Don't decrypt if secrets haven't changed from previous activation
Currently, agenix decrypts secrets every time the system is activated, even if the secrets haven't changed. Ideally, if the secrets haven't changed, the activation script would detect this and skip decrypting that secret. I can't really think of how this could be implemented though, hence the opening of this issue.
I agree this is desirable, otherwise it triggers potential path change monitoring unnecessarily. It would still need to decrypt the secret, but it doesn't have to move it into place if the contents, group, user, and mode are unchanged.
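One way to do the "only move it into place if nothing changed" check described in the comment above. This is an added example, not agenix's own activation script: it assumes GNU coreutils (`stat -c`, as the agenix script itself uses), that the secret has already been decrypted to a temporary file, and that the caller may `chown` it to the requested owner and group. The function name `install_if_changed` and the `replaced`/`unchanged` status words are made up for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not agenix code): install a freshly decrypted secret only
# when its contents, mode, owner or group differ from what is already in place.
# Assumes GNU coreutils (stat -c) and that chmod/chown on the temp file succeed
# for the requested mode/owner/group.

# Print "mode owner group" of a path, e.g. "400 root root".
secret_attrs() {
  stat -c '%a %U %G' "$1"
}

# install_if_changed TMP_FILE TRUE_PATH MODE OWNER GROUP
# TMP_FILE holds the freshly decrypted secret. It is either moved into place
# or removed, so no plaintext copy is left behind in the temporary directory.
# Prints "replaced" or "unchanged" so callers (and tests) can observe the decision.
install_if_changed() {
  local tmp="$1" dst="$2" mode="$3" owner="$4" group="$5"

  # Apply the desired attributes to the temp file first, so the comparison
  # below is against exactly what would be installed (this also normalizes
  # a mode written as 0400 to the "400" that stat prints).
  chmod "$mode" "$tmp"
  chown "$owner:$group" "$tmp"

  if [ -f "$dst" ] \
     && cmp -s "$tmp" "$dst" \
     && [ "$(secret_attrs "$tmp")" = "$(secret_attrs "$dst")" ]; then
    # Same bytes and same mode/owner/group: leave the installed file alone so
    # its inode and mtime do not change (nothing for path monitoring to see),
    # and discard the duplicate plaintext.
    rm -f "$tmp"
    echo unchanged
    return 0
  fi

  # Something differs, or nothing is installed yet: replace atomically.
  mv -f "$tmp" "$dst"
  echo replaced
}
```

Comparing with `cmp -s` means the decrypted plaintext is read once more, but it was already written to the temp file, so no additional secret material is exposed; the point is only that the installed file's inode and timestamp are untouched when nothing changed.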
I tried to implement this, and ran into the issue that the way things currently work by default (this seems to have been changed recently), all the secrets get put into /run/agenix.d/<generation>/ and then that directory gets symlinked to /run/agenix. Since the directory is all updated as a whole, I don't see a way to not update secrets that aren't changed.
If it's helpful to anyone else who's trying, my attempt looked like:
- mv -f "$TMP_FILE" "$_truePath"
+
+ # only update the file if it's changed in some way
+ # NOTE: diff has opposite return value than expected
+ if ! [ -f $_truePath ] || \
+ ! diff -q $TMP_FILE $_truePath >/dev/null || \
+ [ "$(stat -c '%a' "$TMP_FILE")" -eq "$(stat -c '%a' "$_truePath")" ]
+ then mv -f "$TMP_FILE" "$_truePath"
+ fi
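Review bot: the mode comparison in the third branch of the `if` uses `-eq`, so the file is moved when the modes are equal and, when the contents already match, is left in place only when the modes differ, the reverse of the intent; it should be `-ne`. The condition also ignores owner and group, which the earlier comment lists as part of the "unchanged" check (`stat -c '%a %U %G'` on both files would cover mode, user and group in one comparison), `$TMP_FILE` and `$_truePath` are unquoted in the `[ -f ... ]` and `diff -q` calls, and when the `mv` is skipped the decrypted `$TMP_FILE` is left behind instead of being removed.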
https://github.com/ryantm/agenix/pull/132 has a minimal implementation to only create new generations when a secret has changed.