From 020dcff707252fa93884036eebf7b02e53d54a43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 10 Jan 2024 17:42:13 +0100
Subject: [PATCH] allow ssh key import to fail

We import ssh keys by default if openssh is enabled. However if users are using age keys while using sops to deploy ssh keys we have a catch-22. While users could use lib.mkForce to empty the list, this is not intuitive
---
 pkgs/sops-install-secrets/main.go | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 34756de..0faff0e 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -613,15 +613,19 @@ func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) erro
 for _, p := range keyPaths {
 sshKey, err := os.ReadFile(p)
 if err != nil {
- return fmt.Errorf("Cannot read ssh key '%s': %w", p, err)
+ fmt.Fprintf(os.Stderr, "Cannot read ssh key '%s': %s\n", p, err)
+ continue
 }
 gpgKey, err := sshkeys.SSHPrivateKeyToPGP(sshKey)
+ fmt.Fprintf(os.Stderr, "Cannot write secring: %s\n", err)
 if err != nil {
- return err
+ fmt.Fprintf(os.Stderr, "%s\n", err)
+ continue
 }
 if err := gpgKey.SerializePrivate(secring, nil); err != nil {
- return fmt.Errorf("Cannot write secring: %w", err)
+ fmt.Fprintf(os.Stderr, "Cannot write secring: %s\n", err)
+ continue
 }
 if logcfg.KeyImport {
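Review bot: The `fmt.Fprintf(os.Stderr, "Cannot write secring: %s\n", err)` added directly after the `sshkeys.SSHPrivateKeyToPGP(sshKey)` call sits before the `if err != nil` check, so it runs for every key and reports a secring write failure even when the conversion succeeded (printing a nil error in that case). It looks like a stray paste and should be deleted. The conversion failure branch just below prints only the error; naming the key, as the age variant does, keeps the log usable when several paths are configured: `fmt.Fprintf(os.Stderr, "Cannot convert ssh key '%s': %s\n", p, err)`. importSSHKeys starts before this hunk and continues past it.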
@@ -637,21 +641,25 @@ func importAgeSSHKeys(logcfg loggingConfig, keyPaths []string, ageFile os.File)
 // Read the key
 sshKey, err := os.ReadFile(p)
 if err != nil {
- return fmt.Errorf("Cannot read ssh key '%s': %w", p, err)
+ fmt.Fprintf(os.Stderr, "Cannot read ssh key '%s': %s\n", p, err)
+ continue
 }
 // Convert the key to age
 privKey, pubKey, err := agessh.SSHPrivateKeyToAge(sshKey)
 if err != nil {
- return fmt.Errorf("Cannot convert ssh key '%s': %w", p, err)
+ fmt.Fprintf(os.Stderr, "Cannot convert ssh key '%s': %s\n", p, err)
+ continue
 }
 // Append it to the file
 _, err = ageFile.WriteString(*privKey + "\n")
 if err != nil {
- return fmt.Errorf("Cannot write key to age file: %w", err)
+ fmt.Fprintf(os.Stderr, "Cannot write key to age file: %s\n", err)
+ continue
 }
 if logcfg.KeyImport {
- fmt.Printf("%s: Imported %s as age key with fingerprint %s\n", path.Base(os.Args[0]), p, *pubKey)
+ fmt.Fprintf(os.Stderr, "%s: Imported %s as age key with fingerprint %s\n", path.Base(os.Args[0]), p, *pubKey)
+ continue
 }
 }
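Review bot: The `ageFile.WriteString` failure branch is now skipped the same way as an unreadable key, but a write error concerns the age key file itself rather than the ssh key being imported, and a short write may leave a truncated entry that later keys are appended after. I would keep that branch fatal, `return fmt.Errorf("Cannot write key to age file: %w", err)`, and tolerate only the read and convert failures; the `SerializePrivate` branch in the importSSHKeys hunk has the same problem. The `continue` added inside `if logcfg.KeyImport` is the last statement of the loop body and can be dropped. The rest of importAgeSSHKeys, including its return, is outside this hunk.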