From d240fc93e3dcd938e25b9de5a47619052dc98ef9 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Sun, 17 Apr 2022 16:30:48 +0000
Subject: [PATCH] fix: remove agebox

---
 .age.yml | 5 +++++
 .ageboxreg.yml | 3 ---
 .agekeys | 1 -
 Makefile | 18 ++++++++++--------
 overlay/zdt/configs/access.conf.agebox | 5 -----
 5 files changed, 15 insertions(+), 17 deletions(-)
 create mode 100644 .age.yml
 delete mode 100644 .ageboxreg.yml
 delete mode 100644 .agekeys
 delete mode 100644 overlay/zdt/configs/access.conf.agebox

diff --git a/.age.yml b/.age.yml
new file mode 100644
index 0000000..dce98c5
--- /dev/null
+++ b/.age.yml
@@ -0,0 +1,5 @@
+version: "1"
+paths:
+- overlay/zdt/configs/access.conf
+keys:
+- age1z42dmf0cluvuyp2jz9gzkf2ly9afxqmp9cy6dy22fwak32uhjszscn25k4
diff --git a/.ageboxreg.yml b/.ageboxreg.yml
deleted file mode 100644
index 15bdc58..0000000
--- a/.ageboxreg.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-file_ids:
-- overlay/zdt/configs/access.conf
-version: "1"
diff --git a/.agekeys b/.agekeys
deleted file mode 100644
index c714e30..0000000
--- a/.agekeys
+++ /dev/null
@@ -1 +0,0 @@
-age1z42dmf0cluvuyp2jz9gzkf2ly9afxqmp9cy6dy22fwak32uhjszscn25k4
diff --git a/Makefile b/Makefile
index fee68a0..918bc5d 100644
--- a/Makefile
+++ b/Makefile
@@ -13,18 +13,20 @@ clean:
 
 # Adds all tracked encrypted files to .gitignore as safety net
 age-add-gitignore:
- @for f in $$(yq eval .file_ids[] .ageboxreg.yml); do grep -qxF $$f .gitignore || echo $$f >> .gitignore; done
+ @touch .gitignore; for f in $$(yq eval .paths[] .age.yml); do grep -qxF $$f .gitignore || echo $$f >> .gitignore; done
 
-# Decrypts all secrets, which also removes the .agebox files locally and they show as "deleted" for now
-# This is a design choice of the agebox devs atm
+# Decrypts all secrets and removes the .age file
 age-unseal:
- @agebox decrypt --all
+ @for f in $$(yq eval .paths[] .age.yml); do \
+ age --decrypt -i ~/.ssh/git.age -o $$f $$f.age && rm $$f.age; \
+ done
 
 # Encrypts all secrets, but compares the local unencrypted files with the decrypted content from the index first
-# If there are no diffs, just restore the agebox file from the index and delete the unaltered local unencrypted file
+# If there are no diffs, just restore the .age file from the index and delete the unaltered local unencrypted file
 # If there are changes re-encrypt
 age-seal:
- @for f in $$(yq eval .file_ids[] .ageboxreg.yml); do \
+ @keys=$$(yq eval .keys[] .age.yml | sed -e 's/^/-r /' ); \
+ for f in $$(yq eval .paths[] .age.yml); do \
 [ -f $$f ] || continue; \
- git restore $${f}.agebox; agebox cat $$f.agebox | diff - $$f && \
- rm -f $$f || ( rm -f $$f.agebox; agebox encrypt $$f --public-keys .agekeys; ); done
+ git restore $${f}.age; age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f 2>/dev/null 1>&2 && \
+ rm -f $$f || ( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; ); done
diff --git a/overlay/zdt/configs/access.conf.agebox b/overlay/zdt/configs/access.conf.agebox
deleted file mode 100644
index d89258c..0000000
--- a/overlay/zdt/configs/access.conf.agebox
+++ /dev/null
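Review bot: The new `age-unseal` loop reports only the exit status of its last iteration, so a failed `age --decrypt` on any earlier path (missing identity file, wrong key, corrupt `.age` file) leaves that secret unsealed while `make` still exits 0; the `age-seal` loop has the same masking, and there a failed `age --encrypt` leaves the plaintext on disk after `rm -f $$f.age` has already removed the ciphertext. Changing the unseal body to `age --decrypt -i ~/.ssh/git.age -o $$f $$f.age || exit 1; rm $$f.age; \` and wrapping the re-encrypt branch as `( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; ) || exit 1` makes each loop stop loudly at the first error instead of silently continuing. The identity path `~/.ssh/git.age` is now hard-coded in both recipes; an `AGE_IDENTITY ?= ~/.ssh/git.age` knob referenced as `-i $(AGE_IDENTITY)` would keep the two in sync and let a user override it from the command line. Both new recipes end inside this hunk, but the `clean` target named in the hunk header starts outside it.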
@@ -1,5 +0,0 @@
-age-encryption.org/v1
--> X25519 ZT6m1CYk0KfJbxayb1X65OgPL6U4lnVgr90fSOiHNTA
-aAo+pQyd8gS9Y2cYufu9rAsSCDr+hmjfRa2h5HtkEZw
---- JlxAy916xCRYxSIeTbFzmU9U6+TYOFSVwDMx30m8i/w
-ѳuP#@h9˚Cϐ mm>' kd6qƁSť
\ No newline at end of file