From 6f8f74cc6921874d2b63ef2f8dceebe4ae0c8a3f Mon Sep 17 00:00:00 2001
From: oddlama <oddlama@oddlama.org>
Date: Wed, 15 Mar 2023 17:03:35 +0100
Subject: [PATCH] feat: add format-secrets app to run alejandra on hidden
 configuration

---
 flake.nix                               |   9 +++++++-
 hosts/zackbiene/secrets/secrets.nix.age | Bin 496 -> 516 bytes
 nix/apps.nix                            |  27 ++++++++++++++++++++++++
 nix/colmena.nix                         |  10 ++++-----
 nix/rage-decrypt.sh                     |  16 +++++++++-----
 nix/secrets.nix                         |   4 +---
 secrets/secrets.nix.age                 |  17 ++++++++-------
 7 files changed, 61 insertions(+), 22 deletions(-)
diff --git a/flake.nix b/flake.nix
index ddf7de5..1106f3f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,8 +46,15 @@
     ...
   } @ inputs:
     {
+      # The identities that are used to rekey agenix secrets and to
+      # decrypt all repository-wide secrets.
+      secrets = {
+        masterIdentities = [./secrets/yk1-nix-rage.pub];
+        extraEncryptionPubkeys = [./secrets/backup.pub];
+        content = import ./nix/secrets.nix inputs;
+      };
+
       hosts = import ./nix/hosts.nix inputs;
-      secrets = import ./nix/secrets.nix inputs;
       colmena = import ./nix/colmena.nix inputs;
       overlays = import ./nix/overlay.nix inputs;
       homeConfigurations = import ./nix/home-manager.nix inputs;
diff --git a/hosts/zackbiene/secrets/secrets.nix.age b/hosts/zackbiene/secrets/secrets.nix.age
index 080e16667373ab5393e09f01452e2dcf711cd9e5..25625ad941b0b3bfaf00fb4101d199f30ec08963 100644
GIT binary patch
delta 494
zcmWm7O>dK6003a)oQWhR#<K^qWHDJKE#;$q7dtJ`0)^7jj|rWNE0ppAZJ|J+ZI(81
zMh{-rY>EFt&;EcVo_6r)&L&=syLvM|f8e>@dUx*}U0W{98->sYA(?u3H;e0C%68*`
z!<+5HDf9p_0fxzC@VtsRkX~lev^EHPPTXUmT8{&Fp6aj$nh~4{HS<+ImL^KT<q+%u
z4V(lE@)V8Er){gKqGj7l7t16*B>D!E_+n4uyX#&^tAp5IvTns`xY}~$Hz_u0E|Icn
z&~fDG&6Zvx8FlJuTA0lke8FtNc{h{lgd&T;0v*fypY1+9**U5l?_+jo^&<=AW~C}>
zwM(ay6GVc_T<96&T3xR4ZkjEQBrZp`a3echlNn*y;Y?`;ia;19Y)U9$Rh0x7<P@P#
zLxPX0Dxxta+ZicEIgTi!?2RLW(1(kFqx?W&#|h(#8qbefcwyEi+4^X}WDU~~8mg#K
z@}i<57>1!T3|t!r<BnD5CE(bDvE~CCH~MLgNOL9>sC<W(*jAw-i^#L{?{B$HY4t$5
z`MtV5l`sBm-#`9IzPJ!CyU+dd>fzVx8^(VE_MG?DBlXMX*JkJH&e`k7*H?|d+xurP
Vx$=<uxclkbk2iNO^$(x7{sAW)s9gX6

delta 474
zcmWm7yNlCs003a{#3A4yf}Efja4ey1(x&a8l0I^6npcyyX>y`8Ns}hcJHI@dD|9#)
z!2=x>1qE*tCuaq>`vV-D1VO>gK_>@MJm+ut?w$Ry^AO(l5`865Q&I;5Y}~FBVnj2R
zZD&QD>H2^VhO(9JNfpv?G)PBRop{9(Jv<wYJ*qF6i>T+%@UU3noq=M7SXJdI4W-d0
zgxrJ!D@6jdj>CB<E}A2lSaKD$oO!u8S?g627lfI;&18dXr6$jLEiD+N1naG3XK(62
z^Nf=Gz@><CL>9_C(S5&4a74=uF{^M<TQveQI@Lx}`JaI$C+yE|AZE0f#|wC!;HeEl
zXli*$x8Aj;HNMqv3=20v%?@M4W2FW#DQ;}(QV@Ga>X&ROuUF(Drl@r8)EYFP!jN9&
zkdI4fQw)tvbh<i8mzS)}mq;&2q}n6`6ra0#ii=ZE<DC9voU#ytAh1T5P6&v2M7WbR
zz<Mnj$n8p5o~`wg(r5}*QP40sVMd~)LCD+BN5wJw;^L<rW_u-j^LzVC-M#ev=>6vF
z!3N))zkc=EmuvSAU#WMpwrc-$CXXKc(evl<ySvAKZ=F2;@Qpq5@!;J4$&<^&3ol>a
Ge)<ob|EZ+_

diff --git a/nix/apps.nix b/nix/apps.nix
index 6208205..389fa1b 100644
--- a/nix/apps.nix
+++ b/nix/apps.nix
@@ -45,4 +45,31 @@ in
         set -euo pipefail
         ${mapAttrsToLines generateHostKey self.nodes}
       '');
+    format-secrets = let
+      isAbsolutePath = x: substring 0 1 x == "/";
+      masterIdentityArgs = concatMapStrings (x: ''-i "${x}" '') self.secrets.masterIdentities;
+      extraEncryptionPubkeys =
+        concatMapStrings (
+          x:
+            if isAbsolutePath x
+            then ''-R "${x}" ''
+            else ''-r "${x}" ''
+        )
+        self.secrets.extraEncryptionPubkeys;
+      formatSecret = path: ''
+        '';
+    in
+      mkApp (pkgs.writeShellScript "format-secrets" ''
+        set -euo pipefail
+	      [[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
+	      for f in $(find . -type f -name '*.nix.age'); do
+	        echo "Formatting $f ..."
+	        decrypted=$(${./rage-decrypt.sh} --print-out-path "$f" ${concatStringsSep " " self.secrets.masterIdentities}) \
+            || { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
+	        formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
+            || { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
+	      	${pkgs.rage}/bin/rage -e ${masterIdentityArgs} ${extraEncryptionPubkeys} <<< "$formatted" > "$f" \
+            || { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
+	      done
+      '');
   }
diff --git a/nix/colmena.nix b/nix/colmena.nix
index 3469996..4490706 100644
--- a/nix/colmena.nix
+++ b/nix/colmena.nix
@@ -14,7 +14,7 @@ with nixpkgs.lib; let
   nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts;
   generateColmenaNode = hostName: _: {
     imports = [
-      ({ config, ... }: {
+      ({config, ...}: {
         # By default, set networking.hostName to the hostName
         networking.hostName = mkDefault hostName;
         # Define global flakes for this system
@@ -27,8 +27,8 @@ with nixpkgs.lib; let
         # Setup parameters for Secrets
         rekey.forceRekeyOnSystem = "x86_64-linux";
         rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub";
-        rekey.masterIdentities = [../secrets/yk1-nix-rage.pub];
-        rekey.extraEncryptionPubkeys = [../secrets/backup.pub];
+        rekey.masterIdentities = self.secrets.masterIdentities;
+        rekey.extraEncryptionPubkeys = self.secrets.extraEncryptionPubkeys;
       })
       (../hosts + "/${hostName}")
       home-manager.nixosModules.default
@@ -46,12 +46,12 @@ in
       nodeNixpkgs = mapAttrs (hostName: {system, ...}: self.pkgs.${system}) nixosHosts;
       nodeSpecialArgs =
         mapAttrs (hostName: _: {
-          nodeSecrets = self.secrets.nodes.${hostName};
+          nodeSecrets = self.secrets.content.nodes.${hostName};
         })
         nixosHosts;
       specialArgs = {
         inherit (nixpkgs) lib;
-        inherit (self) secrets;
+        secrets = self.secrets.content;
         nixos-hardware = nixos-hardware.nixosModules;
         #impermanence = impermanence.nixosModules;
       };
diff --git a/nix/rage-decrypt.sh b/nix/rage-decrypt.sh
index 5ac1780..8ee9f52 100755
--- a/nix/rage-decrypt.sh
+++ b/nix/rage-decrypt.sh
@@ -2,14 +2,20 @@
 
 set -euo pipefail
 
+print_out_path=false
+if [[ "$1" == "--print-out-path" ]]; then
+	print_out_path=true
+	shift
+fi
+
 file="$1"
-[[ "$file" == "/nix/store/"* ]] || { echo "Input must be a store path!"; exit 1; }
 shift
 identities=("$@")
 
-# Strip .age suffix and store path prefix
+# Strip .age suffix, and store path prefix or ./ if applicable
 basename="${file%".age"}"
-basename="${basename#*"-"}"
+[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
+[[ "$file" == "./"* ]] && basename="${basename#"./"}"
 
 # Calculate a unique content-based identifier (relocations of
 # the source file in the nix store should not affect caching)
@@ -29,5 +35,5 @@ if [[ ! -e "$out" ]]; then
 	rage -d "${args[@]}" -o "$out" "$file"
 fi
 
-# Print decrypted content
-cat "$out"
+# Print out path or decrypted content
+[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
diff --git a/nix/secrets.nix b/nix/secrets.nix
index be57fd6..be99e60 100644
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
@@ -17,8 +17,6 @@
   ...
 } @ inputs:
 with nixpkgs.lib; let
-  # The identities that are used to decrypt any repository-wide secrets.
-  masterIdentities = [../secrets/yk1-nix-rage.pub];
   # If the given expression is a bare set, it will be wrapped in a function,
   # so that the imported file can always be applied to the inputs, similar to
   # how modules can be functions or sets.
@@ -30,7 +28,7 @@ with nixpkgs.lib; let
   importEncrypted = path:
     constSet (
       if builtins.pathExists path
-      then builtins.extraBuiltins.rageImportEncrypted masterIdentities path
+      then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
       else {}
     );
 in
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 624516c..5b02c71 100644
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> X25519 vyK4cXkYqS/xic3L1hVfZOm9F2dy41g0k8NtY0S7o0g
-pdm+YdbPD+jg9oRGD1m/bSFwmcI6slqCg8bSSHUgyTg
--> piv-p256 xqSe8Q A7Z8dLqDdsXdeMFUI0yZy7IOH+VovH4bzc2dRkCKQYoE
-fa0294BZfM4wYXdF1j5BogNpVdgfhnITHIFubQq8G6M
--> X-grease YRM7Gw8# 0\&Rw
-SXlWKCRgatc1AAoprriaOmKPrw
---- ybnfcV0t6H0UUl6Oc5z6EYOuLxpeVqh+TcywwgevaFw
-aú§­C	½‹kz  ´DMÞYwÿ8ß›¿¬”Ú†Î.ñòúO¡<àq.6±vX( ¹­ß
\ No newline at end of file
+-> X25519 jCfz22p8CDk1U/maaSqUBJh4KsHNvu2MM54IG9bVuFI
+ChPScrrrFWgg8sVFucu7u5af+BXGgYczIpoohiYQSow
+-> piv-p256 xqSe8Q A64wBcZEPJKnAC9xlBc3gbosqhB9sNN/dFZDQSMcB3Kp
+9ksGpeSm8WOELDHLeTrttKA1ynDEwxi+jNRWzxQfxMQ
+-> DiE~<-grease
+p5tg4SCVvfjsWqai9U2ABMsTwBkIa2waWtGdK4/ulHcCHR8CMvYKS9bjjsw/Z0ZH
+pwDzZGosmU5vRZxy/HM
+--- U08NaDLEjVxdVr4TfeFK07h6ZcaZf1XN79X6mQyLmnk
+ÐòhM¡ˆú*$\¸³1ñ?ºæg§‰á€À¨ìs;kÉ»‡³"ÃÄwß}õ ÿ¹ÈÙ>
\ No newline at end of file
