Fix agenix helper identity resolution
This commit is contained in:
parent
03415e579b
commit
4fbebdf85c
1 changed files with 54 additions and 4 deletions
@ -3,6 +3,38 @@ set -euo pipefail
|
|||
|
||||
BURROW_SECRET_TMPFILES=()
|
||||
|
||||
burrow_secret_repo_path() {
|
||||
local repo_root="$1"
|
||||
local secret_path="$2"
|
||||
|
||||
case "${secret_path}" in
|
||||
"${repo_root}"/*)
|
||||
printf '%s\n' "${secret_path#${repo_root}/}"
|
||||
;;
|
||||
*)
|
||||
printf '%s\n' "${secret_path}"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
burrow_agenix_identity_path() {
|
||||
local repo_root="$1"
|
||||
local candidate
|
||||
|
||||
for candidate in \
|
||||
"${BURROW_AGE_IDENTITY:-}" \
|
||||
"${BURROW_FORGE_SSH_KEY:-}" \
|
||||
"${repo_root}/intake/agent_at_burrow_net_ed25519" \
|
||||
"${HOME}/.ssh/agent_at_burrow_net_ed25519" \
|
||||
"${HOME}/.ssh/id_ed25519"
|
||||
do
|
||||
if [[ -n "${candidate}" && -f "${candidate}" ]]; then
|
||||
printf '%s\n' "${candidate}"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
burrow_cleanup_secret_tmpfiles() {
|
||||
local path
|
||||
for path in "${BURROW_SECRET_TMPFILES[@]:-}"; do
|
||||
|
|
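Review bot: When BURROW_AGE_IDENTITY (or BURROW_FORGE_SSH_KEY) is set but does not name an existing file, burrow_agenix_identity_path silently falls through to the repo and ~/.ssh defaults, so an operator's explicit key choice is ignored without any diagnostic and the secret is decrypted or re-encrypted with whichever default matches first. Consider validating the env-provided candidates up front and failing loudly, e.g. `if [[ -n "${BURROW_AGE_IDENTITY:-}" && ! -r "${BURROW_AGE_IDENTITY}" ]]; then echo "BURROW_AGE_IDENTITY not readable: ${BURROW_AGE_IDENTITY}" >&2; return 1; fi`, and testing candidates with `-r` rather than `-f` so an unreadable key is reported here instead of by nix. Separately, in burrow_secret_repo_path the inner expansion in `"${secret_path#${repo_root}/}"` is unquoted and is therefore interpreted as a glob pattern (ShellCheck SC2295); `"${secret_path#"${repo_root}"/}"` keeps the prefix literal. The hunk's last function, burrow_cleanup_secret_tmpfiles, continues past the hunk.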
@ -14,15 +46,23 @@ burrow_cleanup_secret_tmpfiles() {
|
|||
burrow_decrypt_age_secret_to_temp() {
|
||||
local repo_root="$1"
|
||||
local secret_path="$2"
|
||||
local agenix_path
|
||||
local identity_path
|
||||
local tmp_file
|
||||
|
||||
if [[ ! -f "${secret_path}" ]]; then
|
||||
echo "age secret not found: ${secret_path}" >&2
|
||||
return 1
|
||||
fi
|
||||
agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
|
||||
identity_path="$(burrow_agenix_identity_path "${repo_root}")"
|
||||
|
||||
tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")"
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${secret_path}" > "${tmp_file}"
|
||||
if [[ -n "${identity_path}" ]]; then
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" -i "${identity_path}" > "${tmp_file}"
|
||||
else
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" > "${tmp_file}"
|
||||
fi
|
||||
chmod 600 "${tmp_file}"
|
||||
BURROW_SECRET_TMPFILES+=("${tmp_file}")
|
||||
printf '%s\n' "${tmp_file}"
|
||||
|
|
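Review bot: The temporary file is created by mktemp before the agenix run but only appended to BURROW_SECRET_TMPFILES after it, so if `nix run … -d` fails (wrong identity, no matching rule) the function aborts under `set -e` and the file, which may already hold partial plaintext, is never removed by burrow_cleanup_secret_tmpfiles. Registering it immediately after mktemp closes that gap, and collecting the agenix flags in an array removes the two nearly identical nix invocations; the same duplicated if/else appears in burrow_encrypt_secret_from_file in the last hunk. The repo-relative agenix_path presumably only resolves against the rules file when the current directory is repo_root, which nothing in this hunk guarantees; if callers can run from elsewhere, wrap the invocation as `(cd "${repo_root}" && nix …)`. The function's closing brace lies outside the hunk.
```shell
  # … unchanged: locals, -f check on secret_path, agenix_path / identity_path lookup …
  tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")"
  # register before decrypting so a failed nix run is still cleaned up
  BURROW_SECRET_TMPFILES+=("${tmp_file}")
  local -a agenix_args=(-d "${agenix_path}")
  if [[ -n "${identity_path}" ]]; then
    agenix_args+=(-i "${identity_path}")
  fi
  nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- "${agenix_args[@]}" > "${tmp_file}"
  chmod 600 "${tmp_file}"
  printf '%s\n' "${tmp_file}"
```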
@ -66,13 +106,23 @@ burrow_encrypt_secret_from_file() {
|
|||
local repo_root="$1"
|
||||
local secret_path="$2"
|
||||
local source_path="$3"
|
||||
local agenix_path
|
||||
local identity_path
|
||||
|
||||
if [[ ! -s "${source_path}" ]]; then
|
||||
echo "secret source missing or empty: ${source_path}" >&2
|
||||
return 1
|
||||
fi
|
||||
agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
|
||||
identity_path="$(burrow_agenix_identity_path "${repo_root}")"
|
||||
|
||||
SECRET_SOURCE_FILE="${source_path}" \
|
||||
EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${secret_path}"
|
||||
if [[ -n "${identity_path}" ]]; then
|
||||
SECRET_SOURCE_FILE="${source_path}" \
|
||||
EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}" -i "${identity_path}"
|
||||
else
|
||||
SECRET_SOURCE_FILE="${source_path}" \
|
||||
EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
|
||||
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}"
|
||||
fi
|
||||
}
|
||||
|