ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

only backup cleartext file if it exists #176

Closed shivak closed 7 months ago

shivak commented 1 year ago

Avoids complaints from cp about nonexistent files.

ryantm commented 1 year ago

@shivak What scenarios cause this complaint?

Maybe this fixes your problem https://github.com/ryantm/agenix/pull/157/files ?

CobaltCause commented 8 months ago

I run into this in the following situation:

$ mkdir -p secrets/wireguard
$ wg genkey | agenix -v -e secrets/wireguard/red.age -i ~/.ssh/id_ed25519
+ test 4 -gt 0
+ case "$1" in
+ shift
+ test 3 -gt 0
+ export FILE=secrets/wireguard/red.age
+ FILE=secrets/wireguard/red.age
+ shift
+ test 2 -gt 0
+ case "$1" in
+ shift
+ test 1 -gt 0
+ DEFAULT_DECRYPT+=(--identity "$1")
+ shift
+ test 0 -gt 0
+ RULES=./secrets.nix
+ trap cleanup 0 2 3 15
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ edit secrets/wireguard/red.age
+ FILE=secrets/wireguard/red.age
++ keys secrets/wireguard/red.age
++ /nix/store/513i3g7cqxzy6a2smnika69qwy9rwbga-nix-2.13.3/bin/nix-instantiate --json --eval --strict -E '(let rules = import ./secrets.nix; in rules."secrets/wireguard/red.age".publicKeys)'
++ /nix/store/hagvhrwy8jzj97kc7nyy9vr18xkg7xvk-jq-1.6-bin/bin/jq -r '.[]'
+ KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfle747LQBahWbu5VId7zGOlxeILis9BPh/RexQtfQJ benjamin@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvEursdg5B0QAKd8jWzHN+OfYX0OTuy3M3dMzKUDW6g charles@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeir8vZy/O5V1sPRdXybU0jhT8LlRoIdIYq4qxgLjAR root@red'
++ /nix/store/jsk5vfpxnjmh89ddyk9lh2nzpl8dky23-mktemp-1.7/bin/mktemp -d
+ CLEARTEXT_DIR=/tmp/tmp.IDEYZozAzO
++ basename secrets/wireguard/red.age
+ CLEARTEXT_FILE=/tmp/tmp.IDEYZozAzO/red.age
+ DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+ decrypt secrets/wireguard/red.age 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfle747LQBahWbu5VId7zGOlxeILis9BPh/RexQtfQJ benjamin@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvEursdg5B0QAKd8jWzHN+OfYX0OTuy3M3dMzKUDW6g charles@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeir8vZy/O5V1sPRdXybU0jhT8LlRoIdIYq4qxgLjAR root@red'
+ FILE=secrets/wireguard/red.age
+ KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfle747LQBahWbu5VId7zGOlxeILis9BPh/RexQtfQJ benjamin@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvEursdg5B0QAKd8jWzHN+OfYX0OTuy3M3dMzKUDW6g charles@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeir8vZy/O5V1sPRdXybU0jhT8LlRoIdIYq4qxgLjAR root@red'
+ '[' -z 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfle747LQBahWbu5VId7zGOlxeILis9BPh/RexQtfQJ benjamin@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvEursdg5B0QAKd8jWzHN+OfYX0OTuy3M3dMzKUDW6g charles@computer.surgery
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeir8vZy/O5V1sPRdXybU0jhT8LlRoIdIYq4qxgLjAR root@red' ']'
+ '[' -f secrets/wireguard/red.age ']'
+ cp /tmp/tmp.IDEYZozAzO/red.age /tmp/tmp.IDEYZozAzO/red.age.before
cp: cannot stat '/tmp/tmp.IDEYZozAzO/red.age': No such file or directory
+ '[' -t 0 ']'
+ EDITOR='cp /dev/stdin'
+ cp /dev/stdin /tmp/tmp.IDEYZozAzO/red.age
+ '[' '!' -f /tmp/tmp.IDEYZozAzO/red.age ']'
+ '[' -f secrets/wireguard/red.age ']'
+ ENCRYPT=()
+ IFS=
+ read -r key
+ ENCRYPT+=(--recipient "$key")
+ IFS=
+ read -r key
+ ENCRYPT+=(--recipient "$key")
+ IFS=
+ read -r key
+ ENCRYPT+=(--recipient "$key")
+ IFS=
+ read -r key
++ /nix/store/jsk5vfpxnjmh89ddyk9lh2nzpl8dky23-mktemp-1.7/bin/mktemp -d
+ REENCRYPTED_DIR=/tmp/tmp.K2avYXIoZS
++ basename secrets/wireguard/red.age
+ REENCRYPTED_FILE=/tmp/tmp.K2avYXIoZS/red.age
+ ENCRYPT+=(-o "$REENCRYPTED_FILE")
+ /nix/store/176fb66dbfj3294chdnha0nlqyj3n3ax-rage-0.9.0/bin/rage --recipient 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfle747LQBahWbu5VId7zGOlxeILis9BPh/RexQtfQJ benjamin@computer.surgery' --recipient 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDvEursdg5B0QAKd8jWzHN+OfYX0OTuy3M3dMzKUDW6g charles@computer.surgery' --recipient 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMeir8vZy/O5V1sPRdXybU0jhT8LlRoIdIYq4qxgLjAR root@red' -o /tmp/tmp.K2avYXIoZS/red.age
+ mv -f /tmp/tmp.K2avYXIoZS/red.age secrets/wireguard/red.age
+ cleanup
+ '[' -n x ']'
+ rm -rf /tmp/tmp.IDEYZozAzO
+ '[' -n x ']'
+ rm -rf /tmp/tmp.K2avYXIoZS
+ exit 0
+ cleanup
+ '[' -n x ']'
+ rm -rf /tmp/tmp.IDEYZozAzO
+ '[' -n x ']'
+ rm -rf /tmp/tmp.K2avYXIoZS
jankaifer commented 8 months ago

I faced the same problem in https://github.com/ryantm/agenix/issues/211 and I ended up suggesting the same fix in #212. I'll close my PR as a duplicate; thanks @CobaltCause for noticing.

zmrocze commented 8 months ago

Running into this when creating a fresh file with agenix -e:

# agenix -e my-credentials.age
cp: cannot stat '/run/user/1000/tmp.DVnIKHCzPb/my-credentials.age': No such file or directory

where my-credentials.age doesn't exist before the command is run (and does afterwards, so the command seemingly succeeded).

jankaifer commented 7 months ago

@ryantm could we merge this, please? When I started using agenix it took me a few hours to debug this error (it doesn't actually cause problems, but the error messages printed by this issue confused me).

n8henrie commented 7 months ago

Why is this ! -f ... || instead of -f ... &&? Seems like the latter is both shorter and more readable. Is there some edge case behavior I'm not thinking of?

jankaifer commented 7 months ago

I think that -f ... && would work fine. That's how I did it in https://github.com/ryantm/agenix/pull/212/files that I closed as a duplicate (but I used an actual if).
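The edge case asked about above, as an added example that is neither agenix's code nor anything posted in this thread: a POSIX shell script that runs both guard idioms against a missing cleartext file and reports what each returns. The `[ ! -f F ] || cp F F.before` form returns 0 whether or not F exists, while `[ -f F ] && cp F F.before` returns 1 when F is missing; that status only matters when the idiom is the last statement of a function that is called as a plain command under `set -e`, which the script checks in a fresh `sh -e` process (the `if` form jankaifer mentions sidesteps this, since a failed `if` condition is never the statement's status). Function names, the temporary directory and the sample file contents are constructed for the example; whether agenix's own script runs with errexit is not shown on this page and is not assumed.

```shell
#!/bin/sh
# Added example, not agenix's own code: compares the two "back up the
# cleartext file only if it exists" idioms from the thread on a missing
# file and under `set -e`. Whether errexit applies in agenix depends on
# the options its script sets, which this thread does not show.
set -e

# Idiom in the PR: returns 0 whether or not the file exists, because a
# missing file makes the left side of `||` succeed and cp never runs.
backup_or_guard() {
  [ ! -f "$1" ] || cp "$1" "$1.before"
}

# Alternative raised in review: returns 1 when the file is missing, because
# the failed test short-circuits the `&&` list and that status becomes the
# function's return value.
backup_and_guard() {
  [ -f "$1" ] && cp "$1" "$1.before"
}

# Run "$@" and print its exit status instead of propagating it, so callers
# running under `set -e` are not aborted by a non-zero result.
status_of() {
  if "$@"; then echo 0; else echo $?; fi
}

# Check whether a script under `set -e` survives when the idiom text in $1 is
# the last statement of a function called as a plain command, for the path
# in $2. The idiom text refers to the path as "$f". A fresh `sh -e` process
# isolates the outcome; prints "survived" or "aborted".
survives_errexit() {
  out=$(sh -e -c "backup() { $1; }; f=\$1; backup; echo survived" sh "$2" 2>/dev/null) || true
  if [ "$out" = survived ]; then echo survived; else echo aborted; fi
}

# Demo on a constructed temporary directory: one missing and one present file.
demo_dir=$(mktemp -d)
printf 'constructed sample secret\n' > "$demo_dir/present"
for idiom in backup_or_guard backup_and_guard; do
  echo "$idiom on missing file: status $(status_of "$idiom" "$demo_dir/missing")"
  echo "$idiom on present file: status $(status_of "$idiom" "$demo_dir/present")"
done
echo "or-guard as last line under set -e:  $(survives_errexit '[ ! -f "$f" ] || cp "$f" "$f.before"' "$demo_dir/missing")"
echo "and-guard as last line under set -e: $(survives_errexit '[ -f "$f" ] && cp "$f" "$f.before"' "$demo_dir/missing")"
rm -rf "$demo_dir"
```

Running the script prints status 0 for the `||` guard in both cases and status 1 for the `&&` guard on the missing file; the final two lines show "survived" for the `||` guard and "aborted" for the `&&` guard. That is the behavioural difference behind the shorter form being less safe as a bare last statement of a function in an errexit script, even though both correctly skip the cp.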