From 7bb0b5d7f1a4d153ae3c838ee2b6df8218cf4be2 Mon Sep 17 00:00:00 2001
From: Cole Helbling <cole.e.helbling@outlook.com>
Date: Mon, 8 Nov 2021 09:45:34 -0800
Subject: [PATCH] modules/age: add option to disable symlinking

There are some cases where it may be better or even required to have the
secret be a file that is not a symlink. Setting

    age.secrets.some-secret.symlink = false;

will disable the default functionality of symlinking secrets and instead
just forcibly move them to their `path`.
---
 README.md       | 16 ++++++++++++++++
 modules/age.nix | 12 ++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 51468b4..5499388 100644
--- a/README.md
+++ b/README.md
@@ -193,6 +193,22 @@ randomness in `age`'s encryption algorithms, the files always change
 when rekeyed, even if the identities do not. (This eventually could be
 improved upon by reading the identities from the age file.)
 
+## Don't symlink secret
+
+If your secret cannot be a symlink, you should set the `symlink` option to `false`:
+
+```nix
+{
+  age.secrets.some-secret = {
+    file = ./secret;
+    path = "/var/lib/some-service/some-secret";
+    symlink = false;
+  };
+}
+```
+
+Instead of first decrypting the secret to `/run/agenix` and then symlinking to its `path`, the secret will instead be forcibly moved to its `path`. Please note that, currently, there are no cleanup mechanisms for secrets that are not symlinked by agenix.
+
 ## Threat model/Warnings
 
 This project has not be audited by a security professional.
diff --git a/modules/age.nix b/modules/age.nix
index e18041b..f8978c6 100644
--- a/modules/age.nix
+++ b/modules/age.nix
@@ -16,7 +16,11 @@ let
 
   identities = builtins.concatStringsSep " " (map (path: "-i ${path}") cfg.sshKeyPaths);
   installSecret = secretType: ''
-    _truePath="${cfg.secretsMountPoint}/$_count/${secretType.name}"
+    ${if secretType.symlink then ''
+      _truePath="${cfg.secretsMountPoint}/$_agenix_generation/${secretType.name}"
+    '' else ''
+      _truePath="${secretType.path}"
+    ''}
     echo "decrypting '${secretType.file}' to '$_truePath'..."
     TMP_FILE="$_truePath.tmp"
     mkdir -p "$(dirname "$_truePath")"
@@ -28,7 +32,10 @@ let
     chmod ${secretType.mode} "$TMP_FILE"
     chown ${secretType.owner}:${secretType.group} "$TMP_FILE"
     mv -f "$TMP_FILE" "$_truePath"
-    [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
+
+    ${optionalString secretType.symlink ''
+      [ "${secretType.path}" != "/run/agenix/${secretType.name}" ] && ln -sfn "/run/agenix/${secretType.name}" "${secretType.path}"
+    ''}
   '';
 
   isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
@@ -83,6 +90,7 @@ let
           Group of the file.
         '';
       };
+      symlink = mkEnableOption "symlinking secrets to their destination" // { default = true; };
     };
   });
 in