From bffb0afb486f289c4ed326e3927012e0e6d85c88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 19 Jul 2020 23:23:38 +0100
Subject: [PATCH 1/2] fix replace existing files

---
 pkgs/sops-install-secrets/main.go        | 16 ++++++++++++----
 pkgs/sops-install-secrets/main_test.go   |  7 ++++++-
 pkgs/sops-install-secrets/nixos-test.nix | 19 ++++++++++++++++++-
 3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index 8612ec9..d5ff75c 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -115,16 +115,24 @@ func readManifest(path string) (*manifest, error) {
 func symlinkSecret(targetFile string, secret *secret) error {
 	for {
-		currentLinkTarget, err := os.Readlink(secret.Path)
+		stat, err := os.Lstat(secret.Path)
 		if os.IsNotExist(err) {
 			if err := os.Symlink(targetFile, secret.Path); err != nil {
 				return fmt.Errorf("Cannot create symlink '%s': %s", secret.Path, err)
 			}
 			return nil
 		} else if err != nil {
-			return fmt.Errorf("Cannot read symlink: '%s'", err)
-		} else if currentLinkTarget == targetFile {
-			return nil
+			return fmt.Errorf("Cannot stat '%s'", err)
+		}
+		if stat.Mode()&os.ModeSymlink == os.ModeSymlink {
+			linkTarget, err := os.Readlink(secret.Path)
+			if os.IsNotExist(err) {
+				continue
+			} else if err != nil {
+				return fmt.Errorf("Cannot read symlink: '%s'", err)
+			} else if linkTarget == targetFile {
+				return nil
+			}
 		}
 		if err := os.Remove(secret.Path); err != nil {
 			return fmt.Errorf("Cannot override %s", secret.Path)
diff --git a/pkgs/sops-install-secrets/main_test.go b/pkgs/sops-install-secrets/main_test.go
index 895b3e4..abb6b22 100644
--- a/pkgs/sops-install-secrets/main_test.go
+++ b/pkgs/sops-install-secrets/main_test.go
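Review bot: The new `Cannot stat` branch formats only the error and drops the path, unlike the neighbouring `Cannot create symlink '%s': %s` message, so a failed activation cannot be attributed to a specific secret; `return fmt.Errorf("Cannot stat '%s': %s", secret.Path, err)` keeps the two consistent. Switching to Lstat plus Readlink rather than Stat is the right call for this check: a pre-existing symlink at secret.Path is inspected and replaced without ever being followed, so whatever it points at is never read or removed. The `continue` when Readlink reports the link vanished retries without bound, which is presumably acceptable given how narrow that race is, but a comment such as `// link disappeared between Lstat and Readlink; re-check the path` would make the intent explicit. symlinkSecret's loop closes outside the hunk.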
@@ -186,13 +186,18 @@ func testSSHKey(t *testing.T) { testdir := newTestDir(t) defer testdir.Remove() + target := path.Join(testdir.path, "existing-target") + file, err := os.Create(target) + ok(t, err) + file.Close() + s := secret{ Name: "test", Key: "test_key", Owner: "nobody", Group: "nogroup", SopsFile: path.Join(assets, "secrets.yaml"), - Path: path.Join(testdir.path, "test-target"), + Path: target, Mode: "0400", RestartServices: []string{"affected-service"}, ReloadServices: make([]string, 0), diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix index 06a78af..73147fe 100644 --- a/pkgs/sops-install-secrets/nixos-test.nix +++ b/pkgs/sops-install-secrets/nixos-test.nix @@ -34,10 +34,16 @@ sops.gnupgHome = "/run/gpghome"; sops.defaultSopsFile = ./test-assets/secrets.yaml; sops.secrets.test_key.owner = config.users.users.someuser.name; + sops.secrets.existing-file = { + key = "test_key"; + path = "/run/existing-file"; + }; # must run before sops system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] '' cp -r ${./test-assets/gnupghome} /run/gpghome chmod -R 700 /run/gpghome + + touch /run/existing-file ''; # Useful for debugging #environment.systemPackages = [ pkgs.gnupg pkgs.sops ]; @@ -48,11 +54,22 @@ #}; }; testScript = '' + def assertEqual(exp: str, act: str) -> None: + if exp != act: + raise Exception(f"'{exp}' != '{act}'") + + start_all() - server.succeed("cat /run/secrets/test_key | grep -q test_value") + + value = server.succeed("cat /run/secrets/test_key") + assertEqual("test_value", value) + server.succeed("runuser -u someuser -G keys -- cat /run/secrets/test_key >&2") # should have no permission to read the file server.fail("runuser -u someuser -- cat /run/secrets/test_key >&2") + + target = server.succeed("readlink -f /run/existing-file") + assertEqual("/run/secrets.d/1/existing-file", target.strip()) ''; } { inherit pkgs; From 16c3c3e39c9e7dec36e52a4f3669266a7ead4d73 Mon Sep 17 00:00:00 2001 
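Review bot: The setup lines create a pre-existing regular file at `target`, but the visible part of the test never asserts that the file ended up replaced by a symlink into the secrets directory, which is exactly the behaviour the fix introduces; the rest of testSSHKey is outside the hunk, so if it does not already do so, add `link, err := os.Readlink(target)` followed by `ok(t, err)` and compare `link` with the expected secret path. `file.Close()` on the created file discards its error; `ok(t, file.Close())` matches the helper already used on the line above.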
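Review bot: In the second hunk, `assertEqual("test_value", value)` compares the raw output of `cat /run/secrets/test_key` without `.strip()`, while the later `readlink -f` check does strip; if the decrypted value carries a trailing newline this assertion fails for a reason unrelated to what it tests, so either strip both or note why the first must match exactly. The expected target `/run/secrets.d/1/existing-file` also pins the secrets generation to 1, which holds only because the VM activates once; a comment saying so would spare the next person a confusing failure after a second activation is added. The check itself is worthwhile: it verifies that a root-owned regular file at the configured path is replaced by the link rather than written through.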
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 19 Jul 2020 23:24:44 +0100 Subject: [PATCH 2/2] README.md: add more placeholder --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 579a637..f4a98f1 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,12 @@ key management APIs such as AWS KMS, GCP KMS, Azure Key Vault or Hashicorp's vau ### 1. Install nix-sops -TODO +- Install via niv +- Install via nix-channel +- Install via fetchTarball +- Install via krops + +Than add ### 2. Generate a GPG key for yourself @@ -261,7 +266,7 @@ $ ls -la /run/secrets lrwxrwxrwx 16 root 12 Jul 6:23  /run/secrets -> /run/secrets.d/1 ``` -## Permissions & Owner +## Permissions & Owner & services TODO