use Nix instead of YAML
This commit is contained in:
parent
91ff516ef6
commit
7957842d88
4 changed files with 31 additions and 41 deletions
32
README.md
32
README.md
|
@ -114,29 +114,23 @@ nix run github:ryantm/agenix -- --help
|
||||||
|
|
||||||
## Tutorial
|
## Tutorial
|
||||||
|
|
||||||
1. Make a directory to store secrets and a YAML file for configuring encryption.
|
1. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ mkdir secrets
|
$ mkdir secrets
|
||||||
$ cd secerts
|
$ cd secerts
|
||||||
$ touch secrets.yaml
|
$ touch secrets.nix
|
||||||
```
|
```
|
||||||
2. Add public keys to `secrets.yaml` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
|
2. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)):
|
||||||
```yaml
|
```nix
|
||||||
public_keys:
|
let
|
||||||
# users
|
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
|
||||||
- &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
|
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
|
||||||
# systems
|
in
|
||||||
- &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
|
{
|
||||||
|
"secret1.age".public_keys = [ user1 system1];
|
||||||
secrets:
|
"secret2.age".public_keys = [ user1 ];
|
||||||
- name: secret1.age
|
}
|
||||||
public_keys:
|
|
||||||
- *user1
|
|
||||||
- *system1
|
|
||||||
- name: secret2.age
|
|
||||||
public_keys:
|
|
||||||
- *user1
|
|
||||||
```
|
```
|
||||||
3. Edit secret files (assuming your SSH private key is in ~/.ssh/):
|
3. Edit secret files (assuming your SSH private key is in ~/.ssh/):
|
||||||
```console
|
```console
|
||||||
|
@ -150,7 +144,7 @@ nix run github:ryantm/agenix -- --help
|
||||||
|
|
||||||
## Rekeying
|
## Rekeying
|
||||||
|
|
||||||
If you change the public keys in `secrets.yaml`, you should rekey your
|
If you change the public keys in `secrets.nix`, you should rekey your
|
||||||
secrets:
|
secrets:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
|
|
8
example/secrets.nix
Normal file
8
example/secrets.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
let
|
||||||
|
user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
|
||||||
|
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"secret1.age".public_keys = [ user1 system1];
|
||||||
|
"secret2.age".public_keys = [ user1 ];
|
||||||
|
}
|
|
@ -1,14 +0,0 @@
|
||||||
public_keys:
|
|
||||||
# users
|
|
||||||
- &user1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH
|
|
||||||
# systems
|
|
||||||
- &system1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE
|
|
||||||
|
|
||||||
secrets:
|
|
||||||
- name: secret1.age
|
|
||||||
public_keys:
|
|
||||||
- *user1
|
|
||||||
- *system1
|
|
||||||
- name: secret2.age
|
|
||||||
public_keys:
|
|
||||||
- *user1
|
|
|
@ -1,6 +1,7 @@
|
||||||
{writeShellScriptBin, runtimeShell, age, yq-go} :
|
{writeShellScriptBin, runtimeShell, age} :
|
||||||
writeShellScriptBin "agenix" ''
|
writeShellScriptBin "agenix" ''
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
PACKAGE="agenix"
|
PACKAGE="agenix"
|
||||||
|
|
||||||
function show_help () {
|
function show_help () {
|
||||||
|
@ -21,14 +22,14 @@ function show_help () {
|
||||||
echo ' '
|
echo ' '
|
||||||
echo 'EDITOR environment variable of editor to use when editing FILE'
|
echo 'EDITOR environment variable of editor to use when editing FILE'
|
||||||
echo ' '
|
echo ' '
|
||||||
echo 'RULES environment variable with path to YAML file specifying recipient public keys.'
|
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
|
||||||
echo "Defaults to 'secrets.yaml'"
|
echo "Defaults to 'secrets.nix'"
|
||||||
}
|
}
|
||||||
|
|
||||||
test $# -eq 0 && (show_help && exit 1)
|
test $# -eq 0 && (show_help && exit 1)
|
||||||
|
|
||||||
REKEY=0
|
REKEY=0
|
||||||
DECRYPT=(--decrypt)
|
DEFAULT_DECRYPT=(--decrypt)
|
||||||
|
|
||||||
while test $# -gt 0; do
|
while test $# -gt 0; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
|
@ -49,7 +50,7 @@ while test $# -gt 0; do
|
||||||
-i|--identity)
|
-i|--identity)
|
||||||
shift
|
shift
|
||||||
if test $# -gt 0; then
|
if test $# -gt 0; then
|
||||||
DECRYPT+=(--identity "$1")
|
DEFAULT_DECRYPT+=(--identity "$1")
|
||||||
else
|
else
|
||||||
echo "no PRIVATE_KEY specified"
|
echo "no PRIVATE_KEY specified"
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -67,7 +68,7 @@ while test $# -gt 0; do
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
RULES=''${RULES:-secrets.yaml}
|
RULES=''${RULES:-secrets.nix}
|
||||||
|
|
||||||
function cleanup {
|
function cleanup {
|
||||||
if [ ! -z ''${CLEARTEXT_DIR+x} ]
|
if [ ! -z ''${CLEARTEXT_DIR+x} ]
|
||||||
|
@ -83,7 +84,7 @@ trap "cleanup" 0 2 3 15
|
||||||
|
|
||||||
function edit {
|
function edit {
|
||||||
FILE=$1
|
FILE=$1
|
||||||
KEYS=$(${yq-go}/bin/yq r "$RULES" "secrets.(name==$FILE).public_keys.**")
|
KEYS=$(nix eval -f "$RULES" --raw "\"$FILE\".public_keys" --apply "builtins.concatStringsSep \"\n\"")
|
||||||
if [ -z "$KEYS" ]
|
if [ -z "$KEYS" ]
|
||||||
then
|
then
|
||||||
>&2 echo "There is no rule for $FILE in $RULES."
|
>&2 echo "There is no rule for $FILE in $RULES."
|
||||||
|
@ -95,6 +96,7 @@ function edit {
|
||||||
|
|
||||||
if [ -f "$FILE" ]
|
if [ -f "$FILE" ]
|
||||||
then
|
then
|
||||||
|
DECRYPT=("''${DEFAULT_DECRYPT[@]}")
|
||||||
while IFS= read -r key
|
while IFS= read -r key
|
||||||
do
|
do
|
||||||
DECRYPT+=(--identity "$key")
|
DECRYPT+=(--identity "$key")
|
||||||
|
@ -123,7 +125,7 @@ function edit {
|
||||||
|
|
||||||
function rekey {
|
function rekey {
|
||||||
echo "rekeying..."
|
echo "rekeying..."
|
||||||
FILES=$(${yq-go}/bin/yq r "$RULES" "secrets.*.name")
|
FILES=$(nix eval -f "$RULES" --raw --apply "f: builtins.concatStringsSep \"\n\" (builtins.attrNames f)")
|
||||||
for FILE in $FILES
|
for FILE in $FILES
|
||||||
do
|
do
|
||||||
EDITOR=: edit $FILE
|
EDITOR=: edit $FILE
|
||||||
|
|
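Review bot: At the new `KEYS=` line in `edit`, `$FILE` is spliced verbatim into the Nix expression `"\"$FILE\".public_keys"`, so a FILE argument containing `"` or `${` changes what gets evaluated rather than being looked up as an attribute name; `rekey` only feeds attrNames from the rules file, but `edit` takes FILE straight from the command line. Guard it before the call, e.g. `case "$FILE" in ""|*[!A-Za-z0-9._/-]*) >&2 echo "invalid file name: $FILE"; exit 1;; esac`. Because `set -euo pipefail` is in effect, a name that is absent from the rules file will presumably abort with Nix's own attribute error before reaching the `There is no rule for $FILE` branch — worth confirming, and if so checking `f ? "$FILE"` inside the `--apply` expression (returning an empty string) would keep that message reachable. Switching RULES from YAML to a Nix file also turns the rules file from data into evaluated code, so a comment on the `RULES=` default such as `# RULES is evaluated by nix eval: treat it as trusted code, not data` would help operators, with the caveat that how much evaluation is restricted depends on this `nix eval`'s default purity mode. The rekey loop's `for FILE in $FILES` / `edit $FILE` still word-splits the newline-joined attrNames, so names containing whitespace would be mangled; the enclosing `rekey` function ends outside the hunk.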