

Merge pull request #25 from Lukas-C/main
Attempt orphan deletion only if `age.rekey.generatedSecretsDir` is set
oddlama authored May 27, 2024
2 parents 8da0392 + e063f73 commit a6d83a2
Showing 1 changed file with 15 additions and 9 deletions.
24 changes: 15 additions & 9 deletions apps/generate.nix
Expand Up @@ -56,7 +56,9 @@
# If the path already exists, this makes sure that the definition is the same.
addGeneratedSecretChecked = host: set: secretName: let
secret = nodes.${host}.config.age.secrets.${secretName};
sourceFile = relativeToFlake secret.rekeyFile;
sourceFile = assert assertMsg (secret.rekeyFile != null)
"Host ${host}: age.secrets.${secretName}: `rekeyFile` must be set when using a generator.";
relativeToFlake secret.rekeyFile;
script = secret.generator._script {
inherit secret pkgs;
inherit (pkgs) lib;
Expand Down Expand Up @@ -141,6 +143,12 @@
(map (x: relativeToFlake x.rekeyFile) contextSecret.secret.generator.dependencies));
in
stringsWithDeps.textClosureMap (x: x) stages (attrNames stages);

# It only makes sense to clean up directories of generated secrets
# for the nodes that have a dedicated generatedSecretsDir set.
nodesWithGeneratedSecretsDir =
filter (x: x.config.age.rekey.generatedSecretsDir != null)
(attrValues nodes);
in
pkgs.writeShellScriptBin "agenix-generate" ''
set -euo pipefail
Expand Down Expand Up @@ -234,10 +242,9 @@ in
(
REMOVED_ORPHANS=0
shopt -s nullglob
for f in ${pkgs.lib.concatMapStrings (
x:
escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/* "
) (attrValues nodes)}; do
for f in ${pkgs.lib.concatMapStringsSep " "
(x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/*")
nodesWithGeneratedSecretsDir}; do
if [[ "''${KNOWN_SECRETS_SET["$f"]-false}" == false ]]; then
rm -- "$f" || true
REMOVED_ORPHANS=$((REMOVED_ORPHANS + 1))
Expand All @@ -247,10 +254,9 @@ in
echo " Removed ''${REMOVED_ORPHANS} orphaned files in generation directories"
if [[ "$ADD_TO_GIT" == true ]]; then
git add ${pkgs.lib.concatMapStrings (
x:
escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + " "
) (attrValues nodes)}
git add ${pkgs.lib.concatMapStringsSep " "
(x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir))
nodesWithGeneratedSecretsDir}
fi
fi
)
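Review bot: The new `for f in` list in the third hunk is built per node, not per directory, so two nodes that share the same `age.rekey.generatedSecretsDir` produce the same `dir/*` glob twice; on the second pass every file is already gone, `rm -- "$f" || true` hides the failure, and `REMOVED_ORPHANS` is incremented a second time, so the count printed in the last hunk overstates what was deleted. The `git add` list in the last hunk has the same duplication, which is harmless there but wasteful. Deduplicating the mapped strings fixes both, e.g. `for f in ${pkgs.lib.concatStringsSep " " (pkgs.lib.unique (map (x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/*") nodesWithGeneratedSecretsDir))}; do` and the same `unique (map …)` wrapping for the `git add` arguments, or hoisting a deduplicated directory list next to `nodesWithGeneratedSecretsDir` in the second hunk. Whether `relativeToFlake` already normalizes two spellings of one path to a single string cannot be told from this page, so a `unique` on the raw values may still miss aliases. The subshell these loops run in is closed by the `)` here, but by the hunk header's line counts the last hunk's final context line is not shown, so the block's tail is outside this view.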
