From 2ebfb33183550e87180379a974427e61b19ad189 Mon Sep 17 00:00:00 2001
From: Lukas-C
Date: Sun, 26 May 2024 19:23:13 +0200
Subject: [PATCH 1/3] fix: delete orphans only if generatedSecretsDir is set (fixes #23)

---
 apps/generate.nix | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/apps/generate.nix b/apps/generate.nix
index 7c9677a..15ec1fd 100644
--- a/apps/generate.nix
+++ b/apps/generate.nix
@@ -141,6 +141,12 @@
 (map (x: relativeToFlake x.rekeyFile) contextSecret.secret.generator.dependencies));
 in stringsWithDeps.textClosureMap (x: x) stages (attrNames stages);
+
+ # It only makes sense to clean up directories of generated secrets
+ # for the nodes that have a dedicated generatedSecretsDir set.
+ nodesWithGeneratedSecretsDir =
+ filter (x: x.config.age.rekey.generatedSecretsDir != null)
+ (attrValues nodes);
 in
 pkgs.writeShellScriptBin "agenix-generate" ''
 set -euo pipefail
@@ -234,10 +240,9 @@ in
 (
 REMOVED_ORPHANS=0
 shopt -s nullglob
- for f in ${pkgs.lib.concatMapStrings (
- x:
- escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/* "
- ) (attrValues nodes)}; do
+ for f in ${pkgs.lib.concatMapStringsSep " "
+ (x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/*")
+ nodesWithGeneratedSecretsDir}; do
 if [[ "''${KNOWN_SECRETS_SET["$f"]-false}" == false ]]; then
 rm -- "$f" || true
 REMOVED_ORPHANS=$((REMOVED_ORPHANS + 1))
@@ -247,10 +252,9 @@ in
 echo " Removed ''${REMOVED_ORPHANS} orphaned files in generation directories"
 if [[ "$ADD_TO_GIT" == true ]]; then
- git add ${pkgs.lib.concatMapStrings (
- x:
- escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + " "
- ) (attrValues nodes)}
+ git add ${pkgs.lib.concatMapStringsSep " "
+ (x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir))
+ nodesWithGeneratedSecretsDir}
 fi
 fi
 )
From dafe2ce1d9b05702369b2d8d4a56db56f6f9f0eb Mon Sep 17 00:00:00 2001
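Review bot: The comment above `nodesWithGeneratedSecretsDir` only mentions cleanup, but the same list also drives the `git add` in the third hunk of this patch, so a reader will not expect staging to be narrowed to these nodes as well. Suggest widening it to `# Nodes with a dedicated generatedSecretsDir; only those directories are scanned for orphans and staged with git add.` The enclosing let-block starts before this hunk.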
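Review bot: Two nodes that point at the same generatedSecretsDir now contribute the same `/*` glob twice to the `for f in` list, so each orphan is counted twice in REMOVED_ORPHANS and the second `rm` fails and is hidden by `|| true`; the old `(attrValues nodes)` form had the same property, but the new named list makes it easy to fix. Building the list as `${pkgs.lib.concatStringsSep " " (pkgs.lib.unique (map (x: escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/*") nodesWithGeneratedSecretsDir))}` drops the duplicates, and the `git add` list in the next hunk has the same shape and would take the same treatment. Whether two hosts can legitimately share a directory depends on the module options, which are not visible here. The subshell and the surrounding if-block continue outside the hunk.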
From: Lukas-C
Date: Sun, 26 May 2024 20:12:57 +0200
Subject: [PATCH 2/3] fix: replicate module assert about a required rekeyFile when using a generator

---
 apps/generate.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/generate.nix b/apps/generate.nix
index 15ec1fd..8b3af16 100644
--- a/apps/generate.nix
+++ b/apps/generate.nix
@@ -56,7 +56,9 @@
 # If the path already exists, this makes sure that the definition is the same.
 addGeneratedSecretChecked = host: set: secretName: let
 secret = nodes.${host}.config.age.secrets.${secretName};
- sourceFile = relativeToFlake secret.rekeyFile;
+ sourceFile = assert assertMsg (secret.rekeyFile != null)
+ "age.secrets.${secretName}: `rekeyFile` must be set when using a generator.";
+ relativeToFlake secret.rekeyFile;
 script = secret.generator._script {
 inherit secret pkgs;
 inherit (pkgs) lib;
From e063f73c0d604a24b844691b5a48d22970718497 Mon Sep 17 00:00:00 2001
From: Lukas-C
Date: Mon, 27 May 2024 21:20:08 +0200
Subject: [PATCH 3/3] fix: specify host of origin in error message

---
 apps/generate.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/generate.nix b/apps/generate.nix
index 8b3af16..6851cab 100644
--- a/apps/generate.nix
+++ b/apps/generate.nix
@@ -57,7 +57,7 @@
 addGeneratedSecretChecked = host: set: secretName: let
 secret = nodes.${host}.config.age.secrets.${secretName};
 sourceFile = assert assertMsg (secret.rekeyFile != null)
- "age.secrets.${secretName}: `rekeyFile` must be set when using a generator.";
+ "Host ${host}: age.secrets.${secretName}: `rekeyFile` must be set when using a generator.";
 relativeToFlake secret.rekeyFile;
 script = secret.generator._script {
 inherit secret pkgs;
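Review bot: The new `assert assertMsg (secret.rekeyFile != null)` relies on `assertMsg` being in scope in apps/generate.nix, which this hunk does not show; if it is not already bound from `pkgs.lib`, forcing `sourceFile` fails with an undefined-variable error instead of the intended message. Since the subject says this replicates the module's own assertion, a one-line comment above the binding should say why the duplicate exists, e.g. `# Mirrors the module assertion on rekeyFile, which is not evaluated on this code path.` — adjusted to whatever the actual reason is. Because `assert` is lazy, the check only fires when `sourceFile` is forced, so a generator that never uses it would pass silently; the uses of sourceFile are outside the hunk, so this may or may not matter. The let-block of addGeneratedSecretChecked continues past the hunk.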