oddlama / agenix-rekey

An agenix extension adding secret generation and automatic rekeying using a YubiKey or master-identity
MIT License

Attempt orphan deletion only if `age.rekey.generatedSecretsDir` is set #25

Closed Lukas-C closed 5 months ago

Lukas-C commented 5 months ago

Fixes #23 by adding the path at age.rekey.generatedSecretsDir only as a deletion candidate if it is not null.

I have done some basic validation that secret generation and orphan removal with age.rekey.generatedSecretsDir set to a sensible value still results in the expected behavior. However, as I usually don't really have an advanced use case of this as a test bed, some more testing might be a good idea.

Also fixes another unhelpful error message similar to the one in #23. Before, running agenix generate with a secret that has generators set, but not rekeyFile, would result in the same basic error message:

error: Cannot generate  as it isn't a direct subpath of the flake directory /nix/store/h9fl1a96wgcsfp4qd7hqnqczi2zp8xva-source, meaning this script cannot determine its true origin!

This seems to happen because the module asserts at ./modules/agenix-rekey.nix appear to be sidestepped when running agenix generate. Therefore, we replicate the module-level assert in ./apps/generate.nix.
TIL: The following appears to be valid bash:

# The word list after "in" is empty, so the loop body runs zero times.
for f in ; do
  echo "I'm not printed."
done

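To make the two points of this PR concrete, here is an added shell example (not agenix-rekey's own code) that models the orphan-deletion guard and the empty-loop behaviour described above. Everything in it is constructed for illustration: the function names, the stand-in variable for age.rekey.generatedSecretsDir, and the temporary files it scans.

```shell
#!/usr/bin/env bash
# Added example, not code from agenix-rekey. It models the guard from this PR:
# a generated-secrets directory is only a deletion candidate when it is set,
# and an empty candidate list makes the cleanup loop a no-op instead of an error.
set -eu

# Print the directories to scan for orphaned secrets, one per line.
# $1 is the main secrets directory (always present); $2 stands in for
# age.rekey.generatedSecretsDir and may be empty or omitted (assumed names).
orphan_candidate_dirs() {
  local secrets_dir="$1" generated_dir="${2:-}"
  printf '%s\n' "$secrets_dir"
  if [ -n "$generated_dir" ]; then
    printf '%s\n' "$generated_dir"
  fi
}

# Count how many times a "for" loop body executes for the given word list.
# With no arguments the list is empty and the body never runs, which is the
# "for f in ; do ... done" observation from the comment above.
count_iterations() {
  local n=0 f
  for f in "$@"; do
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Dry run of orphan detection: list regular files in "$dir" whose basename is
# not among the remaining arguments (the secrets still declared in the config).
# An empty or missing directory yields nothing rather than an error.
find_orphans() {
  local dir="$1"; shift
  local f name known
  [ -n "$dir" ] && [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    for known in "$@"; do
      [ "$name" = "$known" ] && continue 2
    done
    printf '%s\n' "$f"
  done
}

# Demonstration with a constructed layout: only the secrets dir is a candidate
# when the generated-secrets dir is unset, so nothing outside it is ever scanned.
demo_dir=$(mktemp -d)
touch "$demo_dir/host.age" "$demo_dir/stale.age"
echo "candidates (generated dir unset):"
orphan_candidate_dirs "$demo_dir" ""
echo "orphans (only host.age is still declared):"
find_orphans "$demo_dir" host.age
echo "loop iterations over an empty list: $(count_iterations)"
rm -rf "$demo_dir"
```

The guard in `orphan_candidate_dirs` is the whole fix in miniature: an unset option must never be forwarded as an empty string, because a later `"$dir"/*` glob on `""` would silently scan the current working directory instead of the intended path.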
Lukas-C commented 5 months ago

Good point! I have adjusted the message appropriately.

oddlama commented 5 months ago

Awesome! LGTM

Lukas-C commented 5 months ago

Very happy to be able to contribute something! Thank you very much, especially for the quick resolution!