chore: better unsafe secret handling

turned out my previous scheme didn't work properly under linux xd
2024-05-12 12:43:51 +03:00 · 2024-05-12 12:43:51 +03:00 · 5ba68e987d
commit 5ba68e987d
parent 9c15fce069
5 changed files with 18 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
 result
 .DS_Store
 /test.nix
+/secrets/unsafe.key
--- a/12
+++ b/12
@ -42,15 +42,11 @@ export MICRO_CONFIG_HOME="$micro_config_dir"
 export EDITOR=micro
 export RULES="$tempfile"

-if [ "$(uname)" == "Darwin" ]; then
-  if [ "$is_unsafe" == "true" ]; then
-    private_path="/Users/Shared/agenix-key-unsafe"
-  else
-    private_path="$HOME/.ssh/agenix-key"
-  fi
+if [ "$is_unsafe" == "true" ]; then
+  private_path="$script_dir/secrets/unsafe.key"
 else
-  if [ "$is_unsafe" == "true" ]; then
-    private_path="/etc/ssh/agenix-key-unsafe"
+  if [ "$(uname)" == "Darwin" ]; then
+    private_path="$HOME/.ssh/agenix-key"
  else 
    private_path="/etc/ssh/agenix-key"
  fi
--- a/lib/secrets-unsafe.nix
+++ b/lib/secrets-unsafe.nix
@ -2,14 +2,12 @@
  age, 
  writeShellScript, 
  system,
-  stdenv,
  ...
 }: 

 {
  readUnsafe = name: let 
-    isDarwin = stdenv.isDarwin;
-    identityPath = if isDarwin then "/Users/Shared/agenix-key-unsafe" else "/etc/ssh/agenix-key-unsafe";
+    identityPath = ../secrets/unsafe.key;

    path = ../secrets + "/UNSAFE.${name}.age";
    drv = builtins.derivation { 
--- a/readme.md
+++ b/readme.md
@ -7,7 +7,7 @@ note to self on what needs to be installed on the host manually:

 ### common
 - `/etc/ssh/agenix-key` (darwin: `~/.ssh/agenix-key`) - private key for secret decryption
- `/etc/ssh/agenix-key-unsafe` (darwin: `/Users/Shared/agenix-key-unsafe`) - private key for unsafe secret decryption
+- `./secrets/unsafe.key` - private key for unsafe secret decryption

 > "unsafe" secrets are only secret to the "outside" world (i.e. the git repo), but are decrypted at build-time
 > and are available globally to the system. this is useful for things like server ips, since i don't want to
--- a/13
+++ b/13
@ -28,13 +28,18 @@ if [ ! -z ${NIX_HOSTNAME+x} ]; then
    flake=".#$NIX_HOSTNAME"
 fi

+function on_exit {
+    git restore --staged secrets/unsafe.key
+    if [ $(hostname) == "teidesu-osx" ]; then
+        git restore --staged hosts/teidesu-osx/arc-setup.nix
+    fi
+}
+trap on_exit EXIT
+
+git add -f secrets/unsafe.key
 if [ "$(uname)" == "Darwin" ]; then
    if [ $(hostname) == "teidesu-osx" ]; then
        git add -f hosts/teidesu-osx/arc-setup.nix
-        function restore {
-            git restore --staged hosts/teidesu-osx/arc-setup.nix
-        }
-        trap restore EXIT
    fi

    if command -v darwin-rebuild &> /dev/null; then