git.delta.rocks / jrsonnet / refs/commits / e8c42d8d3245

difftreelog

fix post secret management refactor

Yaroslav Bolyukin2024-04-26parent: #d8c8e6d.patch.diff
in: trunk

3 files changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
6};6};
7use anyhow::{anyhow, bail, ensure, Context, Result};7use anyhow::{anyhow, bail, ensure, Context, Result};
8use chrono::{DateTime, Utc};8use chrono::{DateTime, Utc};
9use clap::Parser;9use clap::{error::ErrorKind, Parser};
10use crossterm::{terminal, tty::IsTty};
11use itertools::Itertools;
10use owo_colors::OwoColorize;12use owo_colors::OwoColorize;
11use serde::Deserialize;13use serde::Deserialize;
12use std::{14use std::{
13	collections::{BTreeSet, HashSet},15	collections::{BTreeSet, HashSet},
16	ffi::OsString,
14	io::{self, Cursor, Read},17	io::{self, stdin, Cursor, Read, Write},
15	path::PathBuf,18	path::PathBuf,
16};19};
17use tabled::{Table, Tabled};20use tabled::{Table, Tabled};
21use tempfile::NamedTempFile;
18use tokio::fs::read_to_string;22use tokio::{fs::read_to_string, process::Command};
19use tracing::{error, info, info_span, warn, Instrument};23use tracing::{error, info, info_span, warn, Instrument};
2024
21#[derive(Parser)]25#[derive(Parser)]
586							{590							{
587								Ok(v) => v,591								Ok(v) => v,
588								Err(e) => {592								Err(e) => {
589									error!("{e}");593									error!("{e:?}");
590									continue;594									continue;
591								}595								}
592							};596							};
modifiedcmds/fleet/src/host.rsdiffbeforeafterboth
385		let config_unchecked_field = nix_go!(fleet_field.unchecked.config);385		let config_unchecked_field = nix_go!(fleet_field.unchecked.config);
386386
387		let import = nix_go!(builtins_field.import);387		let import = nix_go!(builtins_field.import);
388		let overlays = nix_go!(fleet_field.overlays);388		let overlays = nix_go!(config_unchecked_field.overlays);
389		let nixpkgs = nix_go!(fleet_field.nixpkgs | import);389		let nixpkgs = nix_go!(fleet_field.nixpkgs | import);
390390
391		let default_pkgs = nix_go!(nixpkgs(Obj {391		let default_pkgs = nix_go!(nixpkgs(Obj {
modifiedmodules/fleet/secrets.nixdiffbeforeafterboth
153    overlays = [153    overlays = [
154      (final: prev: let154      (final: prev: let
155        lib = final.lib;155        lib = final.lib;
156        inherit (lib) strings;156        inherit (lib) strings concatMap;
157        inherit (strings) escapeShellArgs;157        inherit (strings) escapeShellArgs;
158      in {158      in {
159        mkEncryptSecret = {159        mkEncryptSecret = {
160          rage ? prev.rage,160          rage ? prev.rage,
161          recipients,161          recipients,
162        }:162        }:
163          prev.writeShellScript "encryptor" ''163          prev.writeShellScript "encryptor" ''
164            #!/bin/sh164            #!/bin/sh
165            exec ${rage}/bin/rage ${escapeShellArgs recipients} -e "$@"165            exec ${rage}/bin/rage ${escapeShellArgs (concatMap (r: ["-r" r]) recipients)} -e "$@"
166          '';166          '';
167        # TODO: Move to fleet167        # TODO: Move to fleet
168        # TODO: Merge both generators to one with consistent options syntax?168        # TODO: Merge both generators to one with consistent options syntax?
169        # Impure generator is built on local machine, then built closure is copied to remote machine,169        # Impure generator is built on local machine, then built closure is copied to remote machine,
174          # (Some secrets-encryption-in-git/managed PKI solution is expected)174          # (Some secrets-encryption-in-git/managed PKI solution is expected)
175          impureOn ? null,175          impureOn ? null,
176        }:176        }:
177          (prev.writeShellScript "impureGenerator.sh" ''177          (prev.writeShellScript "impureGenerator.sh" ''
178            #!/bin/sh178            #!/bin/sh
179            set -eu179            set -eu
180
180            cd /var/empty181            # TODO: Provide tempdir from outside, to make it securely erasurable as needed?
182            tmp=$(mktemp -d)
183            cd $tmp
184            # cd /var/empty
181185
182            created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")186            created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")
183187
184            ${script}188            ${script}
185189
186            if ! test -d $out; then190            if ! test -d $out; then
187              echo "impure generator script did not produce expected \$out output"191              echo "impure generator script did not produce expected \$out output"
188              exit 1192              exit 1
189            fi193            fi
190194
191            echo -n $created_at > $out/created_at195            echo -n $created_at > $out/created_at
192            echo -n SUCCESS > $out/marker196            echo -n SUCCESS > $out/marker
193          '')197          '')
194          .overrideAttrs (old: {198          .overrideAttrs (old: {
195            passthru = {199            passthru = {
196              inherit impureOn;200              inherit impureOn;