hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions
burrow/Scripts/_burrow-secrets.sh
Conrad Kramer 028627bfcb Wire namespace caches and agenix secrets
2026-03-19 03:51:53 -07:00

124 lines
3.3 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
BURROW_SECRET_TMPFILES=()
burrow_secret_repo_path() {
local repo_root="$1"
local secret_path="$2"
case "${secret_path}" in
"${repo_root}"/*)
printf '%s\n' "${secret_path#${repo_root}/}"
;;
*)
printf '%s\n' "${secret_path}"
;;
esac
}
burrow_agenix_identity_path() {
local repo_root="$1"
local candidate
for candidate in \
"${BURROW_AGE_IDENTITY:-}" \
"${BURROW_FORGE_SSH_KEY:-}" \
"${repo_root}/intake/agent_at_burrow_net_ed25519" \
"${HOME}/.ssh/agent_at_burrow_net_ed25519" \
"${HOME}/.ssh/id_ed25519"
do
if [[ -n "${candidate}" && -f "${candidate}" ]]; then
printf '%s\n' "${candidate}"
return 0
fi
done
}
burrow_cleanup_secret_tmpfiles() {
local path
for path in "${BURROW_SECRET_TMPFILES[@]:-}"; do
[[ -n "${path}" ]] && rm -f "${path}" >/dev/null 2>&1 || true
done
BURROW_SECRET_TMPFILES=()
}
burrow_decrypt_age_secret_to_temp() {
local repo_root="$1"
local secret_path="$2"
local agenix_path
local identity_path
local tmp_file
if [[ ! -f "${secret_path}" ]]; then
echo "age secret not found: ${secret_path}" >&2
return 1
fi
agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
identity_path="$(burrow_agenix_identity_path "${repo_root}")"
tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")"
if [[ -n "${identity_path}" ]]; then
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" -i "${identity_path}" > "${tmp_file}"
else
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" > "${tmp_file}"
fi
chmod 600 "${tmp_file}"
BURROW_SECRET_TMPFILES+=("${tmp_file}")
printf '%s\n' "${tmp_file}"
}
burrow_resolve_secret_file() {
local repo_root="$1"
local explicit_path="$2"
local intake_path="$3"
local age_path="$4"
local fallback_path="${5:-}"
if [[ -n "${explicit_path}" ]]; then
if [[ ! -s "${explicit_path}" ]]; then
echo "required file missing or empty: ${explicit_path}" >&2
return 1
fi
printf '%s\n' "${explicit_path}"
return 0
fi
if [[ -n "${age_path}" && -f "${age_path}" ]]; then
burrow_decrypt_age_secret_to_temp "${repo_root}" "${age_path}"
return 0
fi
if [[ -n "${intake_path}" && -s "${intake_path}" ]]; then
printf '%s\n' "${intake_path}"
return 0
fi
if [[ -n "${fallback_path}" && -s "${fallback_path}" ]]; then
printf '%s\n' "${fallback_path}"
return 0
fi
return 1
}
burrow_encrypt_secret_from_file() {
local repo_root="$1"
local secret_path="$2"
local source_path="$3"
local agenix_path
local identity_path
if [[ ! -s "${source_path}" ]]; then
echo "secret source missing or empty: ${source_path}" >&2
return 1
fi
agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
identity_path="$(burrow_agenix_identity_path "${repo_root}")"
if [[ -n "${identity_path}" ]]; then
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}" -i "${identity_path}" < "${source_path}"
else
nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}" < "${source_path}"
fi
}
View git blame Copy permalink