authorSamuel Wilhelmsson <samuel.wilhelmsson@gmail.com>2025-01-11 23:28:34 +0100
committerSamuel Wilhelmsson <samuel.wilhelmsson@gmail.com>2025-01-11 23:28:34 +0100
commite4fc03baf716f879b44c6ce18781d3dc702354c3 (patch)
treedfca77b65123e5b858b81ca3f82ffdac898ce70b
parent7d4b7e629bd5a095148dfe448209b9ec1ee4643f (diff)
downloadtinygram-e4fc03baf716f879b44c6ce18781d3dc702354c3.tar.gz
tinygram-e4fc03baf716f879b44c6ce18781d3dc702354c3.zip
add age encrypted secrets in binary
-rw-r--r--.ageboxreg.yml3
-rw-r--r--dev.toml.agebox11
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--internal/secrets/secrets.go49
-rw-r--r--keys1
-rw-r--r--main.go43
-rw-r--r--prod.env.ageboxbin594 -> 0 bytes
-rw-r--r--prod.toml.ageboxbin0 -> 702 bytes
9 files changed, 107 insertions, 6 deletions
diff --git a/.ageboxreg.yml b/.ageboxreg.yml
index 8cdf1ac..3212f3b 100644
--- a/.ageboxreg.yml
+++ b/.ageboxreg.yml
@@ -1,3 +1,4 @@
file_ids:
-- prod.env
+- dev.toml
+- prod.toml
version: "1"
diff --git a/dev.toml.agebox b/dev.toml.agebox
new file mode 100644
index 0000000..1989b72
--- /dev/null
+++ b/dev.toml.agebox
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 wo5T/g BnFfGb48JE4goOzqwUvZWLCAJ/vf8G2rtZutL7mfoQc
+5d4+i/uGRkHCSUrTB0o2d0eSmdM/lBthnWD456deRB8
+-> ssh-ed25519 +GzdqQ hTsdxkTluOiwfyRwXLXlwvClMWSEtHjnZwd0kGt67Tk
+m2OT4MGHOmoLt7sDQWqGugVl+fXqTvXWphEGPbkHJs8
+-> ssh-ed25519 juKS7A td9YKXjh/DbK8vnAkK9mil7Vk8UXs0IieA7ylO8ID0s
+9AdnwdeQwYAtY3yPgXalFa7KZCO5gSVQ96RywOk7tnM
+-> X25519 1OVcu/1thO7JEc8JSE/nhcZg6xREHATIKzhW6uAnEEs
+XbKwvmPdfdSwnFm5XzYz43XxkXxa10ZmyFRPvSm0Xnw
+--- owhb71cQZqfFSUW2RNrIqU8DfL6A6I8WEz8I6NcO1ZA
+]<YC4m@RAh T>R(7%Vutц,bq5Cbo ·\14|2EduuImO'*0,6Iެ\] ͻQ߹b1ۼx" }Î \ No newline at end of file
diff --git a/go.mod b/go.mod
index 0be922c..091453d 100644
--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,8 @@ require (
)
require (
+ filippo.io/age v1.2.1 // indirect
+ github.com/BurntSushi/toml v1.4.0 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/gorilla/context v1.1.1 // indirect
github.com/gorilla/securecookie v1.1.2 // indirect
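Review bot: Both new requirements on lines 58-59 are marked `// indirect`, yet `filippo.io/age` is imported directly by internal/secrets/secrets.go and `github.com/BurntSushi/toml` by main.go in this same commit, so the markers are wrong and `go mod tidy` will move both lines into the direct `require` block on the next run. Run it before merging so the manifest matches the imports and the next commit is not a spurious go.mod reshuffle. The go.sum hunk below already carries checksums for these exact versions.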
diff --git a/go.sum b/go.sum
index dfc411a..c866565 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,7 @@
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/a-h/templ v0.2.513 h1:ZmwGAOx4NYllnHy+FTpusc4+c5msoMpPIYX0Oy3dNqw=
github.com/a-h/templ v0.2.513/go.mod h1:9gZxTLtRzM3gQxO8jr09Na0v8/jfliS97S9W5SScanM=
github.com/a-h/templ v0.3.819 h1:KDJ5jTFN15FyJnmSmo2gNirIqt7hfvBD2VXVDTySckM=
diff --git a/internal/secrets/secrets.go b/internal/secrets/secrets.go
new file mode 100644
index 0000000..684456f
--- /dev/null
+++ b/internal/secrets/secrets.go
@@ -0,0 +1,49 @@
+package secrets
+
+import (
+ "fmt"
+ "io"
+ "os"
+ "path"
+ "strings"
+
+ "filippo.io/age"
+)
+
+func DecryptSecret(secret string) (string, error) {
+ homepath, err := os.UserHomeDir()
+ if err != nil {
+ fmt.Println("could not get home dir")
+ os.Exit(1)
+ }
+
+ sshFolder := path.Join(homepath, ".ssh")
+ entries, err := os.ReadDir(sshFolder)
+
+ var identities []*age.X25519Identity
+ for _, file := range entries {
+ if !strings.HasSuffix(".pub", file.Name()) {
+ keybytes, err := os.ReadFile(path.Join(sshFolder, file.Name()))
+ identity, err := age.ParseX25519Identity(strings.TrimSpace(string(keybytes)))
+ if err != nil {
+ continue
+ }
+ identities = append(identities, identity)
+ }
+ }
+
+ if len(identities) == 0 {
+ return "", fmt.Errorf("could not parse any identities")
+ }
+
+ for _, id := range identities {
+ result, err := age.Decrypt(strings.NewReader(secret), id)
+ if err != nil {
+ continue
+ }
+ b, _ := io.ReadAll(result)
+ return string(b), nil
+ }
+
+ return "", fmt.Errorf("could not find identity")
+}
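Review bot: The filter on line 105 has its arguments reversed — `strings.HasSuffix(".pub", file.Name())` asks whether the literal ".pub" ends with the file name, which is false for practically every entry, so the `!` admits every file in ~/.ssh (public keys and directories included); the error from `os.ReadDir` on line 101 is never checked (a missing ~/.ssh silently becomes "could not parse any identities"), the `os.ReadFile` error on line 106 is overwritten on line 107 before it is looked at, `io.ReadAll` on line 124 drops its error, and `os.UserHomeDir` failure on lines 96-97 prints and calls `os.Exit(1)` from inside a library package instead of returning. The loop also calls `age.Decrypt` once per identity, whereas `age.Decrypt` takes a variadic `...age.Identity` and does the matching itself. The rewrite below returns errors instead of exiting, fixes the suffix test, checks the read errors and decrypts once with all identities; `path.Join` should probably become `filepath.Join` for an OS path, which means swapping the import. Only `age.ParseX25519Identity` is attempted, so the ssh-ed25519 recipients listed in the dev.toml.agebox header (lines 41-46) cannot be used by this code — presumably the intent is a native age key kept in ~/.ssh, but worth confirming and documenting on the function.
```go
func DecryptSecret(secret string) (string, error) {
	homepath, err := os.UserHomeDir()
	if err != nil {
		return "", fmt.Errorf("locating home dir: %w", err)
	}

	sshFolder := path.Join(homepath, ".ssh")
	entries, err := os.ReadDir(sshFolder)
	if err != nil {
		return "", fmt.Errorf("reading %s: %w", sshFolder, err)
	}

	var identities []age.Identity
	for _, file := range entries {
		if file.IsDir() || strings.HasSuffix(file.Name(), ".pub") {
			continue
		}
		keybytes, err := os.ReadFile(path.Join(sshFolder, file.Name()))
		if err != nil {
			continue // unreadable entry; keep scanning the rest
		}
		identity, err := age.ParseX25519Identity(strings.TrimSpace(string(keybytes)))
		if err != nil {
			continue // not an age X25519 identity (e.g. an ssh private key)
		}
		identities = append(identities, identity)
	}
	// … unchanged: empty-identities check …
	result, err := age.Decrypt(strings.NewReader(secret), identities...)
	if err != nil {
		return "", fmt.Errorf("decrypting secret: %w", err)
	}
	b, err := io.ReadAll(result)
	if err != nil {
		return "", fmt.Errorf("reading decrypted secret: %w", err)
	}
	return string(b), nil
}
```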
diff --git a/keys b/keys
index 8c4b2ba..2fa419b 100644
--- a/keys
+++ b/keys
@@ -1,3 +1,4 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+pkr+e063obZgcWOXYGhnkzed2F54T/OcYtXC1otZ+
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICJnVLRCQuUf9jMYHIUe76NoLEJ9ze8XvLc8LCTdwy9a
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+vVPYDhP1IvZG7SLfST6Nk1bgBDxUt+BzyfCoa7b//
+age1f7l3qe00y2qcw3c9efdrdp6qne8gm0dldp4wptyhq3jp6hf3t4usspnzgg
diff --git a/main.go b/main.go
index ae6a684..b24e683 100644
--- a/main.go
+++ b/main.go
@@ -2,18 +2,22 @@ package main
import (
"bufio"
+ _ "embed"
"fmt"
"io"
"net/http"
"os"
"path"
"time"
+ "tinygram/internal/secrets"
+ "github.com/BurntSushi/toml"
"github.com/google/uuid"
"github.com/gorilla/sessions"
"github.com/labstack/echo-contrib/session"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
+ "github.com/labstack/gommon/log"
"gorm.io/driver/sqlite"
"gorm.io/gorm"
)
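Review bot: `"tinygram/internal/secrets"` on line 153 is appended to the standard-library group with no separating blank line, and `"github.com/BurntSushi/toml"` follows it directly, so `goimports` will regroup the whole block on the next save and produce a noise-only diff. Move the module-local import into the third-party group (or its own group after a blank line) now so the layout is stable. Nothing else in this hunk changes behaviour.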
@@ -24,25 +28,53 @@ type Post struct {
ImageID string
}
+type Config struct {
+ SessionSecret string
+ DbPath string
+ AssetPath string
+ PasswordFilepath string
+}
+
+//go:embed prod.toml.agebox
+var prodenv string
+
+//go:embed dev.toml.agebox
+var devenv string
+
+var config Config
+
func main() {
- dbPath := os.Getenv("DB_PATH")
+ secret, err := secrets.DecryptSecret(devenv)
+ if err != nil {
+ log.Errorf("could not decrypt a secret", err)
+ os.Exit(1)
+ }
+ fmt.Println(secret)
+
+ _, err = toml.Decode(secret, &config)
+ if err != nil {
+ fmt.Printf("could not parse config %v\n", err)
+ os.Exit(1)
+ }
+
+ dbPath := config.DbPath
if dbPath == "" {
dbPath = "tinygram.db"
}
- sessionSecret := os.Getenv("SESSION_SECRET")
+ sessionSecret := config.SessionSecret
if sessionSecret == "" {
fmt.Println("NEED TO PROVIDE A SECRET")
- return
+ os.Exit(1)
}
- passwordFilePath := os.Getenv("PASSWORD_FILE_PATH")
+ passwordFilePath := config.PasswordFilepath
if passwordFilePath == "" {
passwordFilePath = "password.txt"
}
- assetsPath := os.Getenv("ASSETS_PATH")
+ assetsPath := config.AssetPath
if assetsPath == "" {
assetsPath = "assets"
}
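Review bot: `fmt.Println(secret)` on line 189 writes the entire decrypted config — including `SessionSecret` — to stdout on every start, where it lands in service logs, container output and terminal scrollback; delete that line, or print only the non-secret fields (`DbPath`, `AssetPath`, `PasswordFilepath`). `log.Errorf("could not decrypt a secret", err)` on line 186 has no format verb, so the error is appended as an `%!(EXTRA ...)` complaint rather than printed; make it `log.Errorf("could not decrypt a secret: %v", err)`. `prodenv` is embedded on lines 174-175 but never read — `main` always decrypts `devenv` — so a production build presumably needs a switch (build tag or environment variable) to pick the blob; worth confirming the intent and adding a comment on the two `//go:embed` vars saying which one is used when. The rest of `main` continues past the end of this hunk.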
@@ -67,6 +99,7 @@ func main() {
if err != nil {
fmt.Printf("opening db: %v", err)
+ return
}
e.Static("/static", assetsPath)
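Review bot: The added `return` after the "opening db" message exits `main` with status 0, so a supervisor or container runtime sees a clean shutdown when the database could not be opened; every other fatal branch in this function (lines 187, 194, 206) uses `os.Exit(1)`, and this one should match: `os.Exit(1)`. The message on line 220 also lacks a trailing newline, `fmt.Printf("opening db: %v\n", err)`. `main` continues outside this hunk.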
diff --git a/prod.env.agebox b/prod.env.agebox
deleted file mode 100644
index bf1d545..0000000
--- a/prod.env.agebox
+++ /dev/null
Binary files differ
diff --git a/prod.toml.agebox b/prod.toml.agebox
new file mode 100644
index 0000000..0b89ad6
--- /dev/null
+++ b/prod.toml.agebox
Binary files differ