do
|
||||
DECRYPT+=(--identity "$key")
|
||||
|
|
@ -123,7 +125,7 @@ function edit {
|
|||
|
||||
function rekey {
|
||||
echo "rekeying..."
|
||||
FILES=$(${yq-go}/bin/yq r "$RULES" "secrets.*.name")
|
||||
FILES=$(nix eval -f "$RULES" --raw --apply "f: builtins.concatStringsSep \"\n\" (builtins.attrNames f)")
|
||||
for FILE in $FILES
|
||||
do
|
||||
EDITOR=: edit $FILE
|
||||
|
|
|
|||
Loading…
Reference in a new issue