Implement `rpc_secret_file`

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -3,3 +3,4 @@
 /pki
 **/*.rs.bk
 *.swp
+/.direnv

doc/book/development/devenv.md

@@ -39,7 +39,7 @@ Now you can enter our nix-shell, all the required packages will be downloaded bu
 nix-shell
 ```
 
-You can use the traditionnal Rust development workflow:
+You can use the traditional Rust development workflow:
 
 ```bash
 cargo build  # compile the project

doc/book/reference-manual/configuration.md

@@ -96,7 +96,7 @@ Performance characteristics of the different DB engines are as follows:
 
 - Sled: the default database engine, which tends to produce
   large data files and also has performance issues, especially when the metadata folder
-  is on a traditionnal HDD and not on SSD.
+  is on a traditional HDD and not on SSD.
 - LMDB: the recommended alternative on 64-bit systems,
   much more space-efficiant and slightly faster. Note that the data format of LMDB is not portable
   between architectures, so for instance the Garage database of an x86-64
@@ -267,6 +267,10 @@ This key should be specified here in the form of a 32-byte hex-encoded
 random string. Such a string can be generated with a command
 such as `openssl rand -hex 32`.
 
+### `rpc_secret_file`
+
+Like `rpc_secret` above, just that this is the path to a file that Garage will try to read the secret from.
+
 ### `rpc_bind_addr`
 
 The address and port on which to bind for inter-cluster communcations

flake.lock

@@ -55,6 +55,21 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1665657542,
@@ -74,6 +89,7 @@
     "root": {
       "inputs": {
         "cargo2nix": "cargo2nix",
+        "flake-utils": "flake-utils_2",
         "nixpkgs": "nixpkgs"
       }
     },

flake.nix

@@ -7,22 +7,30 @@
     url = "github:Alexis211/cargo2nix/a7a61179b66054904ef6a195d8da736eaaa06c36";
     inputs.nixpkgs.follows = "nixpkgs";
   };
+  inputs.flake-utils.url = "github:numtide/flake-utils";
 
-  outputs = { self, nixpkgs, cargo2nix }: let
+  outputs = { self, nixpkgs, cargo2nix, flake-utils }:
-    git_version = self.lastModifiedDate;
+    let
-    compile = import ./nix/compile.nix;
+      git_version = self.lastModifiedDate;
-    forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+      compile = import ./nix/compile.nix;
-  in
+    in flake-utils.lib.eachDefaultSystem (system:
-  {
+      let pkgs = nixpkgs.legacyPackages.${system};
-    packages = forAllSystems (system: {
+      in {
-      default = (compile {
+        packages = {
-        inherit system git_version;
+          default = (compile {
-        pkgsSrc = nixpkgs;
+            inherit system git_version;
-        cargo2nixOverlay = cargo2nix.overlays.default;
+            pkgsSrc = nixpkgs;
-        release = true;
+            cargo2nixOverlay = cargo2nix.overlays.default;
-      }).workspace.garage {
+            release = true;
-        compileMode = "build";
+          }).workspace.garage { compileMode = "build"; };
-      };
+        };
-    });
+        devShell = ((compile {
-  };
+          inherit system git_version;
+          pkgsSrc = nixpkgs;
+          cargo2nixOverlay = cargo2nix.overlays.default;
+          release = false;
+        }).workspaceShell {
+          packages = [ pkgs.rustfmt ];
+        });
+      });
 }

src/garage/main.rs

@@ -173,7 +173,7 @@ async fn cli_command(opt: Opt) -> Result<(), Error> {
 	let net_key_hex_str = opt
 		.rpc_secret
 		.as_ref()
-		.or_else(|| config.as_ref().map(|c| &c.rpc_secret))
+		.or_else(|| config.as_ref().and_then(|c| c.rpc_secret.as_ref()))
 		.ok_or("No RPC secret provided")?;
 	let network_key = NetworkKey::from_slice(
 		&hex::decode(net_key_hex_str).err_context("Invalid RPC secret key (bad hex)")?[..],

src/model/garage.rs

@@ -159,7 +159,7 @@ impl Garage {
 		};
 
 		let network_key = NetworkKey::from_slice(
-			&hex::decode(&config.rpc_secret).expect("Invalid RPC secret key")[..],
+			&hex::decode(&config.rpc_secret.as_ref().unwrap()).expect("Invalid RPC secret key")[..],
 		)
 		.expect("Invalid RPC secret key");
 

src/util/config.rs

@@ -34,7 +34,10 @@ pub struct Config {
 	pub compression_level: Option<i32>,
 
 	/// RPC secret key: 32 bytes hex encoded
-	pub rpc_secret: String,
+	pub rpc_secret: Option<String>,
+
+	/// Optional file where RPC secret key is read from
+	pub rpc_secret_file: Option<String>,
 
 	/// Address to bind for RPC
 	pub rpc_bind_addr: SocketAddr,
@@ -177,7 +180,26 @@ pub fn read_config(config_file: PathBuf) -> Result<Config, Error> {
 	let mut config = String::new();
 	file.read_to_string(&mut config)?;
 
-	Ok(toml::from_str(&config)?)
+	let mut parsed_config: Config = toml::from_str(&config)?;
+
+	match (&parsed_config.rpc_secret, &parsed_config.rpc_secret_file) {
+		(Some(_), _) => {}
+		(None, Some(rpc_secret_file_path_string)) => {
+			let mut rpc_secret_file = std::fs::OpenOptions::new()
+				.read(true)
+				.open(rpc_secret_file_path_string)?;
+			let mut rpc_secret_from_file = String::new();
+			rpc_secret_file.read_to_string(&mut rpc_secret_from_file)?;
+			// trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
+			//           also editors sometimes add a trailing newline
+			parsed_config.rpc_secret = Some(String::from(rpc_secret_from_file.trim_end()));
+		}
+		(None, None) => {
+			return Err("either `rpc_secret` or `rpc_secret_file` needs to be set".into())
+		}
+	};
+
+	Ok(parsed_config)
 }
 
 fn default_compression() -> Option<i32> {