fix(enroll): ninth audit — compose guards, sed verification, sops check, harmonia push, cache priority#181

Merged
mdheller merged 1 commit into
mainfrom
fix/enroll-ninth-audit
Jun 16, 2026
Conversation

@mdheller

Member

Findings and fixes

| # | Finding | Severity | Fix |
|---|---------|----------|-----|
| 1 | `COMPOSE_FILE` never validated before `docker-compose up` — missing file gives generic error | Medium | `[[ -f COMPOSE_FILE ]]` guard with diagnostic |
| 2 | `sed -i` substitutions not verified — silent no-op if `.env.example` keys renamed; Foreman boots with placeholder passwords | High | Pre-check keys exist; post-check substitution landed |
| 3 | Python3 substring search `'sops' in d` for encrypted check — a YAML comment fools it | Low | `grep -q '^sops:'` — matches the actual YAML key, drops python3 dependency |
| 4 | `nix build` silent for up to 15 min — no operator visibility, encourages Ctrl-C | Medium | `info "Build log: ... (tail -f to follow)"` before build |
| 5 | `nix build --print-out-paths` multi-line output not guarded — embedded newline breaks `[[ -e CLOSURE ]]` | Low | Pipe through `head -1` |
| 6 | Harmonia push uses `CLOSURE` (step-10 build) not `CURRENT_GEN` (active system) when they differ | Medium | Push `CURRENT_GEN` first when it diverges, then `CLOSURE` |
| 7 | `sops-nix-activate` "ok" is false positive when unit doesn't exist — `is-failed` exits 1 for absent units | Medium | Also check `/run/secrets/katello-password` exists as ground truth |
| 8 | `nix-cache-info` `Priority: 40` matches cache.nixos.org — local cache not preferred | Medium | `Priority: 30` — lower number = higher nix priority |

Notes

  • Priority change (finding 8) takes effect on next enrollment/re-run — existing enrolled machines need sudo bash scripts/enroll.sh to re-sign
  • Active system push (finding 6) only fires when CURRENT_GEN != CLOSURE; normal path is unchanged

Test plan

  • bash -n scripts/enroll.sh — no syntax errors
  • Remove FOREMAN_ADMIN_PASSWORD= from .env.example → die with template-changed message
  • Rename key in example → sed no-op → post-check die fires
  • Create plaintext secrets.yaml with a # sops disabled comment → re-encryption triggered correctly
  • Verify Priority: 30 in written nix-cache-info after enrollment
  • Verify active system path pushed to harmonia when CURRENT_GEN diverges
  • Full physical M2 enroll run (P0 test)
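The verified-substitution pattern from finding 2 and the `grep -q '^sops:'` check from finding 3, as an added shell example that is not the project's `scripts/enroll.sh`; key names, the sample `.env.example` and `secrets.yaml` contents are constructed, and GNU/BusyBox `sed -i` (no backup suffix argument) is assumed.

```shell
#!/usr/bin/env bash
# Added example, not enroll.sh: guard an .env substitution on both sides
# of sed, since `sed -i` exits 0 even when the pattern matched nothing.
set -eu

# Replace "KEY=<anything>" in FILE with "KEY=VALUE".
# Returns 1 if the key is absent (template changed), 2 if sed no-op'd.
# Assumes VALUE contains no '|' (sed delimiter), '&' or '\'.
set_env_key() {
  local file="$1" key="$2" value="$3"
  # Pre-check: the key must exist, otherwise sed would silently do nothing.
  if ! grep -q "^${key}=" "$file"; then
    echo "template changed: ${key}= not found in ${file}" >&2
    return 1
  fi
  sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  # Post-check: the exact line must now be present (fixed-string match).
  if ! grep -qxF "${key}=${value}" "$file"; then
    echo "substitution of ${key} did not land in ${file}" >&2
    return 2
  fi
}

# True only when FILE has a top-level 'sops:' YAML key; a comment such as
# "# sops disabled" no longer counts, unlike the old substring search.
is_sops_encrypted() {
  grep -q '^sops:' "$1"
}

# Constructed inputs: a template with placeholder passwords and a plaintext
# secrets file carrying a misleading comment.
demo() {
  local dir; dir="$(mktemp -d)"
  printf 'FOREMAN_ADMIN_PASSWORD=changeme\nKATELLO_PG_PASSWORD=changeme\n' \
    > "$dir/.env.example"
  set_env_key "$dir/.env.example" FOREMAN_ADMIN_PASSWORD 'generated-pw'
  set_env_key "$dir/.env.example" KATELLO_PG_PASSWORD 'generated-pg-pw'
  printf '# sops disabled\nkatello-password: plain\n' > "$dir/secrets.yaml"
  if is_sops_encrypted "$dir/secrets.yaml"; then
    echo "plaintext file misdetected as encrypted" >&2
    return 3
  fi
  rm -rf "$dir"
}

demo
```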

…ck, harmonia push, cache priority

- COMPOSE_FILE existence check: validate the docker-compose YAML exists
  before `docker-compose up`; previously a missing file gave a generic
  "No such file" with no enrollment-specific context

- sed substitution verification: grep-check that FOREMAN_ADMIN_PASSWORD
  and KATELLO_PG_PASSWORD keys exist in .env.example before substituting,
  then confirm the substitution landed; sed exits 0 silently on no-match,
  which would leave Foreman running with placeholder passwords

- Replace python3 sops check with grep: `grep -q '^sops:'` is more
  accurate than substring search for 'sops' — a YAML comment containing
  the word would fool the old check; also drops the python3 dependency

- nix build progress hint: print BUILD_LOG path before the build so
  operators know where to tail -f during the silent 5-15 min build;
  nixos-rebuild steps stream to terminal but nix build was fully silent

- nix build head -1: pipe --print-out-paths through head -1 to guard
  against multi-output derivations; embedded newline in CLOSURE would
  cause [[ -e ]] and nix copy to fail with a confusing path error

- Push active system to harmonia: when CURRENT_GEN differs from CLOSURE
  (nixos-rebuild fetched a cached derivation), push CURRENT_GEN first so
  the actually-running system is always in harmonia; previously only
  CLOSURE was pushed, leaving the active system absent from the cache

- sops-nix-activate ground-truth check: test for /run/secrets/katello-password
  existence in addition to is-failed state; is-failed exits 1 (not-failed)
  when a unit doesn't exist, producing a false "ok" if sops-nix isn't
  configured or the service name changes

- nix-cache-info Priority 30: local harmonia cache now has higher nix
  priority than cache.nixos.org (Priority 40); previously both were 40
  and nix raced them, defeating the purpose of a local cache
@mdheller mdheller merged commit 31bf3af into main Jun 16, 2026
@mdheller mdheller deleted the fix/enroll-ninth-audit branch June 16, 2026 19:10