difftreelog
feat support secrets without secret data
in: trunk
4 files changed
cmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -70,17 +70,21 @@
let mut input = vec![];
io::stdin().read_to_end(&mut input)?;
- let mut encrypted = vec![];
- let recipients = recipients
- .iter()
- .cloned()
- .map(|r| Box::new(r) as Box<dyn age::Recipient>)
- .collect();
- let mut encryptor =
- age::Encryptor::with_recipients(recipients).wrap_output(&mut encrypted)?;
- io::copy(&mut Cursor::new(input), &mut encryptor)?;
- encryptor.finish()?;
- encrypted
+ if input.is_empty() {
+ input
+ } else {
+ let mut encrypted = vec![];
+ let recipients = recipients
+ .iter()
+ .cloned()
+ .map(|r| Box::new(r) as Box<dyn age::Recipient>)
+ .collect();
+ let mut encryptor = age::Encryptor::with_recipients(recipients)
+ .wrap_output(&mut encrypted)?;
+ io::copy(&mut Cursor::new(input), &mut encryptor)?;
+ encryptor.finish()?;
+ encrypted
+ }
};
let mut data = config.data_mut();
cmds/fleet/src/fleetdata.rsdiffbeforeafterboth--- a/cmds/fleet/src/fleetdata.rs
+++ b/cmds/fleet/src/fleetdata.rs
@@ -39,7 +39,12 @@
pub expire_at: Option<DateTime<Utc>>,
#[serde(skip_serializing_if = "Option::is_none")]
pub public: Option<String>,
- #[serde(serialize_with = "as_z85", deserialize_with = "from_z85")]
+ #[serde(
+ default,
+ skip_serializing_if = "Vec::is_empty",
+ serialize_with = "as_z85",
+ deserialize_with = "from_z85"
+ )]
pub secret: Vec<u8>,
}
cmds/install-secrets/src/main.rsdiffbeforeafterboth29 mode: String,29 mode: String,30 owner: String,30 owner: String,31 #[serde(deserialize_with = "from_z85")]31 #[serde(deserialize_with = "from_z85")]32 secret: Vec<u8>,32 secret: Option<Vec<u8>>,33}33}343435fn from_z85<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>35fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>36where36where37 D: Deserializer<'de>,37 D: Deserializer<'de>,38{38{39 use serde::de::Error;39 use serde::de::Error;40 String::deserialize(deserializer)40 if let Some(v) = <Option<String>>::deserialize(deserializer)? {41 .and_then(|string| z85::decode(&string).map_err(|err| Error::custom(err.to_string())))41 Ok(Some(42 z85::decode(&v).map_err(|err| Error::custom(err.to_string()))?,43 ))44 } else {45 Ok(None)46 }42}47}434844type Data = HashMap<String, DataItem>;49type Data = HashMap<String, DataItem>;49 name: &str,54 name: &str,50 value: DataItem,55 value: DataItem,51) -> Result<()> {56) -> Result<()> {57 if value.secret.is_none() {58 return Ok(());59 }60 let secret = value.secret.as_ref().unwrap();6152 let mut path = dir.to_path_buf();62 let mut path = dir.to_path_buf();53 path.push(name);63 path.push(name);88 // File is owned by root, and only root can modify it98 // File is owned by root, and only root can modify it899990 let decrypted = {100 let decrypted = {91 let mut input = Cursor::new(&value.secret);101 let mut input = Cursor::new(&secret);92 let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;102 let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;93 let decryptor = match decryptor {103 let decryptor = match decryptor {94 Decryptor::Recipients(r) => r,104 Decryptor::Recipients(r) => r,modules/nixos/secrets.nixdiffbeforeafterboth--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,7 +3,9 @@
sysConfig = config;
secretType = types.submodule ({ config, ... }: {
config = {
- path = mkOptionDefault "/run/secrets/${config._module.args.name}";
+ path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");
+ publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
+ secret = mkIf (config.public != null) "";
};
options = {
public = mkOption {
@@ -12,7 +14,7 @@
default = null;
};
secret = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
description = "Encrypted secret data";
};
mode = mkOption {
@@ -36,6 +38,11 @@
readOnly = true;
description = "Path to the decrypted secret";
};
+ publicPath = mkOption {
+ type = types.package;
+ readOnly = true;
+ description = "Path to the public part of secret";
+ };
};
});
secretsFile = pkgs.writeTextFile {