2023-01-29 20:58:38 +01:00
#!/usr/bin/env bash
set -Eeuo pipefail
PACKAGE = "agenix"
function show_help ( ) {
echo " $PACKAGE - edit and rekey age secret files "
echo " "
echo " $PACKAGE -e FILE [-i PRIVATE_KEY] "
echo " $PACKAGE -r [-i PRIVATE_KEY] "
echo ' '
echo 'options:'
echo '-h, --help show help'
# shellcheck disable=SC2016
echo '-e, --edit FILE edits FILE using $EDITOR'
echo '-r, --rekey re-encrypts all secrets with specified recipients'
2023-02-21 02:15:37 +01:00
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
2023-01-29 20:58:38 +01:00
echo '-i, --identity identity to use when decrypting'
echo '-v, --verbose verbose output'
echo ' '
echo 'FILE an age-encrypted file'
echo ' '
echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
echo ' '
echo 'EDITOR environment variable of editor to use when editing FILE'
echo ' '
2023-02-19 19:20:07 +01:00
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
echo ' '
2023-01-29 20:58:38 +01:00
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
echo "Defaults to './secrets.nix'"
echo ' '
echo "agenix version: @version@"
echo "age binary path: @ageBin@"
echo " age version: $( @ageBin@ --version) "
}
2023-02-21 20:46:44 +01:00
function warn( ) {
printf '%s\n' " $* " >& 2
}
function err( ) {
warn " $* "
exit 1
}
2023-01-29 20:58:38 +01:00
test $# -eq 0 && ( show_help && exit 1)
REKEY = 0
2023-02-21 02:15:37 +01:00
DECRYPT_ONLY = 0
2023-01-29 20:58:38 +01:00
DEFAULT_DECRYPT = ( --decrypt)
while test $# -gt 0; do
case " $1 " in
-h| --help)
show_help
exit 0
; ;
-e| --edit)
shift
if test $# -gt 0; then
export FILE = $1
else
echo "no FILE specified"
exit 1
fi
shift
; ;
-i| --identity)
shift
if test $# -gt 0; then
DEFAULT_DECRYPT += ( --identity " $1 " )
else
echo "no PRIVATE_KEY specified"
exit 1
fi
shift
; ;
-r| --rekey)
shift
REKEY = 1
; ;
2023-02-21 02:15:37 +01:00
-d| --decrypt)
shift
DECRYPT_ONLY = 1
if test $# -gt 0; then
export FILE = $1
else
echo "no FILE specified"
exit 1
fi
shift
; ;
2023-01-29 20:58:38 +01:00
-v| --verbose)
shift
set -x
; ;
*)
show_help
exit 1
; ;
esac
done
RULES = ${ RULES :- ./secrets.nix }
function cleanup {
if [ -n " ${ CLEARTEXT_DIR +x } " ]
then
rm -rf " $CLEARTEXT_DIR "
fi
if [ -n " ${ REENCRYPTED_DIR +x } " ]
then
rm -rf " $REENCRYPTED_DIR "
fi
}
trap "cleanup" 0 2 3 15
2023-02-21 02:15:37 +01:00
function keys {
( @nixInstantiate@ --eval -E " (let rules = import $RULES ; in builtins.concatStringsSep \"\n\" rules.\" $1 \".publicKeys) " | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g' ) | @sedBin@ '/^$/d' || exit 1
}
2023-01-29 20:58:38 +01:00
2023-02-21 02:15:37 +01:00
function decrypt {
FILE = $1
KEYS = $2
2023-01-29 20:58:38 +01:00
if [ -z " $KEYS " ]
then
2023-02-21 20:46:44 +01:00
err " There is no rule for $FILE in $RULES . "
2023-01-29 20:58:38 +01:00
fi
if [ -f " $FILE " ]
then
DECRYPT = ( " ${ DEFAULT_DECRYPT [@] } " )
2023-02-18 20:55:58 +01:00
if [ [ " ${ DECRYPT [*] } " != *"--identity" * ] ] ; then
if [ -f " $HOME /.ssh/id_rsa " ] ; then
DECRYPT += ( --identity " $HOME /.ssh/id_rsa " )
fi
if [ -f " $HOME /.ssh/id_ed25519 " ] ; then
DECRYPT += ( --identity " $HOME /.ssh/id_ed25519 " )
fi
2023-01-29 20:58:38 +01:00
fi
if [ [ " ${ DECRYPT [*] } " != *"--identity" * ] ] ; then
2023-02-21 20:46:44 +01:00
err " No identity found to decrypt $FILE . Try adding an SSH key at $HOME /.ssh/id_rsa or $HOME /.ssh/id_ed25519 or using the --identity flag to specify a file. "
2023-01-29 20:58:38 +01:00
fi
2023-02-24 09:00:48 +01:00
@ageBin@ " ${ DECRYPT [@] } " " $FILE " || exit 1
2023-01-29 20:58:38 +01:00
fi
2023-02-21 02:15:37 +01:00
}
function edit {
FILE = $1
KEYS = $( keys " $FILE " ) || exit 1
2023-02-24 09:00:48 +01:00
CLEARTEXT_DIR = $( @mktempBin@ -d)
CLEARTEXT_FILE = " $CLEARTEXT_DIR / $( basename " $FILE " ) "
DEFAULT_DECRYPT += ( -o " $CLEARTEXT_FILE " )
2023-02-21 02:15:37 +01:00
decrypt " $FILE " " $KEYS " || exit 1
2023-01-29 20:58:38 +01:00
2023-02-24 09:00:48 +01:00
cp " $CLEARTEXT_FILE " " $CLEARTEXT_FILE .before "
2023-02-19 19:20:07 +01:00
[ -t 0 ] || EDITOR = 'cp /dev/stdin'
2023-01-29 20:58:38 +01:00
$EDITOR " $CLEARTEXT_FILE "
if [ ! -f " $CLEARTEXT_FILE " ]
then
2023-02-21 20:46:44 +01:00
warn " $FILE wasn't created. "
2023-01-29 20:58:38 +01:00
return
fi
2023-02-21 20:46:44 +01:00
[ -f " $FILE " ] && [ " $EDITOR " != ":" ] && @diffBin@ -q " $CLEARTEXT_FILE .before " " $CLEARTEXT_FILE " && warn " $FILE wasn't changed, skipping re-encryption. " && return
2023-01-29 20:58:38 +01:00
ENCRYPT = ( )
while IFS = read -r key
do
ENCRYPT += ( --recipient " $key " )
done <<< " $KEYS "
REENCRYPTED_DIR = $( @mktempBin@ -d)
REENCRYPTED_FILE = " $REENCRYPTED_DIR / $( basename " $FILE " ) "
ENCRYPT += ( -o " $REENCRYPTED_FILE " )
@ageBin@ " ${ ENCRYPT [@] } " <" $CLEARTEXT_FILE " || exit 1
mv -f " $REENCRYPTED_FILE " " $1 "
}
function rekey {
FILES = $( ( @nixInstantiate@ --eval -E " (let rules = import $RULES ; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules)) " | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g' ) || exit 1)
for FILE in $FILES
do
2023-02-21 20:46:44 +01:00
warn " rekeying $FILE ... "
2023-01-29 20:58:38 +01:00
EDITOR = : edit " $FILE "
cleanup
done
}
[ $REKEY -eq 1 ] && rekey && exit 0
2023-03-14 18:53:32 +01:00
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT += ( "-o" "-" ) && decrypt " ${ FILE } " " $( keys " $FILE " ) " && exit 0
2023-01-29 20:58:38 +01:00
edit " $FILE " && cleanup && exit 0