passwords: Only read passwords if needs updating
No need for unlocking keys on each rebuild anymore!
This commit is contained in:
		
							parent
							
								
									7b9c4fb004
								
							
						
					
					
						commit
						a6a1e32ade
					
				
					 1 changed files with 48 additions and 18 deletions
				
			
		|  | @ -56,29 +56,59 @@ in | |||
|               else " | tail -n +2 | yq -r '.${password.selector}'") | ||||
|           ); | ||||
|           readPassword = password: (readPasswordClear password) + (lib.strings.optionalString (password.transform != null) " | ${password.transform}"); | ||||
|           isGeneratedPassword = password: ''test -f "$PASSWORD_STORE_DIR"/${lib.strings.escapeShellArg password.path}.gpg''; | ||||
|           gitPath = password: ''"$PASSWORD_STORE_DIR"/${lib.strings.escapeShellArg password.path}.gpg''; | ||||
|           isGeneratedPassword = password: ''test -f ${gitPath password}''; | ||||
|           dateGit = password: " " + ''(cd "$(dirname ${gitPath password})"; git log -n1 --format='format:%ct' "$(basename ${gitPath password})")'' + " "; | ||||
|           dateStore = password: ''sudo stat -c '%Y' ${passwordStorePath password}''; | ||||
|           isInStore = password: ''sudo test -f ${passwordStorePath password}''; | ||||
|           testCanGenerate = password: lib.asserts.assertMsg (builtins.elem password.selector [ "@" null ]) "Unimplemented: generator + selector ${describePassword password}"; | ||||
|           generatePassword = password: assert testCanGenerate password; ''${password.generator} | pass insert -m ${lib.strings.escapeShellArg password.path}''; | ||||
|           raiseCantGenerate = password: ''echo "Error: no generator" ; exit 1''; | ||||
|           ensurePassword = password: '' | ||||
|             if ! ${isGeneratedPassword password} | ||||
|           syncPasswordStore = password: '' | ||||
|             # ${describePassword password} | ||||
|             write=false | ||||
|             if ${isInStore password} | ||||
|             then | ||||
|               echo Generating ${lib.strings.escapeShellArg (describePassword password)} | ||||
|               ${(if password.generator != null then generatePassword else raiseCantGenerate) password} | ||||
|               if ${isGeneratedPassword password} | ||||
|               then | ||||
|                 date_store="$(${dateStore password})" | ||||
|                 date_git="$(${dateGit password})" | ||||
|                 if [ "$date_git" -eq "$date_store" ] | ||||
|                 then | ||||
|                   echo ${lib.strings.escapeShellArg (describePassword password)}: up-to-date | ||||
|                 elif [ "$date_git" -gt "$date_store" ] | ||||
|                 then | ||||
|                   echo ${lib.strings.escapeShellArg (describePassword password)}: updating | ||||
|                   write=true | ||||
|                 else | ||||
|                   echo ERROR ${lib.strings.escapeShellArg (describePassword password)}: store is more recent than git | ||||
|                   exit 1 | ||||
|                 fi | ||||
|               else | ||||
|                 echo ERROR ${lib.strings.escapeShellArg (describePassword password)}: exists in store but not in git | ||||
|                 exit 1 | ||||
|               fi | ||||
|             else | ||||
|               if ${isGeneratedPassword password} | ||||
|               then | ||||
|                 echo ${lib.strings.escapeShellArg (describePassword password)}: installing | ||||
|               else | ||||
|                 echo ${lib.strings.escapeShellArg (describePassword password)}: generating | ||||
|                 ${(if password.generator != null then generatePassword else raiseCantGenerate) password} | ||||
|               fi | ||||
|               write=true | ||||
|             fi | ||||
|             if [ "$write" = true ] | ||||
|             then | ||||
|               temp="$(mktemp)" | ||||
|               trap 'rm "$temp"' ERR | ||||
|               ${readPassword password} > "$temp" | ||||
|               touch -d @"$(${dateGit password})" "$temp" | ||||
|               sudo install -o root -g root -m u=rw -p -T "$temp" ${lib.strings.escapeShellArg (passwordStorePath password)} | ||||
|               rm "$temp" | ||||
|               trap - ERR | ||||
|             fi | ||||
|           ''; | ||||
|           writePasswordStore = password: '' | ||||
|             # ${describePassword password} | ||||
|             ${ensurePassword password} | ||||
|             echo Updating ${lib.strings.escapeShellArg (describePassword password)} in password store | ||||
|             temp="$(mktemp)" | ||||
|             trap 'rm "$temp"' ERR | ||||
|             ${readPassword password} > "$temp" | ||||
|             sudo install -C -o root -g root -m u=rw -T "$temp" ${lib.strings.escapeShellArg (passwordStorePath password)} | ||||
|             rm "$temp" | ||||
|             trap - ERR | ||||
|           ''; | ||||
|           # TODO Only read password if timestamp didn't change from git repository (and alert if in future, exists on fs but not in git, etc.) | ||||
|           allFilenames = builtins.map (password: "${passwordStoreDir}/${passwordHash password}") passwords; | ||||
|         in | ||||
|         '' | ||||
|  | @ -88,7 +118,7 @@ in | |||
|               test -d "$PASSWORD_STORE_DIR" | ||||
|               sudo install -C -o root -g root -m u=rwx -d "${passwordStoreDir}" | ||||
| 
 | ||||
|               ${lib.strings.concatLines (builtins.map writePasswordStore passwords)} | ||||
|               ${lib.strings.concatLines (builtins.map syncPasswordStore passwords)} | ||||
| 
 | ||||
|               comm -23 <(sudo find ${passwordStoreDir} -type f | sort) <(echo ${lib.strings.escapeShellArg (lib.strings.concatLines allFilenames)} | sort) | while read -r file | ||||
|               do | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue