git.delta.rocks / jrsonnet / refs/commits / 7a2e42ede362


refactor: implement new secret storage schema

Yaroslav Bolyukin2022-08-31parent: #590ae3f.patch.diff
in: trunk

5 files changed

modifiedCargo.lockdiffbeforeafterboth
1313
14[[package]]14[[package]]
15name = "aes"15name = "aes"
16version = "0.7.5"16version = "0.8.1"
17source = "registry+https://github.com/rust-lang/crates.io-index"17source = "registry+https://github.com/rust-lang/crates.io-index"
18checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8"18checksum = "bfe0133578c0986e1fe3dfcd4af1cc5b2dd6c3dbf534d69916ce16a2701d40ba"
19dependencies = [19dependencies = [
20 "cfg-if",20 "cfg-if",
21 "cipher",21 "cipher 0.4.3",
22 "cpufeatures",22 "cpufeatures",
23 "ctr",
24 "opaque-debug",
25]23]
2624
27[[package]]25[[package]]
28name = "age"26name = "age"
29version = "0.7.1"27version = "0.8.1"
30source = "registry+https://github.com/rust-lang/crates.io-index"28source = "registry+https://github.com/rust-lang/crates.io-index"
31checksum = "23100453ca2a1bbda9bfc6deac1bebb828d7e66ba481ebccfedfddf29321b6b9"29checksum = "f066ce1514d24201eab31e0831e9333d2e9b06d698b25f705ef0697fee8256a2"
32dependencies = [30dependencies = [
33 "aes",31 "aes",
34 "age-core",32 "age-core",
35 "base64",33 "base64",
36 "bcrypt-pbkdf",34 "bcrypt-pbkdf",
37 "bech32",35 "bech32",
38 "block-modes",36 "cbc",
39 "chacha20poly1305",37 "chacha20poly1305",
38 "cipher 0.4.3",
40 "cookie-factory",39 "cookie-factory",
40 "ctr",
41 "curve25519-dalek",41 "curve25519-dalek",
42 "hkdf",42 "hkdf",
43 "hmac 0.11.0",43 "hmac",
44 "i18n-embed",44 "i18n-embed",
45 "i18n-embed-fl",45 "i18n-embed-fl",
46 "lazy_static",46 "lazy_static",
52 "rsa",52 "rsa",
53 "rust-embed",53 "rust-embed",
54 "scrypt",54 "scrypt",
55 "sha2 0.10.3",
55 "sha2 0.9.9",56 "sha2 0.9.9",
56 "subtle",57 "subtle",
57 "x25519-dalek",58 "x25519-dalek",
6061
61[[package]]62[[package]]
62name = "age-core"63name = "age-core"
63version = "0.7.1"64version = "0.8.0"
64source = "registry+https://github.com/rust-lang/crates.io-index"65source = "registry+https://github.com/rust-lang/crates.io-index"
65checksum = "70afa630ef12a4fc666277713efbe6da2bc87bb3f3af0f1149415b701362c615"66checksum = "00a5c8d8a33abc74ad393896a6305351dd159d0e184788f4729e3c80e397fa45"
66dependencies = [67dependencies = [
67 "base64",68 "base64",
68 "chacha20poly1305",69 "chacha20poly1305",
69 "cookie-factory",70 "cookie-factory",
70 "hkdf",71 "hkdf",
72 "io_tee",
71 "nom",73 "nom",
72 "rand 0.8.5",74 "rand 0.8.5",
73 "secrecy",75 "secrecy",
74 "sha2 0.9.9",76 "sha2 0.10.3",
75]77]
7678
77[[package]]79[[package]]
149151
150[[package]]152[[package]]
151name = "bcrypt-pbkdf"153name = "bcrypt-pbkdf"
152version = "0.7.2"154version = "0.8.1"
153source = "registry+https://github.com/rust-lang/crates.io-index"155source = "registry+https://github.com/rust-lang/crates.io-index"
154checksum = "4bde65b3c84000288c0abe8aa601a4b7c40b0dbbb7d144dd6c712ed9796e1fd5"156checksum = "f4ef233ffa9cb9c7820b2b0e9efd0821ed180e866c9120ec9f45518659742074"
155dependencies = [157dependencies = [
156 "blowfish",158 "blowfish",
157 "hex-literal",
158 "pbkdf2",159 "pbkdf2",
159 "sha2 0.10.1",160 "sha2 0.10.3",
160]161]
161162
162[[package]]163[[package]]
190]191]
191192
192[[package]]193[[package]]
193name = "block-modes"194name = "block-padding"
194version = "0.8.1"195version = "0.3.2"
195source = "registry+https://github.com/rust-lang/crates.io-index"196source = "registry+https://github.com/rust-lang/crates.io-index"
196checksum = "2cb03d1bed155d89dce0f845b7899b18a9a163e148fd004e1c28421a783e2d8e"197checksum = "0a90ec2df9600c28a01c56c4784c9207a96d2451833aeceb8cc97e4c9548bb78"
197dependencies = [198dependencies = [
198 "block-padding",
199 "cipher",199 "generic-array",
200]200]
201
202[[package]]
203name = "block-padding"
204version = "0.2.1"
205source = "registry+https://github.com/rust-lang/crates.io-index"
206checksum = "8d696c370c750c948ada61c69a0ee2cbbb9c50b1019ddb86d9317157a99c2cae"
207201
208[[package]]202[[package]]
209name = "blowfish"203name = "blowfish"
210version = "0.8.0"204version = "0.9.1"
211source = "registry+https://github.com/rust-lang/crates.io-index"205source = "registry+https://github.com/rust-lang/crates.io-index"
212checksum = "fe3ff3fc1de48c1ac2e3341c4df38b0d1bfb8fdf04632a187c8b75aaa319a7ab"206checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
213dependencies = [207dependencies = [
214 "byteorder",208 "byteorder",
215 "cipher",209 "cipher 0.4.3",
216 "opaque-debug",
217]210]
218211
219[[package]]212[[package]]
235checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"228checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
236229
237[[package]]230[[package]]
238name = "cc"231name = "cbc"
239version = "1.0.73"232version = "0.1.2"
240source = "registry+https://github.com/rust-lang/crates.io-index"233source = "registry+https://github.com/rust-lang/crates.io-index"
241checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"234checksum = "26b52a9543ae338f279b96b0b9fed9c8093744685043739079ce85cd58f289a6"
235dependencies = [
236 "cipher 0.4.3",
237]
242238
243[[package]]239[[package]]
244name = "cfg-if"240name = "cfg-if"
253checksum = "01b72a433d0cf2aef113ba70f62634c56fddb0f244e6377185c56a7cadbd8f91"249checksum = "01b72a433d0cf2aef113ba70f62634c56fddb0f244e6377185c56a7cadbd8f91"
254dependencies = [250dependencies = [
255 "cfg-if",251 "cfg-if",
256 "cipher",252 "cipher 0.3.0",
257 "cpufeatures",253 "cpufeatures",
258 "zeroize",254 "zeroize",
259]255]
266dependencies = [262dependencies = [
267 "aead",263 "aead",
268 "chacha20",264 "chacha20",
269 "cipher",265 "cipher 0.3.0",
270 "poly1305",266 "poly1305",
271 "zeroize",267 "zeroize",
272]268]
294 "generic-array",290 "generic-array",
295]291]
292
293[[package]]
294name = "cipher"
295version = "0.4.3"
296source = "registry+https://github.com/rust-lang/crates.io-index"
297checksum = "d1873270f8f7942c191139cb8a40fd228da6c3fd2fc376d7e92d47aa14aeb59e"
298dependencies = [
299 "crypto-common",
300 "inout",
301]
296302
297[[package]]303[[package]]
298name = "clap"304name = "clap"
368 "typenum",374 "typenum",
369]375]
370
371[[package]]
372name = "crypto-mac"
373version = "0.11.1"
374source = "registry+https://github.com/rust-lang/crates.io-index"
375checksum = "b1d1a86f49236c215f271d40892d5fc950490551400b02ef360692c29815c714"
376dependencies = [
377 "generic-array",
378 "subtle",
379]
380376
381[[package]]377[[package]]
382name = "ctr"378name = "ctr"
383version = "0.8.0"379version = "0.9.1"
384source = "registry+https://github.com/rust-lang/crates.io-index"380source = "registry+https://github.com/rust-lang/crates.io-index"
385checksum = "049bb91fb4aaf0e3c7efa6cd5ef877dbbbd15b39dad06d9948de4ec8a75761ea"381checksum = "0d14f329cfbaf5d0e06b5e87fff7e265d2673c5ea7d2c27691a2c107db1442a0"
386dependencies = [382dependencies = [
387 "cipher",383 "cipher 0.4.3",
388]384]
389385
390[[package]]386[[package]]
714 "libc",710 "libc",
715]711]
716
717[[package]]
718name = "hex-literal"
719version = "0.3.4"
720source = "registry+https://github.com/rust-lang/crates.io-index"
721checksum = "7ebdb29d2ea9ed0083cd8cece49bbd968021bd99b0849edb4a9a7ee0fdf6a4e0"
722712
723[[package]]713[[package]]
724name = "hkdf"714name = "hkdf"
725version = "0.11.0"715version = "0.12.3"
726source = "registry+https://github.com/rust-lang/crates.io-index"716source = "registry+https://github.com/rust-lang/crates.io-index"
727checksum = "01706d578d5c281058480e673ae4086a9f4710d8df1ad80a5b03e39ece5f886b"717checksum = "791a029f6b9fc27657f6f188ec6e5e43f6911f6f878e0dc5501396e09809d437"
728dependencies = [718dependencies = [
729 "digest 0.9.0",
730 "hmac 0.11.0",719 "hmac",
731]720]
732
733[[package]]
734name = "hmac"
735version = "0.11.0"
736source = "registry+https://github.com/rust-lang/crates.io-index"
737checksum = "2a2a2320eb7ec0ebe8da8f744d7812d9fc4cb4d09344ac01898dbcb6a20ae69b"
738dependencies = [
739 "crypto-mac",
740 "digest 0.9.0",
741]
742721
743[[package]]722[[package]]
744name = "hmac"723name = "hmac"
745version = "0.12.0"724version = "0.12.1"
746source = "registry+https://github.com/rust-lang/crates.io-index"725source = "registry+https://github.com/rust-lang/crates.io-index"
747checksum = "ddca131f3e7f2ce2df364b57949a9d47915cfbd35e46cfee355ccebbf794d6a2"726checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
748dependencies = [727dependencies = [
749 "digest 0.10.3",728 "digest 0.10.3",
750]729]
845 "serde",824 "serde",
846]825]
826
827[[package]]
828name = "inout"
829version = "0.1.3"
830source = "registry+https://github.com/rust-lang/crates.io-index"
831checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
832dependencies = [
833 "block-padding",
834 "generic-array",
835]
847836
848[[package]]837[[package]]
849name = "instant"838name = "instant"
874 "unic-langid",863 "unic-langid",
875]864]
865
866[[package]]
867name = "io_tee"
868version = "0.1.1"
869source = "registry+https://github.com/rust-lang/crates.io-index"
870checksum = "4b3f7cef34251886990511df1c61443aa928499d598a9473929ab5a90a527304"
876871
877[[package]]872[[package]]
878name = "itoa"873name = "itoa"
891886
892[[package]]887[[package]]
893name = "libc"888name = "libc"
894version = "0.2.118"889version = "0.2.132"
895source = "registry+https://github.com/rust-lang/crates.io-index"890source = "registry+https://github.com/rust-lang/crates.io-index"
896checksum = "06e509672465a0504304aa87f9f176f2b2b716ed8fb105ebe5c02dc6dce96a94"891checksum = "8371e4e5341c3a96db127eb2465ac681ced4c433e01dd0e938adbef26ba93ba5"
897892
898[[package]]893[[package]]
899name = "libm"894name = "libm"
985980
986[[package]]981[[package]]
987name = "nix"982name = "nix"
988version = "0.23.1"983version = "0.25.0"
989source = "registry+https://github.com/rust-lang/crates.io-index"984source = "registry+https://github.com/rust-lang/crates.io-index"
990checksum = "9f866317acbd3a240710c63f065ffb1e4fd466259045ccb504130b7f668f35c6"985checksum = "e322c04a9e3440c327fca7b6c8a63e6890a32fa2ad689db972425f07e0d22abb"
991dependencies = [986dependencies = [
987 "autocfg 1.1.0",
992 "bitflags",988 "bitflags",
993 "cc",
994 "cfg-if",989 "cfg-if",
995 "libc",990 "libc",
996 "memoffset",991 "memoffset",
992 "pin-utils",
997]993]
998994
999[[package]]995[[package]]
11411137
1142[[package]]1138[[package]]
1143name = "pbkdf2"1139name = "pbkdf2"
1144version = "0.10.0"1140version = "0.10.1"
1145source = "registry+https://github.com/rust-lang/crates.io-index"1141source = "registry+https://github.com/rust-lang/crates.io-index"
1146checksum = "a4628cc3cf953b82edcd3c1388c5715401420ce5524fedbab426bd5aba017434"1142checksum = "271779f35b581956db91a3e55737327a03aa051e90b1c47aeb189508533adfd7"
1147dependencies = [1143dependencies = [
1148 "digest 0.10.3",1144 "digest 0.10.3",
1149]1145]
14821478
1483[[package]]1479[[package]]
1484name = "salsa20"1480name = "salsa20"
1485version = "0.9.0"1481version = "0.10.2"
1486source = "registry+https://github.com/rust-lang/crates.io-index"1482source = "registry+https://github.com/rust-lang/crates.io-index"
1487checksum = "0c0fbb5f676da676c260ba276a8f43a8dc67cf02d1438423aeb1c677a7212686"1483checksum = "97a22f5af31f73a954c10289c93e8a50cc23d971e80ee446f1f6f7137a088213"
1488dependencies = [1484dependencies = [
1489 "cipher",1485 "cipher 0.4.3",
1490]1486]
14911487
1492[[package]]1488[[package]]
15061502
1507[[package]]1503[[package]]
1508name = "scrypt"1504name = "scrypt"
1509version = "0.8.1"1505version = "0.9.0"
1510source = "registry+https://github.com/rust-lang/crates.io-index"1506source = "registry+https://github.com/rust-lang/crates.io-index"
1511checksum = "e73d6d7c6311ebdbd9184ad6c4447b2f36337e327bda107d3ba9e3c374f9d325"1507checksum = "ba0aaf3911fff0d942c10a49779de7754699810fc7dbe3df515613b2ecc8195a"
1512dependencies = [1508dependencies = [
1513 "hmac 0.12.0",1509 "hmac",
1514 "pbkdf2",1510 "pbkdf2",
1515 "salsa20",1511 "salsa20",
1516 "sha2 0.10.1",1512 "sha2 0.10.3",
1517]1513]
15181514
1519[[package]]1515[[package]]
15771573
1578[[package]]1574[[package]]
1579name = "sha2"1575name = "sha2"
1580version = "0.10.1"1576version = "0.10.3"
1581source = "registry+https://github.com/rust-lang/crates.io-index"1577source = "registry+https://github.com/rust-lang/crates.io-index"
1582checksum = "99c3bd8169c58782adad9290a9af5939994036b76187f7b4f0e6de91dbbfc0ec"1578checksum = "899bf02746a2c92bf1053d9327dadb252b01af1f81f90cdb902411f518bc7215"
1583dependencies = [1579dependencies = [
1584 "cfg-if",1580 "cfg-if",
1585 "cpufeatures",1581 "cpufeatures",
modifiedcmds/fleet/Cargo.tomldiffbeforeafterboth
13tempfile = "3.2"13tempfile = "3.2"
14once_cell = "1.5"14once_cell = "1.5"
15hostname = "0.3.1"15hostname = "0.3.1"
16age-core = "0.7.0"16age-core = "0.8.0"
17peg = "0.8.0"17peg = "0.8.0"
18nixlike = {path = "../../crates/nixlike"}18nixlike = { path = "../../crates/nixlike" }
19age = { version = "0.7.0", features = ["ssh", "armor"] }19age = { version = "0.8.1", features = ["ssh", "armor"] }
20base64 = "0.13.0"20base64 = "0.13.0"
21chrono = { version = "0.4.19", features = ["serde"] }21chrono = { version = "0.4.19", features = ["serde"] }
22z85 = "3.0.3"22z85 = "3.0.3"
23clap = { version = "3.1.0", features = ["derive", "env", "wrap_help", "unicode"] }23clap = { version = "3.1.0", features = [
24 "derive",
25 "env",
26 "wrap_help",
27 "unicode",
28] }
24tokio = { version = "1.14.0", features = ["full"] }29tokio = { version = "1.14.0", features = ["full"] }
25tracing = "0.1.29"30tracing = "0.1.29"
modifiedcmds/install-secrets/Cargo.tomldiffbeforeafterboth
4edition = "2021"4edition = "2021"
55
6[dependencies]6[dependencies]
7age = { version = "0.7.1", features = ["ssh"] }7age = { version = "0.8.1", features = ["ssh"] }
8anyhow = "1.0.44"8anyhow = "1.0.44"
9env_logger = "0.9.0"9env_logger = "0.9.0"
10log = "0.4.14"10log = "0.4.14"
11nix = "0.23.1"11nix = "0.25.0"
12serde = "1.0.130"12serde = "1.0.130"
13serde_json = "1.0.68"13serde_json = "1.0.68"
14clap = { version = "3.1.0", features = ["derive", "env", "wrap_help", "unicode"] }14clap = { version = "3.1.0", features = [
15 "derive",
16 "env",
17 "wrap_help",
18 "unicode",
19] }
15tempfile = "3.2.0"20tempfile = "3.2.0"
16z85 = "3.0.3"21z85 = "3.0.3"
modifiedcmds/install-secrets/src/main.rsdiffbeforeafterboth
6use nix::sys::stat::Mode;6use nix::sys::stat::Mode;
7use nix::unistd::{chown, Group, User};7use nix::unistd::{chown, Group, User};
8use serde::{Deserialize, Deserializer};8use serde::{Deserialize, Deserializer};
9use std::fs::{self, DirBuilder};9use std::fs::{self, DirBuilder, File};
10use std::io::{self, Cursor, Read};10use std::io::{self, Cursor, Read, Write};
11use std::iter;11use std::iter;
12use std::os::unix::prelude::PermissionsExt;12use std::os::unix::prelude::PermissionsExt;
13use std::str::from_utf8;13use std::str::from_utf8;
3232
33 #[serde(deserialize_with = "from_z85")]33 #[serde(deserialize_with = "from_z85")]
34 secret: Option<Vec<u8>>,34 secret: Option<Vec<u8>>,
35 public: String,35 public: Option<String>,
3636
37 secret_hash: String,37 public_path: PathBuf,
38 public_path: String,38 stable_public_path: PathBuf,
39
40 secret_path: PathBuf,
41 stable_secret_path: PathBuf,
39}42}
4043
41fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>44fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
5659
57fn init_secret(60fn init_secret(identity: &age::ssh::Identity, value: DataItem) -> Result<()> {
58 identity: &age::ssh::Identity,
59 dir: &Path,
60 name: &str,
61 value: DataItem,
62) -> Result<()> {
63 if value.secret.is_none() {61 if let Some(public) = &value.public {
64 return Ok(());62 let mut hashed = File::create(&value.public_path)?;
65 }
66 let secret = value.secret.as_ref().unwrap();63 let mut stable_dir = value.stable_public_path.parent().expect("not root");
67
68 let mut path = dir.to_path_buf();64 let mut stable_temp =
65 tempfile::NamedTempFile::new_in(stable_dir).context("failed to create tempfile")?;
69 path.push(name);66 hashed.write_all(public.as_bytes())?;
70 if path.strip_prefix(&dir).is_err() {67 stable_temp.write_all(public.as_bytes())?;
71 bail!("found escaping name");68 stable_temp.flush()?;
72 }
73
74 let secret_dir = path69 fs::set_permissions(stable_temp.path(), fs::Permissions::from_mode(0o444))
75 .parent()
76 .expect("path is in tempdir, so it should have parent");70 .context("perm")?;
77
78 if secret_dir != dir {
79 DirBuilder::new()71 fs::set_permissions(&value.public_path, fs::Permissions::from_mode(0o444))
80 .recursive(true)
81 // o: xrw
82 // g: xr
83 // a: xr
84 .mode(0o755)
85 .create(
86 path.parent()
87 .expect("path is in tempdir, so it should have parent"),
88 )
89 .context("failed to create secret directory")?;72 .context("perm")?;
90 }73
74 stable_temp
75 .persist(value.stable_public_path)
76 .context("failed to persist")?;
77 }
78 if value.secret.is_none() {
79 return Ok(());
80 }
81 let secret = value.secret.as_ref().unwrap();
9182
92 let mode = Mode::from_bits(83 let mode = Mode::from_bits(
93 u32::from_str_radix(&value.mode, 8).context("failed to parse mode as octal")?,84 u32::from_str_radix(&value.mode, 8).context("failed to parse mode as octal")?,
100 .context("failed to get group")?91 .context("failed to get group")?
101 .ok_or_else(|| anyhow!("group not found"))?;92 .ok_or_else(|| anyhow!("group not found"))?;
93
94 let mut stable_dir = value.stable_secret_path.parent().expect("not root");
102 let mut tempfile =95 let mut stable_temp =
103 tempfile::NamedTempFile::new_in(secret_dir).context("failed to create tempfile")?;96 tempfile::NamedTempFile::new_in(stable_dir).context("failed to create tempfile")?;
97 let mut hashed = File::create(&value.secret_path)?;
98
104 // File is owned by root, and only root can modify it99 // File is owned by root, and only root can modify it
105
121 decrypted115 decrypted
122 };116 };
123117
118 io::copy(&mut Cursor::new(&decrypted), &mut stable_temp)
119 .context("failed to write decrypted file")?;
124 io::copy(&mut Cursor::new(decrypted), &mut tempfile)120 io::copy(&mut Cursor::new(decrypted), &mut hashed).context("failed to write decrypted file")?;
125 .context("failed to write decrypted file")?;
126121
127 // Make file owned by specified user and group, then change mode122 // Make file owned by specified user and group, then change mode
128 chown(tempfile.path(), Some(user.uid), Some(group.gid))123 chown(stable_temp.path(), Some(user.uid), Some(group.gid))
129 .context("failed to apply user/group")?;124 .context("failed to apply user/group")?;
125 chown(&value.secret_path, Some(user.uid), Some(group.gid))
126 .context("failed to apply user/group")?;
130 fs::set_permissions(tempfile.path(), fs::Permissions::from_mode(mode.bits())).unwrap();127 fs::set_permissions(stable_temp.path(), fs::Permissions::from_mode(mode.bits())).unwrap();
128 fs::set_permissions(&value.secret_path, fs::Permissions::from_mode(mode.bits())).unwrap();
129 stable_temp
131 tempfile.persist(path).context("failed to persist")?;130 .persist(value.stable_secret_path)
131 .context("failed to persist")?;
132132
133 Ok(())133 Ok(())
143 let data_str = from_utf8(&data).context("failed to read data to string")?;143 let data_str = from_utf8(&data).context("failed to read data to string")?;
144 let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;144 let data: Data = serde_json::from_str(data_str).context("failed to parse data")?;
145145
146 let tempdir = tempfile::tempdir_in("/run/").context("failed to create secrets tempdir")?;146 if !fs::metadata("/run/secrets")
147 .map(|m| m.is_dir())
148 .unwrap_or(false)
149 {
150 fs::create_dir("/run/secrets").context("failed to create secrets directory")?;
151 }
147152
148 let identity = age::ssh::Identity::from_buffer(153 let identity = age::ssh::Identity::from_buffer(
149 &mut Cursor::new(154 &mut Cursor::new(
155160
156 let mut failed = false;161 let mut failed = false;
157 for (name, value) in data {162 for (name, value) in data {
158 if let Err(e) = init_secret(&identity, tempdir.path(), &name, value) {163 if let Err(e) = init_secret(&identity, value) {
159 error!(164 error!(
160 "{:?}",165 "{:?}",
161 e.context(format!("failed to initialize secret {}", name))166 e.context(format!("failed to initialize secret {}", name))
167 bail!("one or more secrets failed");172 bail!("one or more secrets failed");
168 }173 }
169174
170 if fs::metadata("/run/secrets")
171 .map(|m| m.is_dir())
172 .unwrap_or(false)
173 {
174 // Already linked
175 renameat2(
176 None,
177 tempdir.path(),
178 None,
179 "/run/secrets",
180 RenameFlags::RENAME_EXCHANGE,
181 )
182 .context("failed to exchange secret directories")?;
183 if tempdir.close().is_err() {
184 warn!("failed to unlink old secrets");
185 }
186 } else {
187 // Link now
188 let persisted = tempdir.into_path();
189 fs::rename(&persisted, "/run/secrets").context("failed to link secret directory")?;
190 }
191 Ok(())175 Ok(())
192}176}
193177
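Review bot: `File::create(&value.secret_path)` (new line 97) opens the hashed secret file with the process umask's default mode, and the decrypted bytes are copied into it (new line 120) before the chown and set_permissions calls on new lines 125–128 run, so under the usual 022 umask the plaintext is world-readable for that window; the stable path does not have this problem only because `NamedTempFile` is created 0600 and persisted after the mode is set. Open the hashed file with an explicit creation mode via `OpenOptionsExt::mode` (reachable through the existing `std::os::unix::prelude` import), or write it through a second `NamedTempFile` and `persist` it the way the stable path is handled. Dropping the old `strip_prefix` "found escaping name" check means `secret_path` and `stable_secret_path` are now used straight from the parsed data, which is acceptable only if that data file is root-written; a comment on `DataItem` such as `// paths are trusted: the data file is generated and installed by root` would make the assumption explicit. The `mut` on both `stable_dir` bindings (new lines 63 and 94) is unused. init_secret's body continues outside the hunk.
```rust
    let mut hashed = fs::OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        // 0600 at creation: the plaintext must never be readable before chown/chmod below
        .mode(0o600)
        .open(&value.secret_path)
        .context("failed to create secret file")?;
    // … unchanged: decrypt, io::copy into stable_temp and hashed, chown, set_permissions, persist …
```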
modifiedflake.nixdiffbeforeafterboth
22 devShell = (pkgs.mkShell.override { stdenv = llvmPkgs.stdenv; }) {22 devShell = (pkgs.mkShell.override { stdenv = llvmPkgs.stdenv; }) {
23 nativeBuildInputs = with pkgs; [23 nativeBuildInputs = with pkgs; [
24 rust24 rust
25 lld
25 cargo-edit26 cargo-edit
26 cargo-udeps27 cargo-udeps
27 cargo-fuzz28 cargo-fuzz