From 5ba68e987daeb1ad1e73115948dd804c1e7c5ce2 Mon Sep 17 00:00:00 2001
From: teidesu
Date: Sun, 12 May 2024 12:43:51 +0300
Subject: [PATCH] chore: better unsafe secret handling
turned out my previous scheme didn't work properly under linux xd
---
 .gitignore | 3 ++-
 agenix-edit | 14 +++++--------
 lib/secrets-unsafe.nix | 4 +---
 readme.md | 2 +-
 switch | 13 +++++++++----
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.gitignore b/.gitignore
index badf753..ac11251 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 result
 .DS_Store
-/test.nix
\ No newline at end of file
+/test.nix
+/secrets/unsafe.key
\ No newline at end of file
diff --git a/agenix-edit b/agenix-edit
index a6129d4..4069a92 100755
--- a/agenix-edit
+++ b/agenix-edit
@@ -42,16 +42,12 @@ export MICRO_CONFIG_HOME="$micro_config_dir"
 export EDITOR=micro
 export RULES="$tempfile"
-if [ "$(uname)" == "Darwin" ]; then
-if [ "$is_unsafe" == "true" ]; then
-private_path="/Users/Shared/agenix-key-unsafe"
-else
+if [ "$is_unsafe" == "true" ]; then
+private_path="$script_dir/secrets/unsafe.key"
+else
+if [ "$(uname)" == "Darwin" ]; then
 private_path="$HOME/.ssh/agenix-key"
-fi
-else
-if [ "$is_unsafe" == "true" ]; then
-private_path="/etc/ssh/agenix-key-unsafe"
-else
+else
 private_path="/etc/ssh/agenix-key"
 fi
 fi
diff --git a/lib/secrets-unsafe.nix b/lib/secrets-unsafe.nix
index 232f8e5..8f11d19 100644
--- a/lib/secrets-unsafe.nix
+++ b/lib/secrets-unsafe.nix
@@ -2,14 +2,12 @@
 age,
 writeShellScript,
 system,
- stdenv,
 ...
 }: {
 readUnsafe = name: let
- isDarwin = stdenv.isDarwin;
- identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";
+ identityPath = ../secrets/unsafe.key;
 path = ../secrets + "/UNSAFE.${name}.age";
 drv = builtins.derivation {
diff --git a/readme.md b/readme.md
index 2e29dc0..8e28939 100755
--- a/readme.md
+++ b/readme.md
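Review bot: The new `else` branch in agenix-edit exists only to wrap a second `if`, so the three-way choice reads more directly as one chain: replace the `else`/`if [ "$(uname)" == "Darwin" ]; then` pair with `elif [ "$(uname)" == "Darwin" ]; then` and drop the inner `fi`. `$script_dir` is not assigned anywhere in this hunk, so it is presumably set earlier in the script; the hunk also does not check that the chosen file exists before `private_path` is consumed further down (outside the hunk), so a missing `secrets/unsafe.key` surfaces only as whatever the downstream tool reports. A guard after the final `fi`, `[ -r "$private_path" ] || { echo "identity not readable: $private_path" >&2; exit 1; }`, would make the failure explicit and local.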
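Review bot: `identityPath = ../secrets/unsafe.key;` is now a Nix path literal, and if it reaches the `builtins.derivation` that starts at the end of this hunk (the `readUnsafe` body continues past it), the key file is copied into the Nix store, where it is world-readable; the readme already states that UNSAFE.* values are global to the system, but this additionally exposes the private key itself, so every future `UNSAFE.*.age` becomes decryptable by any local user as well. Because the repo is consumed as a flake (see the `flake=".#..."` handling in `switch`), the file must also be part of the flake source — tracked or staged in git — for the path to resolve, which appears to be what the force-add in `switch` is for; without it evaluation fails with a path-does-not-exist error that gives no hint about that dependency. A comment on the line would spare the next reader that detective work: `# path literal: copied into /nix/store (world-readable) and must be staged in git for flake eval; acceptable only because UNSAFE.* secrets are global by design`.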
@@ -7,7 +7,7 @@ note to self on what needs to be installed on the host manually:
 ### common
 - `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption
-- `/etc/ssh/agenix-key-unsafe` (darwin: `/Users/Shared/agenix-key-unsafe`) - private key for unsafe secret decryption
+- `./secrets/unsafe.key` - private key for unsafe secret decryption
 > "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time
 > and are available globally to the system. this is useful for things like server ips, since i don't want to
diff --git a/switch b/switch
index e74be43..57532b6 100755
--- a/switch
+++ b/switch
@@ -28,13 +28,18 @@ if [ ! -z ${NIX_HOSTNAME+x} ]; then
 flake=".#$NIX_HOSTNAME"
 fi
+function on_exit {
+ git restore --staged secrets/unsafe.key
+ if [ $(hostname) == "teidesu-osx" ]; then
+ git restore --staged hosts/teidesu-osx/arc-setup.nix
+ fi
+}
+trap on_exit EXIT
+
+git add -f secrets/unsafe.key
 if [ "$(uname)" == "Darwin" ]; then
 if [ $(hostname) == "teidesu-osx" ]; then
 git add -f hosts/teidesu-osx/arc-setup.nix
- function restore {
- git restore --staged hosts/teidesu-osx/arc-setup.nix
- }
- trap restore EXIT
 fi
 if command -v darwin-rebuild &> /dev/null; then
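Review bot: `git add -f secrets/unsafe.key` writes the private key as a blob into `.git/objects`, and the `git restore --staged` in `on_exit` only removes the index entry, so the now-unreachable blob stays in the object store until a gc prunes it; in addition, while `switch` is running the key sits staged, so a `git commit` made in that window — or after a SIGKILL, which the EXIT trap cannot catch — would carry it into history. The `.gitignore` entry added in this commit does not prevent either, since `-f` bypasses it by design. A comment above the `git add` would keep the intent and the residue visible: `# staged only so flake eval can see the file; never commit it — the blob lands in .git/objects regardless and lingers until gc`. Separately, `[ $(hostname) == "teidesu-osx" ]` in `on_exit` repeats the unquoted command substitution already used below; `[ "$(hostname)" == "teidesu-osx" ]` avoids a `[` syntax error if hostname prints nothing.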