mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-22 17:50:48 +03:00
Code Issues Projects Releases Packages Wiki Activity

exit of sub commands fail; don't re-encrypt if there is no diff; apply some shellcheck suggestions

Browse source
This commit is contained in:
Ryan Mulligan 2020-09-03 16:51:23 -07:00
parent b381af08ec
commit f38625001d
1 changed files with 18 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
pkgs/agenix.nix
View file

@ -1,6 +1,6 @@
{writeShellScriptBin, runtimeShell, age} : {writeShellScriptBin, runtimeShell, age} :
writeShellScriptBin "agenix" '' writeShellScriptBin "agenix" ''
set -euo pipefail set -Eeuo pipefail
PACKAGE="agenix" PACKAGE="agenix"
@ -84,7 +84,7 @@ trap "cleanup" 0 2 3 15
function edit { function edit {
FILE=$1 FILE=$1
KEYS=$(nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$FILE\".public_keys)" | sed 's/"//g' | sed 's/\\n/\n/g') KEYS=$((nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$FILE\".public_keys)" | sed 's/"//g' | sed 's/\\n/\n/g') || exit 1)
if [ -z "$KEYS" ] if [ -z "$KEYS" ]
then then
@ -101,13 +101,21 @@ function edit {
while IFS= read -r key while IFS= read -r key
do do
DECRYPT+=(--identity "$key") DECRYPT+=(--identity "$key")
done <<<$(find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") done <<<"$((find ~/.ssh -maxdepth 1 -type f -not -name "*pub" -not -name "config" -not -name "authorized_keys" -not -name "known_hosts") || exit 1)"
DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE") DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
${age}/bin/age "''${DECRYPT[@]}" ${age}/bin/age "''${DECRYPT[@]}" || exit 1
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
fi fi
$EDITOR "$CLEARTEXT_FILE" $EDITOR "$CLEARTEXT_FILE"
if [ ! -f "$CLEARTEXT_FILE" ]
then
echo "$FILE wasn't created."
return
fi
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && diff "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" 1>/dev/null && echo "$FILE wasn't changed, skipping re-encryption." && return
ENCRYPT=() ENCRYPT=()
while IFS= read -r key while IFS= read -r key
do do
@ -119,21 +127,22 @@ function edit {
ENCRYPT+=(-o "$REENCRYPTED_FILE") ENCRYPT+=(-o "$REENCRYPTED_FILE")
cat "$CLEARTEXT_FILE" | ${age}/bin/age "''${ENCRYPT[@]}" ${age}/bin/age "''${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
mv -f "$REENCRYPTED_FILE" "$1" mv -f "$REENCRYPTED_FILE" "$1"
} }
function rekey { function rekey {
echo "rekeying..." FILES=$((nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | sed 's/"//g' | sed 's/\\n/\n/g') || exit 1)
FILES=$(nix-instantiate --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | sed 's/"//g' | sed 's/\\n/\n/g')
for FILE in $FILES for FILE in $FILES
do do
EDITOR=: edit $FILE echo "rekeying $FILE..."
EDITOR=: edit "$FILE"
cleanup
done done
} }
[ $REKEY -eq 1 ] && rekey && exit 0 [ $REKEY -eq 1 ] && rekey && exit 0
edit $FILE && exit 0 edit "$FILE" && cleanup && exit 0
'' ''