From f5f56c0246e436afdcb5b1ec49815f2e577c56a2 Mon Sep 17 00:00:00 2001 From: Giorgio Gallo Date: Sat, 14 Oct 2023 11:52:45 +0200 Subject: [PATCH] Rules now read from AGENIX_RULES/agenix-rules.nix --- README.md | 21 +++++++++++++-------- doc/reference.md | 4 ++-- doc/rekeying.md | 2 +- doc/tutorial.md | 6 +++--- pkgs/agenix.sh | 39 ++++++++++++++++++++++++++++++++++++--- 5 files changed, 55 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 998bfc2..280a9b6 100644 --- a/README.md +++ b/README.md @@ -244,15 +244,15 @@ e.g. inside your `flake.nix` file: have `sshd` running on it so that it has generated SSH host keys in `/etc/ssh/`. -2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys: +2. Make a directory to store secrets and `agenix-rules.nix` file for listing secrets and their public keys: ```ShellSession $ mkdir secrets $ cd secrets - $ touch secrets.nix + $ touch agenix-rules.nix ``` - This `secrets.nix` file is **not** imported into your NixOS configuration. + This `agenix-rules.nix` file is **not** imported into your NixOS configuration. It's only used for the `agenix` CLI tool (example below) to know which public keys to use for encryption. -3. Add public keys to your `secrets.nix` file: +3. Add public keys to your `agenix-rules.nix` file: ```nix let user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; @@ -283,7 +283,7 @@ e.g. inside your `flake.nix` file: $ agenix -e secret1.age ``` It will open a temporary file in the app configured in your $EDITOR environment variable. - When you save that file its content will be encrypted with all the public keys mentioned in the `secrets.nix` file. + When you save that file its content will be encrypted with all the public keys mentioned in the `agenix-rules.nix` file. 5. Add secret to a NixOS module config: ```nix { 
@@ -567,13 +567,18 @@ EDITOR environment variable of editor to use when editing FILE If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin" -RULES environment variable with path to Nix file specifying recipient public keys. -Defaults to './secrets.nix' +AGENIX_RULES environment variable with path to Nix file specifying recipient public keys. +Defaults to './agenix-rules.nix' ``` +Up to version 0.14.0, agenix used the variable `RULES` (instead of +`AGENIX_RULES`) and the default rules file `secrets.nix` (instead of +`agenix-rules.nix`). Currently agenix still honours those, but they will be +deprecated in the future. + #### Rekeying -If you change the public keys in `secrets.nix`, you should rekey your +If you change the public keys in `agenix-rules.nix`, you should rekey your secrets: ```ShellSession diff --git a/doc/reference.md b/doc/reference.md index 614b0c9..622c392 100644 --- a/doc/reference.md +++ b/doc/reference.md @@ -246,5 +246,5 @@ EDITOR environment variable of editor to use when editing FILE If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin" -RULES environment variable with path to Nix file specifying recipient public keys. -Defaults to './secrets.nix' +AGENIX_RULES environment variable with path to Nix file specifying recipient public keys. +Defaults to './agenix-rules.nix' diff --git a/doc/rekeying.md b/doc/rekeying.md index 4d56ad3..9b1359d 100644 --- a/doc/rekeying.md +++ b/doc/rekeying.md @@ -1,6 +1,6 @@ # Rekeying {#rekeying} -If you change the public keys in `secrets.nix`, you should rekey your +If you change the public keys in `agenix-rules.nix`, you should rekey your secrets: ```ShellSession diff --git a/doc/tutorial.md b/doc/tutorial.md index 8344121..41a120e 100644 --- a/doc/tutorial.md +++ b/doc/tutorial.md 
@@ -4,14 +4,14 @@ have `sshd` running on it so that it has generated SSH host keys in `/etc/ssh/`. -2. Make a directory to store secrets and `secrets.nix` file for listing secrets and their public keys (This file is **not** imported into your NixOS configuration. It is only used for the `agenix` CLI.): +2. Make a directory to store secrets and `agenix-rules.nix` file for listing secrets and their public keys (This file is **not** imported into your NixOS configuration. It is only used for the `agenix` CLI.): ```ShellSession $ mkdir secrets $ cd secrets - $ touch secrets.nix + $ touch agenix-rules.nix ``` -3. Add public keys to `secrets.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)): +3. Add public keys to `agenix-rules.nix` file (hint: use `ssh-keyscan` or GitHub (for example, https://github.com/ryantm.keys)): ```nix let user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH"; diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh index f638b10..7ced252 100644 --- a/pkgs/agenix.sh +++ b/pkgs/agenix.sh @@ -26,8 +26,8 @@ function show_help () { echo ' ' echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"' echo ' ' - echo 'RULES environment variable with path to Nix file specifying recipient public keys.' - echo "Defaults to './secrets.nix'" + echo 'AGENIX_RULES environment variable with path to Nix file specifying recipient public keys.' + echo "Defaults to './agenix-rules.nix'" echo ' ' echo "agenix version: @version@" echo "age binary path: @ageBin@" 
@@ -101,7 +101,40 @@ while test $# -gt 0; do
 esac
 done
 
-RULES=${RULES:-./secrets.nix}
+function get_configured_rules {
+ # prints the first among $AGENIX_RULES, $RULES, erroring out if it points to a
+ # non-existing file
+ ! [ -v AGENIX_RULES ] && ! [ -v RULES ] && return 1
+ local rulesfile="${AGENIX_RULES:-$RULES}"
+ [ -f "$rulesfile" ] || {
+ [ -v AGENIX_RULES ] && variable='AGENIX_RULES' || variable='RULES'
+ err "Rules file '$rulesfile' specified via the variable $variable not found."
+ }
+ echo "$rulesfile"
+}
+
+function find_rules {
+ # walks up the directory tree, printing the first file named agenix-rules.nix
+ # or ./secrets.nix it finds and erroring out otherwise
+ local cwd="$PWD"
+ local rulesfile=''
+ while [ -z "$rulesfile" ]
+ do
+ for f in "$cwd/agenix-rules.nix" "$cwd/secrets.nix"
+ do
+ [ -f "$f" ] && rulesfile="$f"
+ done
+ [ "$cwd" != '/' ] || break
+ cwd=$(dirname "$cwd")
+ done
+ [ -n "$rulesfile" ] || err "$PACKAGE needs a rules file. You can specify one by setting the AGENIX_RULES variable or you can create a file named 'agenix-rules.nix' in the current directory or one of its parents."
+ echo "$rulesfile"
+ unset cwd rulesfile
+}
+
+RULES=$(get_configured_rules || find_rules)
+[ -r "$RULES" ] || err "Cannot read rules file '$RULES'."
+
 function cleanup {
 if [ -n "${CLEARTEXT_DIR+x}" ]
 then
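Review bot: In `find_rules`, the inner `for f in "$cwd/agenix-rules.nix" "$cwd/secrets.nix"` loop has no `break`, so when both files exist in the same directory `rulesfile` is overwritten and ends up as `secrets.nix`, the opposite of the precedence the comment above it promises; change the loop body to `[ -f "$f" ] && { rulesfile="$f"; break; }`. Because the walk continues up to `/`, a rules file in any ancestor directory outside the project silently decides which recipient public keys the secret is encrypted to, so announcing an auto-discovered path on stderr, e.g. `echo "Using rules file '$rulesfile'" >&2` before the final `echo`, would make an unexpected pick visible to the user. Both helpers run inside `$(...)`, so whether `err` actually stops the script at that point depends on its definition and on any `set -e` outside this hunk; if it only prints and returns, the `[ -r "$RULES" ]` backstop still catches the failure, but with a second, less specific message. Finally, `variable` in `get_configured_rules` and `f` in `find_rules` are not declared `local` and leak into the script's global scope, while the trailing `unset cwd rulesfile` is redundant for variables already declared `local`.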