233 lines
6 KiB
Bash
233 lines
6 KiB
Bash
#!/usr/bin/env bash
|
|
set -Eeuo pipefail
|
|
|
|
PACKAGE="agenix"
|
|
|
|
function show_help () {
|
|
echo "$PACKAGE - edit and rekey age secret files"
|
|
echo " "
|
|
echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
|
|
echo "$PACKAGE -r [-i PRIVATE_KEY]"
|
|
echo ' '
|
|
echo 'options:'
|
|
echo '-h, --help show help'
|
|
# shellcheck disable=SC2016
|
|
echo '-e, --edit FILE edits FILE using $EDITOR'
|
|
echo '-r, --rekey re-encrypts all secrets with specified recipients'
|
|
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
|
|
echo '-i, --identity identity to use when decrypting'
|
|
echo '-v, --verbose verbose output'
|
|
echo ' '
|
|
echo 'FILE an age-encrypted file'
|
|
echo ' '
|
|
echo 'PRIVATE_KEY a path to a private SSH key used to decrypt file'
|
|
echo ' '
|
|
echo 'EDITOR environment variable of editor to use when editing FILE'
|
|
echo ' '
|
|
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
|
|
echo ' '
|
|
echo 'AGENIX_RULES environment variable with path to Nix file specifying recipient public keys.'
|
|
echo "Defaults to './agenix-rules.nix'"
|
|
echo ' '
|
|
echo "agenix version: @version@"
|
|
echo "age binary path: @ageBin@"
|
|
echo "age version: $(@ageBin@ --version)"
|
|
}
|
|
|
|
function warn() {
|
|
printf '%s\n' "$*" >&2
|
|
}
|
|
|
|
function err() {
|
|
warn "$*"
|
|
exit 1
|
|
}
|
|
|
|
test $# -eq 0 && (show_help && exit 1)
|
|
|
|
REKEY=0
|
|
DECRYPT_ONLY=0
|
|
DEFAULT_DECRYPT=(--decrypt)
|
|
|
|
while test $# -gt 0; do
|
|
case "$1" in
|
|
-h|--help)
|
|
show_help
|
|
exit 0
|
|
;;
|
|
-e|--edit)
|
|
shift
|
|
if test $# -gt 0; then
|
|
export FILE=$1
|
|
else
|
|
echo "no FILE specified"
|
|
exit 1
|
|
fi
|
|
shift
|
|
;;
|
|
-i|--identity)
|
|
shift
|
|
if test $# -gt 0; then
|
|
DEFAULT_DECRYPT+=(--identity "$1")
|
|
else
|
|
echo "no PRIVATE_KEY specified"
|
|
exit 1
|
|
fi
|
|
shift
|
|
;;
|
|
-r|--rekey)
|
|
shift
|
|
REKEY=1
|
|
;;
|
|
-d|--decrypt)
|
|
shift
|
|
DECRYPT_ONLY=1
|
|
if test $# -gt 0; then
|
|
export FILE=$1
|
|
else
|
|
echo "no FILE specified"
|
|
exit 1
|
|
fi
|
|
shift
|
|
;;
|
|
-v|--verbose)
|
|
shift
|
|
set -x
|
|
;;
|
|
*)
|
|
show_help
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
function get_configured_rules {
|
|
# prints the first among $AGENIX_RULES, $RULES, erroring out if it points to a
|
|
# non-existing file
|
|
! [ -v AGENIX_RULES ] && ! [ -v RULES ] && return 1
|
|
local rulesfile="${AGENIX_RULES:-$RULES}"
|
|
[ -f "$rulesfile" ] || {
|
|
[ -v AGENIX_RULES ] && variable='AGENIX_RULES' || variable='RULES'
|
|
err "Rules file '$rulesfile' specified via the variable $variable not found."
|
|
}
|
|
echo "$rulesfile"
|
|
}
|
|
|
|
function find_rules {
|
|
# walks up the directory tree, printing the first file named agenix-rules.nix
|
|
# or ./secrets.nix it finds and erroring out otherwise
|
|
local cwd="$PWD"
|
|
local rulesfile=''
|
|
while [ -z "$rulesfile" ]
|
|
do
|
|
for f in "$cwd/agenix-rules.nix" "$cwd/secrets.nix"
|
|
do
|
|
[ -f "$f" ] && rulesfile="$f"
|
|
done
|
|
[ "$cwd" != '/' ] || break
|
|
cwd=$(dirname "$cwd")
|
|
done
|
|
[ -n "$rulesfile" ] || err "$PACKAGE needs a rules file. You can specify one by setting the AGENIX_RULES variable or you can create a file named 'agenix-rules.nix' in the current directory or one of its parents."
|
|
echo "$rulesfile"
|
|
unset cwd rulesfile
|
|
}
|
|
|
|
RULES=$(get_configured_rules || find_rules)
|
|
[ -r "$RULES" ] || err "Cannot read rules file '$RULES'."
|
|
|
|
function cleanup {
|
|
if [ -n "${CLEARTEXT_DIR+x}" ]
|
|
then
|
|
rm -rf "$CLEARTEXT_DIR"
|
|
fi
|
|
if [ -n "${REENCRYPTED_DIR+x}" ]
|
|
then
|
|
rm -rf "$REENCRYPTED_DIR"
|
|
fi
|
|
}
|
|
trap "cleanup" 0 2 3 15
|
|
|
|
function keys {
|
|
(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$FILE\".publicKeys)" | @jqBin@ -r .[]) || exit 1
|
|
}
|
|
|
|
function decrypt {
|
|
FILE=$1
|
|
KEYS=$2
|
|
if [ -z "$KEYS" ]
|
|
then
|
|
err "There is no rule for $FILE in $RULES."
|
|
fi
|
|
|
|
if [ -f "$FILE" ]
|
|
then
|
|
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
|
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
|
if [ -f "$HOME/.ssh/id_rsa" ]; then
|
|
DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
|
|
fi
|
|
if [ -f "$HOME/.ssh/id_ed25519" ]; then
|
|
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
|
|
fi
|
|
fi
|
|
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
|
err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
|
|
fi
|
|
|
|
@ageBin@ "${DECRYPT[@]}" "$FILE" || exit 1
|
|
fi
|
|
}
|
|
|
|
function edit {
|
|
FILE=$1
|
|
KEYS=$(keys "$FILE") || exit 1
|
|
|
|
CLEARTEXT_DIR=$(@mktempBin@ -d)
|
|
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
|
|
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
|
|
|
|
decrypt "$FILE" "$KEYS" || exit 1
|
|
|
|
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
|
|
|
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
|
|
|
$EDITOR "$CLEARTEXT_FILE"
|
|
|
|
if [ ! -f "$CLEARTEXT_FILE" ]
|
|
then
|
|
warn "$FILE wasn't created."
|
|
return
|
|
fi
|
|
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
|
|
|
|
ENCRYPT=()
|
|
while IFS= read -r key
|
|
do
|
|
ENCRYPT+=(--recipient "$key")
|
|
done <<< "$KEYS"
|
|
|
|
REENCRYPTED_DIR=$(@mktempBin@ -d)
|
|
REENCRYPTED_FILE="$REENCRYPTED_DIR/$(basename "$FILE")"
|
|
|
|
ENCRYPT+=(-o "$REENCRYPTED_FILE")
|
|
|
|
@ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
|
|
|
|
mv -f "$REENCRYPTED_FILE" "$1"
|
|
}
|
|
|
|
function rekey {
|
|
FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
|
|
|
|
for FILE in $FILES
|
|
do
|
|
warn "rekeying $FILE..."
|
|
EDITOR=: edit "$FILE"
|
|
cleanup
|
|
done
|
|
}
|
|
|
|
[ $REKEY -eq 1 ] && rekey && exit 0
|
|
[ $DECRYPT_ONLY -eq 1 ] && DEFAULT_DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
|
|
edit "$FILE" && cleanup && exit 0
|