+127 -33

cmd/nox/main.go

reviewed

··· 1 1 package main 2 2 3 3 import ( 4 4 + "context" 5 5 + "fmt" 4 6 "log" 5 7 "os" 6 6 - "context" 7 8 8 9 "github.com/aottr/nox/internal/config" 9 10 "github.com/aottr/nox/internal/constants" 10 10 - "github.com/aottr/nox/internal/process" 11 11 + "github.com/aottr/nox/internal/processor" 11 12 "github.com/urfave/cli/v3" 12 13 ) 13 14 14 15 func main() { 15 16 16 17 var configPath string 18 18 + var statePath string 19 19 + var identityPath string 20 20 + var appName string 21 21 + var dryRun bool 22 22 + var force bool 23 23 + var verbose bool 24 24 + var inputPath string 25 25 + var outputPath string 17 26 18 27 cmd := &cli.Command{ 19 28 Name: "nox", 20 29 Usage: "Manage and decrypt app secrets", 21 30 Flags: []cli.Flag{ 22 22 - &cli.StringFlag{ 23 23 - Name: "config", 24 24 - Value: constants.DefaultConfigPath, 25 25 - Usage: "path to config file", 26 26 - Destination: &configPath, 27 27 - }, 28 28 - }, 29 29 - Commands: []*cli.Command{ 30 30 - { 31 31 - Name: "run", 32 32 - Aliases: []string{"r"}, 33 33 - Usage: "Fetch, decrypt, and process app secrets", 34 34 - Action: func(ctx context.Context, cmd *cli.Command) error { 35 35 - cfg, err := config.Load(configPath) 31 31 + &cli.StringFlag{ 32 32 + Name: "config", 33 33 + Value: constants.DefaultConfigPath, 34 34 + Usage: "path to config file", 35 35 + Destination: &configPath, 36 36 + }, 37 37 + &cli.StringFlag{ 38 38 + Name: "state", 39 39 + Value: constants.DefaultStatePath, 40 40 + Usage: "path to state file", 41 41 + Destination: &statePath, 42 42 + }, 43 43 + &cli.StringFlag{ 44 44 + Name: "identity", 45 45 + Usage: "path to age identity file", 46 46 + Destination: &identityPath, 47 47 + }, 48 48 + &cli.BoolFlag{ 49 49 + Name: "verbose", 50 50 + Aliases: []string{"v"}, 51 51 + Value: false, 52 52 + Usage: "print verbose output", 53 53 + Destination: &verbose, 54 54 + }, 55 55 + }, 56 56 + Commands: []*cli.Command{ 57 57 + // { 58 58 + // Name: "run", 59 59 + // Aliases: []string{"r"}, 60 60 + // Usage: "Fetch, decrypt, and process app secrets", 61 61 + // Action: func(ctx context.Context, cmd *cli.Command) error { 62 62 + // cfg, err := config.Load(configPath) 63 63 + // if err != nil { 64 64 + // log.Fatalf("failed to load config: %v", err) 65 65 + // } 66 66 + // return processor.ProcessApps(cfg) 67 67 + // }, 68 68 + // }, 69 69 + { 70 70 + Name: "export", 71 71 + Aliases: []string{"e"}, 72 72 + Usage: "Export all secrets to a single file", 73 73 + Flags: []cli.Flag{ 74 74 + &cli.StringFlag{ 75 75 + Name: "app", 76 76 + Aliases: []string{"a"}, 77 77 + Usage: "app to export secrets for", 78 78 + Destination: &appName, 79 79 + }, 80 80 + &cli.BoolFlag{ 81 81 + Name: "dry-run", 82 82 + Aliases: []string{"d"}, 83 83 + Value: false, 84 84 + Usage: "only print what would be exported", 85 85 + Destination: &dryRun, 86 86 + }, 87 87 + &cli.BoolFlag{ 88 88 + Name: "force", 89 89 + Aliases: []string{"f"}, 90 90 + Value: false, 91 91 + Usage: "ignore state file", 92 92 + Destination: &force, 93 93 + }, 94 94 + }, 95 95 + Action: func(ctx context.Context, cmd *cli.Command) error { 96 96 + rtx, err := config.BuildRuntimeContext(config.RuntimeOptions{ 97 97 + ConfigPath: configPath, 98 98 + StatePath: statePath, 99 99 + IdentityPath: identityPath, 100 100 + DryRun: dryRun, 101 101 + Force: force, 102 102 + AppName: appName, 103 103 + Verbose: verbose, 104 104 + }) 36 105 if err != nil { 37 37 - log.Fatalf("failed to load config: %v", err) 106 106 + log.Fatalf("failed to build runtime context: %v", err) 38 107 } 39 39 - return process.ProcessApps(cfg) 40 40 - }, 41 41 - }, 42 42 - { 43 43 - Name: "validate", 44 44 - Aliases: []string{"v"}, 45 45 - Usage: "Validate configuration and secret integrity", 46 46 - Action: func(ctx context.Context, cmd *cli.Command) error { 108 108 + if appName != "" { 109 109 + return processor.SyncApp(rtx) 110 110 + } 111 111 + return processor.SyncApps(rtx) 112 112 + }, 113 113 + }, 114 114 + { 115 115 + Name: "encrypt", 116 116 + Aliases: []string{"enc"}, 117 117 + Usage: "Encrypt a file", 118 118 + Flags: []cli.Flag{ 119 119 + &cli.StringFlag{ 120 120 + Name: "input", 121 121 + Usage: "path to input file", 122 122 + Destination: &inputPath, 123 123 + }, 124 124 + &cli.StringFlag{ 125 125 + Name: "output", 126 126 + Usage: "path to output file", 127 127 + Destination: &outputPath, 128 128 + }, 129 129 + }, 130 130 + Action: func(ctx context.Context, cmd *cli.Command) error { 131 131 + fmt.Println("encrypting file", inputPath) 132 132 + fmt.Println("writing to", outputPath) 133 133 + return nil 134 134 + }, 135 135 + }, 136 136 + { 137 137 + Name: "validate", 138 138 + Aliases: []string{"v"}, 139 139 + Usage: "Validate configuration and secret integrity", 140 140 + Action: func(ctx context.Context, cmd *cli.Command) error { 47 141 cfg, err := config.Load(configPath) 48 142 if err != nil { 49 143 log.Fatalf("failed to load config: %v", err) 50 144 } 51 51 - return process.Validate(cfg) 52 52 - }, 53 53 - }, 54 54 - }, 55 55 - } 145 145 + return processor.Validate(cfg) 146 146 + }, 147 147 + }, 148 148 + }, 149 149 + } 56 150 57 57 - if err := cmd.Run(context.Background(), os.Args); err != nil { 58 58 - log.Fatal(err) 59 59 - } 151 151 + if err := cmd.Run(context.Background(), os.Args); err != nil { 152 152 + log.Fatal(err) 153 153 + } 60 154 }

+57

internal/cache/repocache.go

reviewed

··· 1 1 + package cache 2 2 + 3 3 + import ( 4 4 + "sync" 5 5 + 6 6 + "github.com/aottr/nox/internal/gitrepo" 7 7 + "github.com/go-git/go-git/v5/plumbing/object" 8 8 + ) 9 9 + 10 10 + type RepoKey struct { 11 11 + Repo string 12 12 + Branch string 13 13 + } 14 14 + 15 15 + type RepoCache struct { 16 16 + mu sync.RWMutex 17 17 + repos map[RepoKey]*object.Tree 18 18 + } 19 19 + 20 20 + var ( 21 21 + GlobalCache = &RepoCache{ 22 22 + repos: make(map[RepoKey]*object.Tree), 23 23 + } 24 24 + ) 25 25 + 26 26 + func (c *RepoCache) Get(key RepoKey) (*object.Tree, bool) { 27 27 + c.mu.RLock() 28 28 + defer c.mu.RUnlock() 29 29 + tree, exists := c.repos[key] 30 30 + return tree, exists 31 31 + } 32 32 + 33 33 + func (c *RepoCache) Set(key RepoKey, tree *object.Tree) { 34 34 + c.mu.Lock() 35 35 + defer c.mu.Unlock() 36 36 + c.repos[key] = tree 37 37 + } 38 38 + 39 39 + func (c *RepoCache) FetchRepo(key RepoKey, token *string) (*object.Tree, error) { 40 40 + r, err := gitrepo.CloneRepoInMemory(gitrepo.GitFetchOptions{ 41 41 + RepoURL: key.Repo, 42 42 + Branch: key.Branch, 43 43 + Token: token, 44 44 + }) 45 45 + if err != nil { 46 46 + return nil, err 47 47 + } 48 48 + 49 49 + c.Set(key, r.Tree) 50 50 + return r.Tree, nil 51 51 + } 52 52 + 53 53 + func ClearRepoCache() { 54 54 + GlobalCache.mu.Lock() 55 55 + defer GlobalCache.mu.Unlock() 56 56 + GlobalCache.repos = make(map[RepoKey]*object.Tree) 57 57 + }

+85

internal/config/context.go

reviewed

··· 1 1 + package config 2 2 + 3 3 + import ( 4 4 + "fmt" 5 5 + "io" 6 6 + "log" 7 7 + "os" 8 8 + 9 9 + "filippo.io/age" 10 10 + "github.com/aottr/nox/internal/crypto" 11 11 + "github.com/aottr/nox/internal/state" 12 12 + ) 13 13 + 14 14 + type RuntimeOptions struct { 15 15 + ConfigPath string 16 16 + StatePath string 17 17 + IdentityPath string 18 18 + DryRun bool 19 19 + Force bool 20 20 + Verbose bool 21 21 + AppName string 22 22 + } 23 23 + 24 24 + type RuntimeContext struct { 25 25 + Config *Config 26 26 + State *state.State 27 27 + Identities []age.Identity 28 28 + App *string 29 29 + Logger *log.Logger 30 30 + DryRun bool 31 31 + Force bool 32 32 + Verbose bool 33 33 + } 34 34 + 35 35 + func BuildRuntimeContext(opts RuntimeOptions) (*RuntimeContext, error) { 36 36 + 37 37 + cfg, err := Load(opts.ConfigPath) 38 38 + if err != nil { 39 39 + return nil, err 40 40 + } 41 41 + 42 42 + if opts.StatePath != "" { 43 43 + state.SetPath(opts.StatePath) 44 44 + } 45 45 + st, err := state.Load() 46 46 + if err != nil { 47 47 + return nil, err 48 48 + } 49 49 + 50 50 + identityPath := opts.IdentityPath 51 51 + if identityPath == "" { 52 52 + identityPath = cfg.AgeKeyPath 53 53 + } 54 54 + ids, err := crypto.LoadAgeIdentities(identityPath) 55 55 + if err != nil { 56 56 + return nil, err 57 57 + } 58 58 + 59 59 + var app *string 60 60 + if opts.AppName != "" { 61 61 + if _, exists := cfg.Apps[opts.AppName]; exists { 62 62 + app = &opts.AppName 63 63 + } else { 64 64 + return nil, fmt.Errorf("app '%s' not found in configuration", opts.AppName) 65 65 + } 66 66 + } 67 67 + 68 68 + var logger *log.Logger 69 69 + if opts.Verbose { 70 70 + logger = log.New(os.Stdout, "", log.LstdFlags) 71 71 + } else { 72 72 + logger = log.New(io.Discard, "", 0) 73 73 + } 74 74 + 75 75 + return &RuntimeContext{ 76 76 + Config: cfg, 77 77 + State: st, 78 78 + Identities: ids, 79 79 + App: app, 80 80 + Logger: logger, 81 81 + DryRun: opts.DryRun, 82 82 + Force: opts.Force, 83 83 + Verbose: opts.Verbose, 84 84 + }, nil 85 85 + }

+2 -35

internal/crypto/decrypt.go

reviewed

··· 9 9 "filippo.io/age" 10 10 ) 11 11 12 12 - func DecryptAgeFile(inputPath, outputPath, identityPath string) error { 13 13 - identityFile, err := os.ReadFile(identityPath) 14 14 - if err != nil { 15 15 - return fmt.Errorf("failed to read identity: %w", err) 16 16 - } 17 17 - 18 18 - identities, err := age.ParseIdentities(bytes.NewReader(identityFile)) 19 19 - if err != nil { 20 20 - return fmt.Errorf("failed to parse identities: %w", err) 21 21 - } 22 22 - 23 23 - in, err := os.Open(inputPath) 24 24 - if err != nil { 25 25 - return fmt.Errorf("failed to open encrypted file: %w", err) 26 26 - } 27 27 - defer in.Close() 28 28 - 29 29 - r, err := age.Decrypt(in, identities...) 30 30 - if err != nil { 31 31 - return fmt.Errorf("failed to decrypt: %w", err) 32 32 - } 33 33 - 34 34 - out, err := os.Create(outputPath) 35 35 - if err != nil { 36 36 - return fmt.Errorf("failed to create output: %w", err) 37 37 - } 38 38 - defer out.Close() 39 39 - 40 40 - if _, err := io.Copy(out, r); err != nil { 41 41 - return fmt.Errorf("failed to write: %w", err) 42 42 - } 43 43 - 44 44 - return nil 45 45 - } 46 46 - 12 12 + // DecryptFile decrypts the given file using the given identities 47 13 func DecryptFile(inputPath string, identities []age.Identity) ([]byte, error) { 48 14 data, err := os.ReadFile(inputPath) 49 15 if err != nil { ··· 52 18 return DecryptBytes(data, identities) 53 19 } 54 20 21 21 + // DecryptBytes decrypts the given bytes using the given identities 55 22 func DecryptBytes(encrypted []byte, identities []age.Identity) ([]byte, error) { 56 23 57 24 dec, err := age.Decrypt(bytes.NewReader(encrypted), identities...)

-113

internal/process/gitsync.go

reviewed

··· 1 1 - package process 2 2 - 3 3 - import ( 4 4 - "fmt" 5 5 - "log" 6 6 - "os" 7 7 - 8 8 - "github.com/aottr/nox/internal/config" 9 9 - "github.com/aottr/nox/internal/crypto" 10 10 - "github.com/aottr/nox/internal/gitrepo" 11 11 - "github.com/aottr/nox/internal/state" 12 12 - "github.com/go-git/go-git/v5/plumbing/object" 13 13 - ) 14 14 - 15 15 - // ProcessApps clones and decrypts configured app secrets efficiently. 16 16 - func ProcessApps(cfg *config.Config) error { 17 17 - type repoKey struct { 18 18 - Repo string 19 19 - Branch string 20 20 - } 21 21 - 22 22 - clones := map[repoKey]*object.Tree{} 23 23 - 24 24 - identities, err := crypto.LoadAgeIdentities(cfg.AgeKeyPath) 25 25 - if err != nil { 26 26 - return fmt.Errorf("Failed to load age identities: %w", err) 27 27 - } 28 28 - 29 29 - st, err := state.Load() 30 30 - if err != nil { 31 31 - return fmt.Errorf("Failed to load state: %w", err) 32 32 - } 33 33 - 34 34 - for appName, app := range cfg.Apps { 35 35 - 36 36 - fmt.Printf("Processing app %s\n", appName) 37 37 - 38 38 - repoUrl := app.Repo 39 39 - if repoUrl == "" { 40 40 - repoUrl = cfg.DefaultRepo 41 41 - } 42 42 - key := repoKey{Repo: repoUrl, Branch: app.Branch} 43 43 - 44 44 - clone, ok := clones[key] 45 45 - if !ok { 46 46 - repo, err := gitrepo.CloneRepoInMemory(gitrepo.GitFetchOptions{ 47 47 - RepoURL: repoUrl, 48 48 - Branch: app.Branch, 49 49 - }) 50 50 - if err != nil { 51 51 - log.Printf("Clone failed for %s/%s: %v", repoUrl, app.Branch, err) 52 52 - continue 53 53 - } 54 54 - clone = repo.Tree 55 55 - clones[key] = clone 56 56 - } 57 57 - 58 58 - for _, file := range app.Files { 59 59 - content, err := gitrepo.GetFileContentFromTree(clone, file.Path) 60 60 - if err != nil { 61 61 - log.Printf("Failed to get file %s: %v", file, err) 62 62 - continue 63 63 - } 64 64 - 65 65 - hash := state.HashContent(content) 66 66 - cacheKey := state.GenerateKey(appName, file.Path) 67 67 - 68 68 - if prevHash, ok := st.Data[cacheKey]; ok && prevHash == hash { 69 69 - log.Printf("File %s is up to date", file.Path) 70 70 - continue 71 71 - } 72 72 - 73 73 - plaintext, err := crypto.DecryptBytes(content, identities) 74 74 - if err != nil { 75 75 - log.Printf("Failed to decrypt file %s: %v", file.Path, err) 76 76 - continue 77 77 - } 78 78 - 79 79 - outPath := file.Output 80 80 - // if outPath == "" { 81 81 - // // Default output filename if none specified, e.g. replace .age with .env 82 82 - // outPath = filepath.Base(fileCfg.Path) 83 83 - // if filepath.Ext(outPath) == ".age" { 84 84 - // outPath = outPath[:len(outPath)-4] + ".env" 85 85 - // } 86 86 - // } 87 87 - 88 88 - // if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil { 89 89 - // log.Printf("Failed to create directories for %s: %v", outPath, err) 90 90 - // continue 91 91 - // } 92 92 - 93 93 - if err := os.WriteFile(outPath, plaintext, 0600); err != nil { 94 94 - log.Printf("Failed to write decrypted file to %s: %v", outPath, err) 95 95 - continue 96 96 - } 97 97 - 98 98 - log.Printf("decrypted %s for app %s (size: %d bytes)", file, appName, len(plaintext)) 99 99 - 100 100 - st.Data[cacheKey] = hash 101 101 - st.Touch() 102 102 - 103 103 - log.Printf("Decrypted file %s", file) 104 104 - } 105 105 - 106 106 - } 107 107 - 108 108 - if err := state.Save(st); err != nil { 109 109 - return fmt.Errorf("Failed to save state: %w", err) 110 110 - } 111 111 - 112 112 - return nil 113 113 - }

+1 -1

internal/process/validate.go internal/processor/validate.go

reviewed

··· 1 1 - package process 1 1 + package processor 2 2 3 3 import ( 4 4 "fmt"

+35

internal/processor/file.go

reviewed

··· 1 1 + package processor 2 2 + 3 3 + import ( 4 4 + "fmt" 5 5 + "os" 6 6 + "path/filepath" 7 7 + 8 8 + "github.com/aottr/nox/internal/config" 9 9 + ) 10 10 + 11 11 + type FileProcessorOptions struct { 12 12 + CreateDir bool 13 13 + } 14 14 + 15 15 + func WriteToFile(data []byte, file config.FileConfig, opts *FileProcessorOptions) error { 16 16 + path := file.Output 17 17 + if path == "" { 18 18 + // Default output filename if none specified, e.g. replace .age with .env 19 19 + path = filepath.Base(file.Path) 20 20 + fmt.Println(path) 21 21 + if filepath.Ext(path) == ".age" { 22 22 + path = path[:len(path)-4] + ".env" 23 23 + } 24 24 + } 25 25 + if opts.CreateDir { 26 26 + if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { 27 27 + return fmt.Errorf("failed to create directories for %s: %w", path, err) 28 28 + } 29 29 + } 30 30 + 31 31 + if err := os.WriteFile(path, data, 0600); err != nil { 32 32 + return fmt.Errorf("failed to write decrypted file to %s: %w", path, err) 33 33 + } 34 34 + return nil 35 35 + }

+92

internal/processor/gitsync.go

reviewed

··· 1 1 + package processor 2 2 + 3 3 + import ( 4 4 + "fmt" 5 5 + 6 6 + "github.com/aottr/nox/internal/cache" 7 7 + "github.com/aottr/nox/internal/config" 8 8 + "github.com/aottr/nox/internal/crypto" 9 9 + "github.com/aottr/nox/internal/gitrepo" 10 10 + "github.com/aottr/nox/internal/state" 11 11 + ) 12 12 + 13 13 + func SyncApp(ctx *config.RuntimeContext) error { 14 14 + 15 15 + cfg, appName, identities, st := ctx.Config, ctx.App, ctx.Identities, ctx.State 16 16 + 17 17 + if appName == nil { 18 18 + return fmt.Errorf("app name is required") 19 19 + } 20 20 + 21 21 + // retrieve app config and repository 22 22 + app := cfg.Apps[*appName] 23 23 + repoUrl := app.Repo 24 24 + if repoUrl == "" { 25 25 + repoUrl = cfg.DefaultRepo 26 26 + } 27 27 + key := cache.RepoKey{Repo: repoUrl, Branch: app.Branch} 28 28 + repo, exists := cache.GlobalCache.Get(key) 29 29 + if !exists { 30 30 + var err error 31 31 + repo, err = cache.GlobalCache.FetchRepo(key, nil) 32 32 + if err != nil { 33 33 + return fmt.Errorf("failed to fetch repo for app %s: %w", *appName, err) 34 34 + } 35 35 + } 36 36 + 37 37 + // iterate over files and decrypt 38 38 + for _, file := range app.Files { 39 39 + content, err := gitrepo.GetFileContentFromTree(repo, file.Path) 40 40 + if err != nil { 41 41 + return fmt.Errorf("failed to get file %s: %w", file, err) 42 42 + } 43 43 + 44 44 + hash := state.HashContent(content) 45 45 + cacheKey := state.GenerateKey(*appName, file.Path) 46 46 + 47 47 + // skip if file is up to date and force is not set 48 48 + if !ctx.Force { 49 49 + if prevHash, ok := st.Data[cacheKey]; ok && prevHash == hash { 50 50 + ctx.Logger.Printf("file %s is up to date", file.Path) 51 51 + continue 52 52 + } 53 53 + } 54 54 + 55 55 + // decrypt file 56 56 + plaintext, err := crypto.DecryptBytes(content, identities) 57 57 + if err != nil { 58 58 + ctx.Logger.Printf("failed to decrypt file %s: %v", file.Path, err) 59 59 + continue 60 60 + } 61 61 + 62 62 + // skip writing file if dry run is set 63 63 + if ctx.DryRun { 64 64 + ctx.Logger.Printf("❌ dry run, not writing file %s", file.Output) 65 65 + fmt.Println(string(plaintext)) 66 66 + continue 67 67 + } 68 68 + WriteToFile(plaintext, file, &FileProcessorOptions{CreateDir: true}) 69 69 + 70 70 + ctx.Logger.Printf("decrypted %s for app %s (size: %d bytes)", file, *appName, len(plaintext)) 71 71 + 72 72 + // update state 73 73 + st.Data[cacheKey] = hash 74 74 + st.Touch() 75 75 + } 76 76 + 77 77 + if err := state.Save(st); err != nil { 78 78 + return fmt.Errorf("failed to save state: %w", err) 79 79 + } 80 80 + return nil 81 81 + } 82 82 + 83 83 + func SyncApps(ctx *config.RuntimeContext) error { 84 84 + for appName := range ctx.Config.Apps { 85 85 + ctx.App = &appName 86 86 + ctx.Logger.Printf("Processing app: %s\n", appName) 87 87 + if err := SyncApp(ctx); err != nil { 88 88 + return err 89 89 + } 90 90 + } 91 91 + return nil 92 92 + }