commit 3ab86cc95affa1a641310aa6c4ac225c8d6a9fb8
parent 589959d6c844faec2a8d3a298c9fc031ce9c3094
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 10 Oct 2024 12:16:17 +0200
pkgs/agenix: hopefully fix some rekeying bugs
2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/pkgs/agenix/agenix.sh b/pkgs/agenix/agenix.sh
@@ -115,7 +115,7 @@ function cleanup {
 trap "cleanup" 0 2 3 15
 function keys {
- (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" rules.\"$1\".publicKeys)" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') | @sedBin@ '/^$/d' || exit 1
+ (@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in rules.\"$1\".publicKeys)" | @jqBin@ -r .[]) || exit 1
 }
 function decrypt {
@@ -128,7 +128,6 @@ function decrypt {
 if [ -f "$FILE" ]
 then
- DECRYPT=("${DEFAULT_DECRYPT[@]}")
 if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
 if [ -f "$HOME/.ssh/id_rsa" ]; then
 DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
@@ -151,11 +150,12 @@ function edit {
 CLEARTEXT_DIR=$(@mktempBin@ -d)
 CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
- DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
+ DECRYPT=("${DEFAULT_DECRYPT[@]}")
+ DECRYPT+=(-o "$CLEARTEXT_FILE")
 decrypt "$FILE" "$KEYS" || exit 1
- cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
+ [ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
 [ -t 0 ] || EDITOR='cp /dev/stdin'
@@ -168,10 +168,12 @@ function edit {
 fi
 [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
- ENCRYPT=()
+ ENCRYPT=(--armor)
 while IFS= read -r key
 do
- ENCRYPT+=(--recipient "$key")
+ if [ -n "$key" ]; then
+ ENCRYPT+=(--recipient "$key")
+ fi
 done <<< "$KEYS"
 REENCRYPTED_DIR=$(@mktempBin@ -d)
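Review bot: The new `keys` still splices `$1` and `$RULES` straight into the Nix expression, so a rule name containing `"` or `${` breaks out of the string literal and changes what gets evaluated; passing the name in as data keeps it inert: `(@nixInstantiate@ --json --eval --strict --argstr name "$1" -E "{ name }: (import $RULES).\${name}.publicKeys" | @jqBin@ -r '.[]') || exit 1`. Quoting the jq filter as `'.[]'` also stops the shell from treating it as a glob. Note that `|| exit 1` only terminates the `$( )` subshell in which `keys` is invoked (see the `"$(keys "$FILE")"` call further down), so a failed lookup reaches the caller as an empty key list rather than as an error; the caller should test `[ -n "$KEYS" ]` before encrypting.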
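Review bot: With the blank-line filter added to the `while` loop, a rules entry whose public key list is empty leaves `ENCRYPT` as just `--armor`, and the problem only surfaces as age's own missing-recipient error after the editor has already been run and the cleartext written to the temp dir. Checking the list up front, before the editor is launched (that part of `edit` lies outside this hunk), gives a clear message and avoids producing cleartext for nothing: `[ -n "$KEYS" ] || { warn "no public keys for $FILE"; exit 1; }`.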
@@ -179,13 +181,15 @@ function edit {
 ENCRYPT+=(-o "$REENCRYPTED_FILE")
- @ageBin@ --armor "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+ @ageBin@ "${ENCRYPT[@]}" <"$CLEARTEXT_FILE" || exit 1
+
+ mkdir -p "$(dirname "$FILE")"
- mv -f "$REENCRYPTED_FILE" "$1"
+ mv -f "$REENCRYPTED_FILE" "$FILE"
 }
 function rekey {
- FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
+ FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
 for FILE in $FILES
 do
@@ -196,5 +200,5 @@ function rekey {
 }
 [ $REKEY -eq 1 ] && rekey && exit 0
-[ $DECRYPT_ONLY -eq 1 ] && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
+[ $DECRYPT_ONLY -eq 1 ] && DECRYPT=("${DEFAULT_DECRYPT[@]}") && DECRYPT+=("-o" "-") && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
 edit "$FILE" && cleanup && exit 0
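Review bot: In `rekey`, the `|| exit 1` sits inside the `$( (…) )` substitution, so when `nix-instantiate` or `jq` fails only the subshell exits: `FILES` is empty, the `for` loop runs zero times, and the `rekey && exit 0` line below reports success although nothing was rekeyed. Move the check outside the substitution and reject an empty list: `FILES=$(@nixInstantiate@ --json --eval --strict -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r '.[]') || exit 1` followed by `[ -n "$FILES" ] || { warn "no rules found in $RULES"; exit 1; }`. Without `pipefail` the first line only reflects jq's status, which is why the emptiness check is needed, and `--strict` matches what `keys` now passes. `for FILE in $FILES` also word-splits, so a rule name containing whitespace is split into two; iterating with `while IFS= read -r FILE` over the jq output, as `edit` already does for keys, avoids that. The body of `rekey` continues past the hunk.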
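Review bot: The new decrypt-only line still chains everything with `&&`, so if `decrypt` returns non-zero (as `decrypt "$FILE" "$KEYS" || exit 1` in `edit` suggests it does rather than exiting itself) the trailing `&& exit 0` is skipped and control falls through to `edit "$FILE"`, launching an editor and a re-encryption on a secret the user only asked to read. An `if` block fixes both the fall-through and the lost exit status: `if [ "$DECRYPT_ONLY" -eq 1 ]; then DECRYPT=("${DEFAULT_DECRYPT[@]}" -o -); decrypt "${FILE}" "$(keys "$FILE")"; exit $?; fi`. The `rekey` line just above has the same `&&`-chain shape.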
diff --git a/pkgs/agenix/default.nix b/pkgs/agenix/default.nix
@@ -3,6 +3,7 @@
 stdenv,
 rage,
 gnused,
+ jq,
 nix,
 mktemp,
 diffutils,
@@ -14,13 +15,13 @@ stdenv.mkDerivation rec {
 pname = "agenix";
 version = "0.13.0";
 src = substituteAll {
- inherit ageBin version;
- sedBin = "${gnused}/bin/sed";
- nixInstantiate = "${nix}/bin/nix-instantiate";
- mktempBin = "${mktemp}/bin/mktemp";
- diffBin = "${diffutils}/bin/diff";
- src = ./agenix.sh;
- };
+ inherit ageBin version;
+ jqBin = "${jq}/bin/jq";
+ nixInstantiate = "${nix}/bin/nix-instantiate";
+ mktempBin = "${mktemp}/bin/mktemp";
+ diffBin = "${diffutils}/bin/diff";
+ src = ./agenix.sh;
+ };
 dontUnpack = true;
 doCheck = true;
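Review bot: `gnused` stays in the argument set of the first hunk although `sedBin` is dropped from `substituteAll` in the second, and the agenix.sh hunks in this commit remove every `@sedBin@` use they touch. If no other reference to `@sedBin@` remains in the script, `gnused,` should go too, so the package does not keep an input it no longer substitutes. Since the `substituteAll` lines are all reissued anyway, this is also the natural place to drop it.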