fix: move age identity to system config

queil · queil · commit 22a57efc5fef · 2025-08-23T17:45:27.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "rooz"
-version = "0.127.0"
+version = "0.128.0"
 edition = "2021"
 
 [dependencies]
diff --git a/src/api/crypt.rs b/src/api/crypt.rs
@@ -1,4 +1,5 @@
 use crate::api::CryptApi;
+use crate::config::config::SystemConfig;
 use crate::model::types::AnyError;
 use age::x25519::Identity;
 use bollard::models::MountTypeEnum::VOLUME;
@@ -7,7 +8,15 @@ use std::str::FromStr;
 
 pub const VOLUME_NAME: &'static str = "rooz-age-key-vol";
 
-impl<'a> CryptApi<'a> {
+impl SystemConfig {
+    pub fn age_identity(&self) -> Result<Identity, AnyError> {
+        Ok(age::x25519::Identity::from_str(
+            self.age_key.as_deref().unwrap(),
+        )?)
+    }
+}
+
+impl CryptApi {
     pub fn mount(&self, target: &str) -> Mount {
         Mount {
             typ: Some(VOLUME),
@@ -17,21 +26,7 @@ impl<'a> CryptApi<'a> {
         }
     }
 
-    pub async fn read_age_identity(&self) -> Result<Identity, AnyError> {
-        let work_dir = "/tmp/.age";
 
-        let result = self
-            .api
-            .container
-            .one_shot_output(
-                "read-age-key",
-                "cat /tmp/.age/age.key".into(),
-                Some(vec![self.mount(work_dir)]),
-                None,
-            )
-            .await?;
-        Ok(age::x25519::Identity::from_str(&result.data)?)
-    }
 
     pub fn encrypt(
         &self,
diff --git a/src/api/mod.rs b/src/api/mod.rs
@@ -31,8 +31,7 @@ pub struct VolumeApi<'a> {
     pub container: &'a ContainerApi<'a>,
 }
 
-pub struct CryptApi<'a> {
-    pub api: &'a Api<'a>,
+pub struct CryptApi {
 }
 
 pub struct Api<'a> {
@@ -50,12 +49,12 @@ pub struct GitApi<'a> {
 
 pub struct ConfigApi<'a> {
     pub api: &'a Api<'a>,
-    pub crypt: &'a CryptApi<'a>,
+    pub crypt: &'a CryptApi,
 }
 
 pub struct WorkspaceApi<'a> {
     pub api: &'a Api<'a>,
     pub git: &'a GitApi<'a>,
     pub config: &'a ConfigApi<'a>,
-    pub crypt: &'a CryptApi<'a>,
+    pub crypt: &'a CryptApi,
 }
diff --git a/src/cmd/config/edit.rs b/src/cmd/config/edit.rs
@@ -11,7 +11,7 @@ impl<'a> ConfigApi<'a> {
         let format = FileFormat::from_path(config_path);
         let body = fs::read_to_string(&config_path)?;
         let mut config = RoozCfg::deserialize_config(&body, format)?.unwrap();
-        let identity = self.crypt.read_age_identity().await?;
+        let identity = self.api.system_config.age_identity()?;
         self.decrypt(&mut config, &identity).await?;
         let decrypted_string = config.to_string(format)?;
         let (encrypted_config, edited_string) = self
diff --git a/src/cmd/init.rs b/src/cmd/init.rs
@@ -1,8 +1,9 @@
 use std::str::FromStr;
 
 use crate::{
-    api::{self, container, Api},
+    api::{container, Api},
     cli::InitParams,
+    config::config::SystemConfig,
     constants,
     model::{
         types::{AnyError, RunMode, RunSpec, VolumeResult},
@@ -58,9 +59,26 @@ impl<'a> Api<'a> {
     pub async fn init(&self, image: &str, uid: &str, spec: &InitParams) -> Result<(), AnyError> {
         let image_id = self.image.ensure(&image, false).await?.id;
 
+        let age_key = match spec.age_identity.clone() {
+            None => age::x25519::Identity::generate(),
+            Some(identity) => age::x25519::Identity::from_str(&identity)?,
+        };
         self.volume
             .ensure_mounts(
-                &vec![RoozVolume::system_config("/tmp/sys", None)],
+                &vec![RoozVolume::system_config_init(
+                    "/tmp/sys",
+                    SystemConfig {
+                        age_key: Some(age_key.to_string().expose_secret().to_string()),
+                        gitconfig: Some(
+                            r#"
+[core]
+  sshCommand = ssh -i /tmp/.ssh/id_ed25519 -o UserKnownHostsFile=/tmp/.ssh/known_hosts
+"#
+                            .trim()
+                            .to_string(),
+                        ),
+                    },
+                )?],
                 None,
                 Some(constants::ROOT_UID),
             )
@@ -101,57 +119,6 @@ impl<'a> Api<'a> {
                 println!("Rooz has been already initialized. Use --force to reinitialize.")
             }
         }
-
-        match self
-            .volume
-            .ensure_volume(
-                api::crypt::VOLUME_NAME.into(),
-                &RoozVolumeRole::AgeKey,
-                Some("age-key".into()),
-                spec.force,
-            )
-            .await?
-        {
-            VolumeResult::Created { .. } => {
-                let (key, pubkey) = match spec.age_identity.clone() {
-                    None => {
-                        let key = age::x25519::Identity::generate();
-                        let pubkey = key.to_public();
-                        (key, pubkey)
-                    }
-                    Some(identity) => {
-                        let key = age::x25519::Identity::from_str(&identity)?;
-                        let pubkey = key.to_public();
-                        (key, pubkey)
-                    }
-                };
-
-                let entrypoint = &format!(
-                    r#"mkdir -p /tmp/.age && \
-                        echo -n '{}' > /tmp/.age/age.key && \
-                        echo -n '{}' > /tmp/.age/age.pub && \
-                        chmod 400 /tmp/.age/age.key && \
-                        chown -R {} /tmp/.age
-                        "#,
-                    &key.to_string().expose_secret(),
-                    pubkey,
-                    &uid
-                );
-
-                self.execute_init(
-                    "rooz-init-age",
-                    entrypoint,
-                    api::crypt::VOLUME_NAME,
-                    "/tmp/.age",
-                    &image_id,
-                )
-                .await?;
-                println!("{}", pubkey);
-            }
-            VolumeResult::AlreadyExists => {
-                println!("Rooz has been already initialized. Use --force to reinitialize.")
-            }
-        }
         Ok(())
     }
 }
diff --git a/src/cmd/new.rs b/src/cmd/new.rs
@@ -1,7 +1,5 @@
 use std::fs;
 
-use age::x25519::Identity;
-
 use crate::{
     api::WorkspaceApi,
     cli::WorkParams,
@@ -30,13 +28,12 @@ impl<'a> WorkspaceApi<'a> {
         workspace_key: &str,
         force: bool,
         work_dir: &str,
-        identity: &Identity,
     ) -> Result<EnterSpec, AnyError> {
         if let Some(c) = &cli_config {
             cfg_builder.from_config(c);
         }
         cfg_builder.from_cli(cli_params, None);
-        self.config.decrypt(cfg_builder, identity).await?;
+        self.config.decrypt(cfg_builder, &self.api.system_config.age_identity()?).await?;
         cfg_builder.expand_vars()?;
 
         let cfg = RuntimeConfig::from(&*cfg_builder);
@@ -186,7 +183,6 @@ impl<'a> WorkspaceApi<'a> {
         cli_params: &WorkParams,
         cli_config_path: Option<ConfigSource>,
         ephemeral: bool,
-        identity: &Identity,
     ) -> Result<EnterSpec, AnyError> {
         let orig_uid = cli_params
             .uid
@@ -243,7 +239,6 @@ impl<'a> WorkspaceApi<'a> {
                     &workspace_key,
                     false,
                     work_dir,
-                    identity,
                 )
                 .await
             }
@@ -292,7 +287,6 @@ impl<'a> WorkspaceApi<'a> {
                         &workspace_key,
                         false,
                         work_dir,
-                        identity,
                     )
                     .await
                 }
@@ -305,13 +299,12 @@ impl<'a> WorkspaceApi<'a> {
     }
 
     pub async fn tmp(&self, spec: &WorkParams, root: bool, shell: &str) -> Result<(), AnyError> {
-        let identity = self.crypt.read_age_identity().await?;
         let EnterSpec {
             workspace,
             git_spec,
             config,
         } = self
-            .new(&id::random_suffix("tmp"), spec, None, true, &identity)
+            .new(&id::random_suffix("tmp"), spec, None, true)
             .await?;
 
         let working_dir = git_spec
diff --git a/src/cmd/update.rs b/src/cmd/update.rs
@@ -39,7 +39,7 @@ impl<'a> WorkspaceApi<'a> {
             UpdateMode::Purge => self.remove(&workspace_key, true).await?,
         };
 
-        let identity = self.crypt.read_age_identity().await?;
+        let identity = self.api.system_config.age_identity()?;
 
         if let Some(labels) = &container.labels {
             let config_source = &labels[labels::CONFIG_ORIGIN];
@@ -99,7 +99,6 @@ impl<'a> WorkspaceApi<'a> {
                     format,
                 }),
                 false,
-                &identity,
             )
             .await?;
         }
diff --git a/src/config/config.rs b/src/config/config.rs
@@ -349,6 +349,9 @@ impl RoozCfg {
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[serde(deny_unknown_fields)]
 pub struct SystemConfig {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub age_key: Option<String>,
+
     #[serde(skip_serializing_if = "Option::is_none")]
     pub gitconfig: Option<String>,
 }
@@ -357,4 +360,8 @@ impl SystemConfig {
     pub fn from_string(config: &str) -> Result<Self, AnyError> {
         Ok(serde_yaml::from_str(&config)?)
     }
+
+    pub fn to_string(config: &Self) -> Result<String, AnyError> {
+        Ok(serde_yaml::to_string(&config)?)
+    }
 }
diff --git a/src/main.rs b/src/main.rs
@@ -93,7 +93,7 @@ async fn main() -> Result<(), AnyError> {
             "ls /tmp/sys/rooz.config > /dev/null 2>&1 && cat /tmp/sys/rooz.config || echo ''"
                 .into(),
             Some(vec![
-                RoozVolume::system_config("/tmp/sys", None).to_mount(None)
+                RoozVolume::system_config_read("/tmp/sys").to_mount(None)
             ]),
             None,
         )
@@ -115,7 +115,7 @@ async fn main() -> Result<(), AnyError> {
         client: &docker,
     };
 
-    let crypt_api = CryptApi { api: &rooz };
+    let crypt_api = CryptApi { };
 
     let git_api = GitApi { api: &rooz };
 
@@ -159,10 +159,8 @@ async fn main() -> Result<(), AnyError> {
                     None => Ok(()),
                 }?;
 
-            let identity = crypt_api.read_age_identity().await?;
-
             workspace
-                .new(&name, &work, config_source, false, &identity)
+                .new(&name, &work, config_source, false,)
                 .await?;
             println!(
                 "\nThe workspace is ready. Run 'rooz enter {}' to enter.",
@@ -385,7 +383,7 @@ async fn main() -> Result<(), AnyError> {
                 .await?;
             volume_api
                 .ensure_mounts(
-                    &vec![RoozVolume::system_config("/tmp/sys", Some(config_string))],
+                    &vec![RoozVolume::system_config("/tmp/sys", config_string)],
                     None,
                     Some(constants::ROOT_UID),
                 )
diff --git a/src/model/volume.rs b/src/model/volume.rs

Original file line number	Diff line number	Diff line change
`@@ -31,8 +31,7 @@ pub struct VolumeApi<'a> {`
`31`	`31`	`pub container: &'a ContainerApi<'a>,`
`32`	`32`	`}`
`33`	`33`
`34`		`-pub struct CryptApi<'a> {`
`35`		`- pub api: &'a Api<'a>,`
	`34`	`+pub struct CryptApi {`
`36`	`35`	`}`
`37`	`36`
`38`	`37`	`pub struct Api<'a> {`
`@@ -50,12 +49,12 @@ pub struct GitApi<'a> {`
`50`	`49`
`51`	`50`	`pub struct ConfigApi<'a> {`
`52`	`51`	`pub api: &'a Api<'a>,`
`53`		`- pub crypt: &'a CryptApi<'a>,`
	`52`	`+ pub crypt: &'a CryptApi,`
`54`	`53`	`}`
`55`	`54`
`56`	`55`	`pub struct WorkspaceApi<'a> {`
`57`	`56`	`pub api: &'a Api<'a>,`
`58`	`57`	`pub git: &'a GitApi<'a>,`
`59`	`58`	`pub config: &'a ConfigApi<'a>,`
`60`		`- pub crypt: &'a CryptApi<'a>,`
	`59`	`+ pub crypt: &'a CryptApi,`
`61`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ impl<'a> WorkspaceApi<'a> {`
`39`	`39`	`UpdateMode::Purge => self.remove(&workspace_key, true).await?,`
`40`	`40`	`};`
`41`	`41`
`42`		`- let identity = self.crypt.read_age_identity().await?;`
	`42`	`+ let identity = self.api.system_config.age_identity()?;`
`43`	`43`
`44`	`44`	`if let Some(labels) = &container.labels {`
`45`	`45`	`let config_source = &labels[labels::CONFIG_ORIGIN];`
`@@ -99,7 +99,6 @@ impl<'a> WorkspaceApi<'a> {`
`99`	`99`	`format,`
`100`	`100`	`}),`
`101`	`101`	`false,`
`102`		`- &identity,`
`103`	`102`	`)`
`104`	`103`	`.await?;`
`105`	`104`	`}`
Original file line number	Diff line number	Diff line change
`@@ -349,6 +349,9 @@ impl RoozCfg {`
`349`	`349`	`#[derive(Debug, Serialize, Deserialize, Clone)]`
`350`	`350`	`#[serde(deny_unknown_fields)]`
`351`	`351`	`pub struct SystemConfig {`
	`352`	`+ #[serde(skip_serializing_if = "Option::is_none")]`
	`353`	`+ pub age_key: Option<String>,`
	`354`	`+`
`352`	`355`	`#[serde(skip_serializing_if = "Option::is_none")]`
`353`	`356`	`pub gitconfig: Option<String>,`
`354`	`357`	`}`
`@@ -357,4 +360,8 @@ impl SystemConfig {`
`357`	`360`	`pub fn from_string(config: &str) -> Result<Self, AnyError> {`
`358`	`361`	`Ok(serde_yaml::from_str(&config)?)`
`359`	`362`	`}`
	`363`	`+`
	`364`	`+ pub fn to_string(config: &Self) -> Result<String, AnyError> {`
	`365`	`+ Ok(serde_yaml::to_string(&config)?)`
	`366`	`+ }`
`360`	`367`	`}`