

refactor remove secret fields

Yaroslav Bolyukin2021-09-18parent: #f48f507.patch.diff
in: trunk

5 files changed

--- a/Cargo.toml
+++ b/Cargo.toml
@@ -21,6 +21,15 @@
 tempfile = "3.2"
 once_cell = "1.5"
 hostname = "0.3.1"
+age-core = "0.6.0"
+peg = "0.7.0"
+
+nixlike = {path = "crates/nixlike"}
+rage = "0.6.0"
+age = { version = "0.6.0", features = ["ssh", "armor"] }
+base64 = "0.13.0"
+ascii85 = "0.2.1"
+chrono = { version = "0.4.19", features = ["serde"] }
 
 [workspace]
 members = ["crates/nixlike"]
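Review bot: `rage` on L26 and `age-core` on L22 look redundant next to `age` on L27: `rage` is the command-line package built on top of `age`, and `age-core` is age's internal crate, which its own documentation describes as not intended for direct use, as far as I recall. Nothing in the code touched by this commit references either one (the secrets code uses `age::Encryptor`, `age::Recipient` and `ascii85` only), so unless another file needs them, dropping both lines keeps the dependency tree, and the audit surface, to the single crate that actually does the encryption. If they are placeholders for upcoming work, a comment next to them such as `# rage / age-core: needed by <module> (TODO)` would at least record why they are pulled in.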
--- a/src/cmds/secrets/mod.rs
+++ b/src/cmds/secrets/mod.rs
@@ -1,10 +1,7 @@
 use crate::{fleetdata::FleetSecret, host::Config};
 use anyhow::{bail, Result};
 use clap::Clap;
-use std::{
-	collections::BTreeMap,
-	io::{Cursor, Read},
-};
+use std::io::{self, Cursor, Read};
 
 #[derive(Clap)]
 pub enum Secrets {
@@ -19,6 +16,8 @@
 		/// Override secret if already present
 		#[clap(long)]
 		force: bool,
+		#[clap(long)]
+		public: Option<String>,
 	},
 }
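Review bot: The new `public` option on L53-L54 has no doc comment, while `force` directly above it carries one, and it is the one value that ends up stored without encryption. I would mirror the existing style and put `/// Public counterpart of the secret (e.g. a public key); stored as-is, not encrypted` before `#[clap(long)]`, so that `--help` also states the difference between this value and the stdin payload, which is otherwise visible only in the code. The enclosing enum variant starts above the hunk.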
 
@@ -37,51 +36,40 @@
 				machines,
 				name,
 				force,
+				public,
 			} => {
 				let recipients = machines
 					.iter()
-					.map(|m| config.recipient(&m))
+					.map(|m| config.recipient(m))
 					.collect::<Result<Vec<_>>>()?;
 
-				let secret_data = {
+				let secret = {
 					let mut input = vec![];
-					std::io::stdin().read_to_end(&mut input)?;
+					io::stdin().read_to_end(&mut input)?;
 
-					let data: BTreeMap<String, String> = serde_json::from_slice(&input)?;
-					let mut transformed_data: BTreeMap<String, String> = BTreeMap::new();
-					for (k, v) in data {
-						if k.ends_with("_pub") {
-							transformed_data.insert(k, v);
-						} else if k.ends_with("_secret") {
-							let mut encrypted = vec![];
-							let recipients = recipients
-								.iter()
-								.cloned()
-								.map(|r| Box::new(r) as Box<dyn age::Recipient>)
-								.collect();
-							let mut encryptor = age::Encryptor::with_recipients(recipients)
-								.wrap_output(&mut encrypted)?;
-							std::io::copy(&mut Cursor::new(v.as_bytes()), &mut encryptor)?;
-							drop(encryptor);
-
-							transformed_data.insert(k, ascii85::encode(&encrypted));
-						} else {
-							bail!("unknown key type: {:?}", k);
-						}
-					}
-					transformed_data
+					let mut encrypted = vec![];
+					let recipients = recipients
+						.iter()
+						.cloned()
+						.map(|r| Box::new(r) as Box<dyn age::Recipient>)
+						.collect();
+					let mut encryptor =
+						age::Encryptor::with_recipients(recipients).wrap_output(&mut encrypted)?;
+					io::copy(&mut Cursor::new(input), &mut encryptor)?;
+					ascii85::encode(&encrypted)
 				};
 
 				let mut data = config.data_mut();
-				if data.secrets.contains_key(&name) && !force {
+				if data.secret.contains_key(&name) && !force {
 					bail!("secret already defined");
 				}
-				data.secrets.insert(
+				data.secret.insert(
 					name,
 					FleetSecret {
-						owners: machines.clone(),
+						owners: machines,
 						expire_at: None,
-						data: secret_data,
+						secret,
+						public,
 					},
 				);
 			}
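Review bot: The age `StreamWriter` obtained from `wrap_output` on L105-L106 is never finished: L107 copies stdin into it and L108 immediately encodes the buffer, but `finish()` is not called, and the old `drop(encryptor)` on L91 is gone (a plain drop would not finalize it either). As far as I recall the age 0.6 API, the final STREAM chunk is written only by `finish()`, so the stored ciphertext is truncated and fails to decrypt; that L108 compiles while `encryptor` still borrows `encrypted` suggests there is no Drop finalizer doing this for you. I would add `encryptor.finish()?;` right after `io::copy(&mut Cursor::new(input), &mut encryptor)?;` on L107, and since any stdin content is now accepted as the secret, guard the empty case before encrypting with `if input.is_empty() { bail!("empty secret on stdin"); }`. The enclosing match arm and function continue outside the hunk.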
--- a/src/fleetdata.rs
+++ b/src/fleetdata.rs
@@ -16,7 +16,7 @@
 	pub hosts: BTreeMap<String, HostData>,
 	#[serde(default)]
 	#[serde(skip_serializing_if = "BTreeMap::is_empty")]
-	pub secrets: BTreeMap<String, FleetSecret>,
+	pub secret: BTreeMap<String, FleetSecret>,
 }
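Review bot: Renaming the serialized field from `secrets` to `secret` on L136-L137 is a silent format break for fleet data written before this commit: `#[serde(default)]` on L134 makes a missing `secret` map deserialize as empty, and serde by default ignores the unknown `secrets` key unless the container (whose definition starts above the hunk) has `deny_unknown_fields`, so every previously stored secret would simply vanish on the next write of the file. A `#[serde(alias = "secrets")]` would not rescue it either, because the entry layout changes in the same commit (`data` becomes `public`/`secret`). I would either add `#[serde(deny_unknown_fields)]` on the container so old files fail loudly, or document the break on the field with `/// Renamed from "secrets" with a new entry layout; data files in the old format are not read.`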
 
 #[derive(Serialize, Deserialize)]
@@ -26,5 +26,7 @@
 	#[serde(default)]
 	#[serde(skip_serializing_if = "Option::is_none")]
 	pub expire_at: Option<DateTime<Utc>>,
-	pub data: BTreeMap<String, String>,
+	#[serde(skip_serializing_if = "Option::is_none")]
+	pub public: Option<String>,
+	pub secret: String,
 }
--- a/src/keys.rs
+++ b/src/keys.rs
@@ -27,7 +27,7 @@
 		} else {
 			warn!("Loading key for {}", host);
 			let key = self
-				.command_on(&host, "cat", false)
+				.command_on(host, "cat", false)
 				.arg("/etc/ssh/ssh_host_ed25519_key.pub")
 				.run_string()?;
 			self.update_key(host, key.clone());