+32 -22

cmd/nox/main.go

reviewed

··· 68 68 // }, 69 69 // }, 70 70 { 71 71 + Name: "encrypt", 72 72 + Aliases: []string{"enc"}, 73 73 + Usage: "Encrypt a file", 74 74 + Flags: []cli.Flag{ 75 75 + &cli.StringFlag{ 76 76 + Name: "input", 77 77 + Usage: "path to input file", 78 78 + Aliases: []string{"i"}, 79 79 + Value: constants.StandardInput, 80 80 + Destination: &inputPath, 81 81 + }, 82 82 + &cli.StringFlag{ 83 83 + Name: "output", 84 84 + Usage: "path to output file", 85 85 + Aliases: []string{"o"}, 86 86 + Value: constants.StandardOutput, 87 87 + Destination: &outputPath, 88 88 + }, 89 89 + &cli.StringSliceFlag{ 90 90 + Name: "recipient", 91 91 + Usage: "age public key of recipient (repeatable)", 92 92 + Aliases: []string{"r"}, 93 93 + }, 94 94 + }, 95 95 + Action: func(ctx context.Context, cmd *cli.Command) error { 96 96 + fmt.Println("encrypting file", inputPath) 97 97 + fmt.Println("writing to", outputPath) 98 98 + fmt.Println(cmd.StringSlice("recipient")) 99 99 + return nil 100 100 + }, 101 101 + }, 102 102 + { 71 103 Name: "export", 72 104 Aliases: []string{"e"}, 73 105 Usage: "Export all secrets to a single file", ··· 110 142 return processor.SyncApp(rtx) 111 143 } 112 144 return processor.SyncApps(rtx) 113 113 - }, 114 114 - }, 115 115 - { 116 116 - Name: "encrypt", 117 117 - Aliases: []string{"enc"}, 118 118 - Usage: "Encrypt a file", 119 119 - Flags: []cli.Flag{ 120 120 - &cli.StringFlag{ 121 121 - Name: "input", 122 122 - Usage: "path to input file", 123 123 - Destination: &inputPath, 124 124 - }, 125 125 - &cli.StringFlag{ 126 126 - Name: "output", 127 127 - Usage: "path to output file", 128 128 - Destination: &outputPath, 129 129 - }, 130 130 - }, 131 131 - Action: func(ctx context.Context, cmd *cli.Command) error { 132 132 - fmt.Println("encrypting file", inputPath) 133 133 - fmt.Println("writing to", outputPath) 134 134 - return nil 135 145 }, 136 146 }, 137 147 {

+4 -1

config.yaml .nox.yaml

reviewed

··· 1 1 interval: "10m" 2 2 - ageKeyPath: "keys/key.txt" 2 2 + age: 3 3 + identity: "keys/key.txt" 4 4 + recipients: 5 5 + - "age1nuxu3q9wr5wrd53dj8hj5flhz86q2dpjyuq7agseh0wzwq5t696s2dm0ht" 3 6 statePath: ".nox-state.json" 4 7 defaultRepo: git@github.com:ShorkBytes/nox-secrets.git 5 8 secrets:

+11 -5

internal/config/config.go

reviewed

··· 12 12 } 13 13 14 14 type FileConfig struct { 15 15 - Path string `yaml:"path"` 16 16 - Output string `yaml:"output,omitempty"` 15 15 + Path string `yaml:"path"` 16 16 + Output string `yaml:"output,omitempty"` 17 17 } 18 18 19 19 type AppConfig struct { 20 20 - Repo string `yaml:"repo,omitempty"` 21 21 - Branch string `yaml:"branch"` 20 20 + Repo string `yaml:"repo,omitempty"` 21 21 + Branch string `yaml:"branch"` 22 22 Files []FileConfig `yaml:"files"` 23 23 } 24 24 25 25 + type AgeConfig struct { 26 26 + Identity string `yaml:"identity"` 27 27 + Identities []string `yaml:"identities,omitempty"` 28 28 + Recipients []string `yaml:"recipients,omitempty"` 29 29 + } 30 30 + 25 31 type Config struct { 26 32 Interval string `yaml:"interval"` 27 27 - AgeKeyPath string `yaml:"ageKeyPath"` 33 33 + Age AgeConfig `yaml:"age"` 28 34 StatePath string `yaml:"statePath"` 29 35 DefaultRepo string `yaml:"defaultRepo"` 30 36 Secrets []SecretMapping `yaml:"secrets"`

+1 -1

internal/config/context.go

reviewed

··· 49 49 50 50 identityPath := opts.IdentityPath 51 51 if identityPath == "" { 52 52 - identityPath = cfg.AgeKeyPath 52 52 + identityPath = cfg.Age.Identity 53 53 } 54 54 ids, err := crypto.LoadAgeIdentities(identityPath) 55 55 if err != nil {

+5 -3

internal/constants/constants.go

reviewed

··· 1 1 package constants 2 2 3 3 const ( 4 4 - DefaultStatePath = ".nox-state.json" 5 5 - DefaultConfigPath = "config.yaml" 6 6 - ) 4 4 + DefaultStatePath = ".nox-state.json" 5 5 + DefaultConfigPath = ".nox.yaml" 6 6 + StandardOutput = "<stdout>" 7 7 + StandardInput = "<stdin>" 8 8 + )

+41

internal/crypto/encrypt.go

reviewed

··· 1 1 + package crypto 2 2 + 3 3 + import ( 4 4 + "bytes" 5 5 + "fmt" 6 6 + "io" 7 7 + "os" 8 8 + 9 9 + "filippo.io/age" 10 10 + ) 11 11 + 12 12 + // EncryptFile encrypts the given file using the given identities 13 13 + func EncryptFile(path string, recipients []age.Recipient) ([]byte, error) { 14 14 + data, err := os.ReadFile(path) 15 15 + if err != nil { 16 16 + return nil, fmt.Errorf("failed to read file: %w", err) 17 17 + } 18 18 + return EncryptBytes(data, recipients) 19 19 + } 20 20 + 21 21 + func EncryptBytes(data []byte, recipients []age.Recipient) ([]byte, error) { 22 22 + 23 23 + src := bytes.NewReader(data) 24 24 + dst := new(bytes.Buffer) 25 25 + 26 26 + enc, err := age.Encrypt(dst, recipients...) 27 27 + if err != nil { 28 28 + return nil, fmt.Errorf("initializing age enc failed: %w", err) 29 29 + } 30 30 + 31 31 + if _, err := io.Copy(enc, src); err != nil { 32 32 + enc.Close() // ensure resources are freed 33 33 + return nil, fmt.Errorf("encryption failed: %w", err) 34 34 + } 35 35 + 36 36 + if err := enc.Close(); err != nil { 37 37 + return nil, fmt.Errorf("finalizing encryption failed: %w", err) 38 38 + } 39 39 + 40 40 + return dst.Bytes(), nil 41 41 + }

+1 -1

internal/processor/validate.go

reviewed

··· 11 11 ) 12 12 13 13 func ValidateConfig(cfg *config.Config) error { 14 14 - if cfg.AgeKeyPath == "" { 14 14 + if cfg.Age.Identity == "" { 15 15 return fmt.Errorf("age key path is required") 16 16 } 17 17