add client side decryption

.github/workflows/build_image.yml

@@ -6,7 +6,6 @@ on:
   push:
     paths:
         - 'odysseus/Dockerfile'
-        - 'odysseus/compose.yml'
 
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
@@ -47,7 +46,7 @@ jobs:
             ODY_TPU_ROOT_PASSWORD: ${{ secrets.ODY_TPU_ROOT_PASSWORD }}
             ODY_IROH_ROOT_PASSWORD: ${{ secrets.ODY_IROH_ROOT_PASSWORD }}
             MASTER_PASSWORD: ${{ secrets.ODY_MASTER_PASSWORD }}
-        run:  for i in ODY_AP_ROOT_PASSWORD  ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> PASSWORDS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --cipher-algo AES256 PASSWORDS.env
+        run:  for i in ODY_AP_ROOT_PASSWORD  ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> SECRETS.env; done && gpg --batch --symmetric --passphrase "$MASTER_PASSWORD" --cipher-algo AES256 SECRETS.env
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.

odysseus/Dockerfile

@@ -37,13 +37,14 @@ RUN apt-get install -y \
 # add all buildroot files there
 WORKDIR /home/odysseus/build
 
-RUN  git clone https://gitlab.com/buildroot.org/buildroot.git && cd ./buildroot && git checkout 96d0d677790e659b822761b50561b0316b4abf43
+RUN  git clone https://gitlab.com/buildroot.org/buildroot.git && cd ./buildroot && git checkout 2024.02
 
 
 WORKDIR /home/odysseus/outputs/
 COPY ./docker_scripts /home/odysseus/scripts
 RUN echo "source /home/odysseus/scripts/setup_env.sh" >> ~/.bashrc
 
-COPY ./PASSWORDS.env.gpg /home/odysseus/
+# install password using wildcard so failures arent deadly
+COPY ./SECRETS.env.* /home/odysseus/
 
 ENTRYPOINT "/bin/bash"

odysseus/compose.yml

@@ -19,6 +19,9 @@ services:
         environment:
             - BR2_DL_DIR=/home/odysseus/shared_data/dl 
             - BR2_CCACHE_DIR=/home/odysseus/shared_data/ccache
+            - ODY_TPU_ROOT_PASSWORD=password
+            - ODY_IROH_ROOT_PASSWORD=password
+            - ODY_AP_ROOT_PASSWORD=password
 
 volumes:
     shared_data:

odysseus/docker_scripts/load-secrets.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+eval "$(gpg -d --cipher-algo AES256 /home/odysseus/PASSWORDS.env.gpg)"

odysseus/docker_scripts/setup_env.sh

@@ -1,9 +1,7 @@
 #!/bin/bash
 
 alias make-current="/home/odysseus/scripts/make-current.sh"
-
-# for password exposure to defconfigs
-set -o allexport && source /run/secrets/ody_passwords && set +o allexport
+alias load-secrets="/home/odysseus/scripts/load-secrets.sh"
 
 # for each defconfig make output subdirectory
 make -C /home/odysseus/build/buildroot O=/home/odysseus/outputs/tpu BR2_EXTERNAL=/home/odysseus/build/odysseus_tree raspberrypi4_64_tpu_defconfig