feat: implement orphan removal for agenix generate

oddlama · Feb 26, 2024 · 8d42875 · 8d42875
1 parent 7828b0f
commit 8d42875
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/apps/generate.nix b/apps/generate.nix
@@ -214,12 +214,44 @@ in
     KNOWN_SECRETS=(
       ${concatStringsSep "\n" (map (x: escapeShellArg x.sourceFile) (attrValues secretsWithContext))}
     )
-    for secret in ''${POSITIONAL_ARGS[@]} ; do
-      for known in ''${KNOWN_SECRETS[@]} ; do
+    for secret in "''${POSITIONAL_ARGS[@]}" ; do
+      for known in "''${KNOWN_SECRETS[@]}" ; do
         [[ "$(realpath -m "$secret")" == "$(realpath -m "$known")" ]] && continue 2
       done
       die "Provided path matches no known secret: $secret"
     done
 
     ${orderedGenerationCommands}
+
+    # Remove orphaned files, first index all known files
+    declare -A KNOWN_SECRETS_SET
+    for known in "''${KNOWN_SECRETS[@]}" ; do
+      # Mark secret as known
+      KNOWN_SECRETS_SET["$known"]=true
+    done
+
+    # Iterate all files in generation directories and delete orphans
+    (
+      REMOVED_ORPHANS=0
+      shopt -s nullglob
+      for f in ${pkgs.lib.concatMapStrings (
+      x:
+        escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + "/* "
+    ) (attrValues nodes)}; do
+        if [[ "''${KNOWN_SECRETS_SET["$f"]-false}" == false ]]; then
+          rm -- "$f" || true
+          REMOVED_ORPHANS=$((REMOVED_ORPHANS + 1))
+        fi
+      done
+      if [[ "''${REMOVED_ORPHANS}" -gt 0 ]]; then
+        echo "[1;36m     Removed[m [0;33m''${REMOVED_ORPHANS} [0;36morphaned files in generation directories[m"
+
+        if [[ "$ADD_TO_GIT" == true ]]; then
+          git add ${pkgs.lib.concatMapStrings (
+      x:
+        escapeShellArg (relativeToFlake x.config.age.rekey.generatedSecretsDir) + " "
+    ) (attrValues nodes)}
+        fi
+      fi
+    )
   ''
diff --git a/apps/rekey.nix b/apps/rekey.nix
@@ -160,7 +160,7 @@
             fi
           done
           if [[ "''${REMOVED_ORPHANS}" -gt 0 ]]; then
-            echo "[1;36m    Removing[m [0;33m''${REMOVED_ORPHANS} [0;36morphaned files for [32m"${escapeShellArg hostName}" [90min ${escapeShellArg hostRekeyDir}[m"
+            echo "[1;36m     Removed[m [0;33m''${REMOVED_ORPHANS} [0;36morphaned files for [32m"${escapeShellArg hostName}" [90min ${escapeShellArg hostRekeyDir}[m"
           fi
         )