-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtell-a-secret.raku
executable file
·293 lines (239 loc) · 11.2 KB
/
tell-a-secret.raku
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
#! /usr/bin/env nix-shell
#! nix-shell --pure -i raku -E
#! nix-shell "let d=[p.rakudo p.coreutils p.gnupg p.diffutils];p=import(import channels/nixos-pin.nix){};in p.mkShell{buildInputs=d;}"
# WARNING! Run from the project root (from where “channels/nixos-pin.nix” can be found).
# Author: Viacheslav Lotsmanov
# License: MIT https://raw.githubusercontent.com/unclechu/nixos-config/master/LICENSE
use v6.d;
$*PROGRAM.dirname.&*chdir;
my Str:D \hardware-dir = 'hardware';
my Str:D \keys-file = 'keys.secret';
my Str:D \decrypted-secret-postfix = '.secret.nix';
my Str:D \encrypted-secret-postfix = "{decrypted-secret-postfix}.asc";
my Str:D \machine-specific-secret-symlink = 'machine-specific.secret.nix';
# Apart from hardware secrets list that is formed automatically
my @extra-secrets is Array:D[Str:D] = keys-file, 'secret.nix';
sub expand-executable(Str:D \e) of Str:D {
{ given IO::Path.new: e, :CWD($_) { return .absolute if .e } } for $*SPEC.path;
die error
"‘{e}’ executable is not found! Paths used for searching:\n" ~
$*SPEC.path.map({" $_"}).join("\n")
}
# Guarding dependencies
constant \ls = expand-executable 'ls';
constant \ln = expand-executable 'ln';
constant \gpg = expand-executable 'gpg';
constant \diff = expand-executable 'diff';
# Shell text coloring helpers
sub red(Str:D \x --> Str:D) { "\e[31m{x}\e[0m" }
sub green(Str:D \x --> Str:D) { "\e[32m{x}\e[0m" }
sub blue(Str:D \x --> Str:D) { "\e[34m{x}\e[0m" }
sub yellow(Str:D \x --> Str:D) { "\e[1;33m{x}\e[0m" }
# More abstract shell text coloring helpers
sub error(Str:D \x --> Str:D) { red x }
sub warning(Str:D \x --> Str:D) { yellow x }
sub info(Str:D \x --> Str:D) { green x }
sub debug(Str:D \x --> Str:D) { blue x }
sub get-hardware-dir-files(--> Seq:D) {
given run «"{ls}" -- "{hardware-dir}/"», :out { LEAVE {.sink}; .out.slurp(:close).lines }
}
# A list of fiels
sub get-hardware-secret-configs(Bool:D \encrypted, Str:D @hardware-dir-files, --> Seq:D) {
my regex R { $(encrypted ?? encrypted-secret-postfix !! decrypted-secret-postfix) $ };
@hardware-dir-files.grep(&R).map(*.subst(&R, ''))
}
sub validate-list-of-files(Array:D \given-list-files, Array:D \expected-list-of-files) {
return if given-list-files ⊆ expected-list-of-files;
die error
"Provided list of files ({given-list-files.map({qq/‘$_’/}).join: ', '}) is not a subset of " ~
"or equal to this list of expected files: {expected-list-of-files.map({qq/‘$_’/}).join: ', '}!"
}
#| Decrypt secret files and public keys used for encryption.
#| WARNING! This will override your changes in your previously decrypted files if you have some.
multi sub MAIN('decrypt', *@files) {
my Str:D \hostname = '/etc/hostname'.IO.slurp(:close).chomp;
my Str:D @hardware-dir-files = get-hardware-dir-files;
my Str:D @hardware-configs-decrypted = get-hardware-secret-configs False, @hardware-dir-files;
my Str:D @hardware-configs-encrypted = get-hardware-secret-configs True, @hardware-dir-files;
warn warning
"Could not find associated encrypted machine-specific config for ‘{hostname}’ hostname. " ~
'Maybe you didn’t rebuild your system yet? Build it without the decrypted secrets first ' ~
'and then run this script, then you can rebuild the system again. Or maybe you just didn’t ' ~
'create machine-specific secret config yet. In this case create ' ~
"‘{hardware-dir}/{hostname}{decrypted-secret-postfix}’ " ~
'(with at least this dummy-plug: ‘{...}: {}’) and run ‘encrypt’ command.'
unless hostname ∈ @hardware-configs-encrypted;
my Str:D @hardware-files =
@hardware-configs-encrypted.map({ "{hardware-dir}/{$_}{decrypted-secret-postfix}" });
my Str:D @files-to-decrypt = @extra-secrets.clone.append: @hardware-files;
if @files.so {
validate-list-of-files @files, @files-to-decrypt;
@files-to-decrypt = @files;
}
for @files-to-decrypt {
$*ERR.say: debug "\nHandling ‘$_’ file…";
sub decrypt(Str:D \f) of Proc:D { run(«"{gpg}" --decrypt --output "{f}" -- "{f}.asc"»).sink }
unless $_.IO ~~ :f { decrypt $_; next }
my Str:D \encrypted-hash = do {
my Proc:D \decrypt-proc = run «"{gpg}" --decrypt -- "$_.asc"», :out;
given run "sha256sum", :in(decrypt-proc.out), :out {
LEAVE { decrypt-proc.sink; .sink }
.out.get.split(/\s+/)[0]
}
};
my Str:D \decrypted-hash = do given run «sha256sum -- "{$_}"», :out {
LEAVE { .sink }
.out.get.split(/\s+/)[0]
};
if encrypted-hash eq decrypted-hash {
$*ERR.say: debug
"Decrypted ‘$_’ file already exists and matches the checksum of the contents of " ~
'encrypted file. File is skipped.';
} else {
$*ERR.say: warning
"Decrypted ‘$_’ file already exists and its content is different from encrypted file " ~
"(‘$_.asc’). GPG will ask you to confirm overwriting the file. Be cautious! " ~
'Maybe you made some changes in the file that you haven’t encrypted yet? ' ~
'You may loose that data if you give a confirmation. ' ~
"Run this command to see the difference between encrypted and unencrypted files:\n" ~
" '{$*PROGRAM}' diff '{$_}'";
decrypt $_
}
}
unless machine-specific-secret-symlink.IO ~~ :f {
$*ERR.say: info "‘{machine-specific-secret-symlink}’ symlink does not exists, creating it…";
run(«
"{ln}" -s --
"{hardware-dir}/{hostname}{decrypted-secret-postfix}"
"{machine-specific-secret-symlink}"
»).sink;
}
}
#| Encrypt your changes in secret files thus you can commit them and push to the repo.
multi sub MAIN('encrypt', Bool:D :f(:$force) = False, *@files) {
die error "‘{keys-file}’ does not exists. Did you run ‘decrypt’ command first?"
unless keys-file.IO ~~ :f;
my Array:D \recipients =
keys-file.IO.slurp(:close).lines
.grep(* !~~ /^\#/) # Remove commented lines
.Array
.prepend($[False, []])
.reduce(sub (Array:D \acc, Str:D \x --> Array:D) {
if acc[0] && x eq '-----END PGP PUBLIC KEY BLOCK-----' { acc[0] = False }
elsif !acc[0] && x eq '-----BEGIN PGP PUBLIC KEY BLOCK-----' { acc[0] = True }
elsif !acc[0] && x.so { acc[1].append: x }
acc
})
.pop;
my Str:D @hardware-dir-files = get-hardware-dir-files;
my Str:D @hardware-configs-decrypted =
get-hardware-secret-configs(False, @hardware-dir-files)
.map({ "{hardware-dir}/{$_}{decrypted-secret-postfix}" });
my Str:D @files-to-encrypt = @extra-secrets.clone.append: @hardware-configs-decrypted;
if @files.so {
validate-list-of-files @files, @files-to-encrypt;
@files-to-encrypt = @files;
}
die error "Secret file ‘{$_}’ not found! Did you run ‘decrypt’ command first?"
unless .IO ~~ :f for @files-to-encrypt;
for @files-to-encrypt {
$*ERR.say: debug "\nHandling ‘$_’ file…";
# If *.asc file doesn’t exist it means it’s a new file to be encrypted for the first time
if !$force && "$_.asc".IO ~~ :e {
my Str:D \encrypted-hash = do {
my Proc:D \decrypt-proc = run «"{gpg}" --decrypt -- "$_.asc"», :out;
given run "sha256sum", :in(decrypt-proc.out), :out {
LEAVE { decrypt-proc.sink; .sink }
.out.get.split(/\s+/)[0]
}
};
my Str:D \decrypted-hash = do given run «sha256sum -- "{$_}"», :out {
LEAVE { .sink }
.out.get.split(/\s+/)[0]
};
if encrypted-hash eq decrypted-hash {
$*ERR.say: debug
"The checksum of ‘$_’ file and checksum of content of encrypted ‘$_.asc’ file match. " ~
'There are no changes to encrypt. If you still want to re-encrypt the file then just ' ~
"call the command with ‘--force’ flag. ‘$_’ file is skipped.";
next
}
} elsif !$force && "$_.asc".IO !~~ :e {
$*ERR.say: info "‘$_’ seems to be a new file. Encrypting it for the first time…"
}
my Array:D \recipients-arguments =
recipients
.Array
.prepend($[])
.reduce(sub (Array:D \acc, Str:D \x --> Array:D) { acc.append: '--recipient', x });
my Str:D @args = (
«"{gpg}" --armor --encrypt»,
recipients-arguments,
«--output "{$_}.asc" -- "$_"»
).flat;
$*ERR.say: warning
"Decrypted ‘$_’ file is different from its encrypted counterpart (‘$_.asc’). " ~
'GPG will ask you to confirm overwriting the encrypted file. Be cautious! ' ~
'In case you have new changes in both you can loose some data from the encrypted file. ' ~
"Run this command to see the difference between encrypted and unencrypted files:\n" ~
" '{$*PROGRAM}' diff '{$_}'";
$*ERR.say: debug
@args.map({ /^<[a..zA..Z0..9.\-_]>+$/ ?? $_ !! "'$_'" }).Array.prepend('+').join(' ');
run(@args).sink
}
}
#| Import public keys to use them for encryption.
multi sub MAIN('import') {
die error "‘{keys-file}’ does not exists. Did you run ‘decrypt’ command first?"
unless keys-file.IO ~~ :f;
run(«"{gpg}" --import -- "{keys-file}"»).sink
}
#| Show the difference between encrypted and unencrypted files.
#| First goes encrypted source and the second is its unencrypted counterpart.
multi sub MAIN('diff', *@files) {
my Str:D \hostname = '/etc/hostname'.IO.slurp(:close).chomp;
my Str:D @hardware-dir-files = get-hardware-dir-files;
my Str:D @hardware-configs-decrypted = get-hardware-secret-configs False, @hardware-dir-files;
my Str:D @hardware-configs-encrypted = get-hardware-secret-configs True, @hardware-dir-files;
my Str:D @hardware-files =
@hardware-configs-encrypted.map({ "{hardware-dir}/{$_}{decrypted-secret-postfix}" });
my Str:D @files-to-diff = @extra-secrets.clone.append: @hardware-files;
if @files.so {
# Validate existence of the encrypted source files
validate-list-of-files @files, @files-to-diff;
@files-to-diff = @files;
}
# Validate existence of unencrypted counterparts that we are diff-ing
die error "Secret file ‘{$_}’ not found! Did you run ‘decrypt’ command first?"
unless .IO ~~ :f for @files-to-diff;
for @files-to-diff {
$*ERR.say: debug "\nHandling ‘$_’ file…";
# Decrypted contents of the encrypted file.
# NOT the contents of the decrypted file.
my Str:D \decrypted-contents = do
given run «"{gpg}" --decrypt -- "$_.asc"», :out { LEAVE {.sink}; .out.slurp(:close) };
# Hash of the decrypted contents of the encrypted file
my Str:D \encrypted-hash = do given run "sha256sum", :in, :out {
LEAVE { .sink }
.in.spurt(decrypted-contents, :close);
.out.get.split(/\s+/)[0];
};
# Hash of the decrypted file
my Str:D \decrypted-hash = do given run «sha256sum -- "{$_}"», :out {
LEAVE { .sink }
.out.get.split(/\s+/)[0]
};
if encrypted-hash eq decrypted-hash {
$*ERR.say: debug
"The checksum of ‘$_’ file and checksum of content of encrypted ‘$_.asc’ file match. " ~
'There is no difference between the two.';
next
}
$*ERR.say: info
"The difference between ’$_.asc’ and its unencrypted counterpart ’$_‘:";
given run «"{diff}" --color - -- "$_"», :in {
LEAVE { .so } # Ignore non-zero exit code by using “.so”
.in.spurt(decrypted-contents, :close);
}
}
}