dls: basic offline store ops

Cargo.lock

@@ -90,9 +90,9 @@ checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
 
 [[package]]
 name = "async-compression"
-version = "0.4.41"
+version = "0.4.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d0f9ee0f6e02ffd7ad5816e9464499fba7b3effd01123b515c41d1697c43dad1"
+checksum = "e79b3f8a79cccc2898f31920fc69f304859b3bd567490f75ebf51ae1c792a9ac"
 dependencies = [
  "compression-codecs",
  "compression-core",
@@ -161,9 +161,9 @@ checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 
 [[package]]
 name = "cc"
-version = "1.2.60"
+version = "1.2.62"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "43c5703da9466b66a946814e1adf53ea2c90f10063b86290cc9eb67ce3478a20"
+checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -218,9 +218,9 @@ dependencies = [
 
 [[package]]
 name = "clap_complete"
-version = "4.6.2"
+version = "4.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ff7a1dccbdd8b078c2bdebff47e404615151534d5043da397ec50286816f9cb"
+checksum = "e3e962dae2b1e5007fe9e3db363ddc43a8bf25546d279f7a8a4401204690e80c"
 dependencies = [
  "clap",
  "clap_lex",
@@ -254,9 +254,9 @@ checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
 
 [[package]]
 name = "compression-codecs"
-version = "0.4.37"
+version = "0.4.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb7b51a7d9c967fc26773061ba86150f19c50c0d65c887cb1fbe295fd16619b7"
+checksum = "ce2548391e9c1929c21bf6aa2680af86fe4c1b33e6cea9ac1cfeec0bd11218cf"
 dependencies = [
  "compression-core",
  "zstd",
@@ -265,9 +265,9 @@ dependencies = [
 
 [[package]]
 name = "compression-core"
-version = "0.4.31"
+version = "0.4.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75984efb6ed102a0d42db99afb6c1948f0380d1d91808d5529916e6c08b49d8d"
+checksum = "cc14f565cf027a105f7a44ccf9e5b424348421a1d8952a8fc9d499d313107789"
 
 [[package]]
 name = "constant_time_eq"
@@ -310,7 +310,7 @@ dependencies = [
 
 [[package]]
 name = "dkl"
-version = "1.2.0"
+version = "1.2.1"
 dependencies = [
  "async-compression",
  "base32",
@@ -324,6 +324,7 @@ dependencies = [
  "fastrand",
  "futures",
  "futures-util",
+ "getrandom 0.4.2",
  "glob",
  "hex",
  "human-units",
@@ -338,7 +339,7 @@ dependencies = [
  "rust-argon2",
  "serde",
  "serde_json",
- "serde_yaml",
+ "serde_yaml_ng",
  "signal-hook",
  "tabled",
  "thiserror",
@@ -572,9 +573,9 @@ dependencies = [
 
 [[package]]
 name = "hashbrown"
-version = "0.17.0"
+version = "0.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
 
 [[package]]
 name = "heck"
@@ -820,9 +821,9 @@ dependencies = [
 
 [[package]]
 name = "idna_adapter"
-version = "1.2.1"
+version = "1.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3acae9609540aa318d1bc588455225fb2085b9ed0c4f6bd0d9d5bcd86f1a0344"
+checksum = "cb68373c0d6620ef8105e855e7745e18b0d00d3bdb07fb532e434244cdb9a714"
 dependencies = [
  "icu_normalizer",
  "icu_properties",
@@ -841,7 +842,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
 dependencies = [
  "equivalent",
- "hashbrown 0.17.0",
+ "hashbrown 0.17.1",
  "serde",
  "serde_core",
 ]
@@ -852,16 +853,6 @@ version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
-[[package]]
-name = "iri-string"
-version = "0.7.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
-dependencies = [
- "memchr",
- "serde",
-]
-
 [[package]]
 name = "is_executable"
 version = "1.0.5"
@@ -885,9 +876,9 @@ checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "jiff"
-version = "0.2.23"
+version = "0.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a3546dc96b6d42c5f24902af9e2538e82e39ad350b0c766eb3fbf2d8f3d8359"
+checksum = "f00b5dbd620d61dfdcb6007c9c1f6054ebd75319f163d886a9055cec1155073d"
 dependencies = [
  "jiff-static",
  "log",
@@ -898,9 +889,9 @@ dependencies = [
 
 [[package]]
 name = "jiff-static"
-version = "0.2.23"
+version = "0.2.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2a8c8b344124222efd714b73bb41f8b5120b27a7cc1c75593a6ff768d9d05aa4"
+checksum = "e000de030ff8022ea1da3f466fbb0f3a809f5e51ed31f6dd931c35181ad8e6d7"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -919,9 +910,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.95"
+version = "0.3.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2964e92d1d9dc3364cae4d718d93f227e3abb088e747d92e0395bfdedf1c12ca"
+checksum = "67df7112613f8bfd9150013a0314e196f4800d3201ae742489d999db2f979f08"
 dependencies = [
  "cfg-if",
  "futures-util",
@@ -937,9 +928,9 @@ checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
 
 [[package]]
 name = "libc"
-version = "0.2.185"
+version = "0.2.186"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
+checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
 
 [[package]]
 name = "linux-raw-sys"
@@ -1014,9 +1005,9 @@ dependencies = [
 
 [[package]]
 name = "nix"
-version = "0.31.2"
+version = "0.31.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
+checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -1047,15 +1038,14 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
 [[package]]
 name = "openssl"
-version = "0.10.77"
+version = "0.10.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfe4646e360ec77dff7dde40ed3d6c5fee52d156ef4a62f53973d38294dad87f"
+checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
 dependencies = [
  "bitflags",
  "cfg-if",
  "foreign-types",
  "libc",
- "once_cell",
  "openssl-macros",
  "openssl-sys",
 ]
@@ -1079,9 +1069,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.113"
+version = "0.9.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ad2f2c0eba47118757e4c6d2bff2838f3e0523380021356e7875e858372ce644"
+checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
 dependencies = [
  "cc",
  "libc",
@@ -1142,9 +1132,9 @@ checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 
 [[package]]
 name = "portable-atomic-util"
-version = "0.2.6"
+version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "091397be61a01d4be58e7841595bd4bfedb15f1cd54977d79b8271e94ed799a3"
+checksum = "c2a106d1259c23fac8e543272398ae0e3c0b8d33c88ed73d0cc71b0f1d902618"
 dependencies = [
  "portable-atomic",
 ]
@@ -1251,9 +1241,9 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
 
 [[package]]
 name = "reqwest"
-version = "0.13.2"
+version = "0.13.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
+checksum = "62e0021ea2c22aed41653bc7e1419abb2c97e038ff2c33d0e1309e49a97deec0"
 dependencies = [
  "base64",
  "bytes",
@@ -1289,20 +1279,20 @@ dependencies = [
 
 [[package]]
 name = "rpassword"
-version = "7.4.0"
+version = "7.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "66d4c8b64f049c6721ec8ccec37ddfc3d641c4a7fca57e8f2a89de509c73df39"
+checksum = "5ac5b223d9738ef56e0b98305410be40fa0941bf6036c56f1506751e43552d64"
 dependencies = [
  "libc",
  "rtoolbox",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
 name = "rtoolbox"
-version = "0.0.4"
+version = "0.0.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "327b72899159dfae8060c51a1f6aebe955245bcd9cc4997eed0f623caea022e4"
+checksum = "50a0e551c1e27e1731aba276dbeaeac73f53c7cd34d1bda485d02bd1e0f36844"
 dependencies = [
  "libc",
  "windows-sys 0.59.0",
@@ -1335,9 +1325,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-pki-types"
-version = "1.14.0"
+version = "1.14.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be040f8b0a225e40375822a563fa9524378b9d63112f53e19ffff34df5d33fdd"
+checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9"
 dependencies = [
  "zeroize",
 ]
@@ -1436,10 +1426,10 @@ dependencies = [
 ]
 
 [[package]]
-name = "serde_yaml"
+name = "serde_yaml_ng"
-version = "0.9.34+deprecated"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+checksum = "7b4db627b98b36d4203a7b458cf3573730f2bb591b28871d916dfa9efabfd41f"
 dependencies = [
  "indexmap",
  "itoa",
@@ -1617,9 +1607,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.52.0"
+version = "1.52.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a91135f59b1cbf38c91e73cf3386fca9bb77915c45ce2771460c9d92f0f3d776"
+checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
 dependencies = [
  "bytes",
  "libc",
@@ -1682,20 +1672,20 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
 dependencies = [
  "bitflags",
  "bytes",
  "futures-util",
  "http",
  "http-body",
- "iri-string",
  "pin-project-lite",
  "tower",
  "tower-layer",
  "tower-service",
+ "url",
 ]
 
 [[package]]
@@ -1806,11 +1796,11 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
 
 [[package]]
 name = "wasip2"
-version = "1.0.2+wasi-0.2.9"
+version = "1.0.3+wasi-0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
 dependencies = [
- "wit-bindgen",
+ "wit-bindgen 0.57.1",
 ]
 
 [[package]]
@@ -1819,14 +1809,14 @@ version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
 dependencies = [
- "wit-bindgen",
+ "wit-bindgen 0.51.0",
 ]
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.118"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0bf938a0bacb0469e83c1e148908bd7d5a6010354cf4fb73279b7447422e3a89"
+checksum = "49ace1d07c165b0864824eee619580c4689389afa9dc9ed3a4c75040d82e6790"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -1837,9 +1827,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.68"
+version = "0.4.71"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f371d383f2fb139252e0bfac3b81b265689bf45b6874af544ffa4c975ac1ebf8"
+checksum = "96492d0d3ffba25305a7dc88720d250b1401d7edca02cc3bcd50633b424673b8"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -1847,9 +1837,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.118"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eeff24f84126c0ec2db7a449f0c2ec963c6a49efe0698c4242929da037ca28ed"
+checksum = "8e68e6f4afd367a562002c05637acb8578ff2dea1943df76afb9e83d177c8578"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -1857,9 +1847,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.118"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d08065faf983b2b80a79fd87d8254c409281cf7de75fc4b773019824196c904"
+checksum = "d95a9ec35c64b2a7cb35d3fead40c4238d0940c86d107136999567a4703259f2"
 dependencies = [
  "bumpalo",
  "proc-macro2",
@@ -1870,9 +1860,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.118"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5fd04d9e306f1907bd13c6361b5c6bfc7b3b3c095ed3f8a9246390f8dbdee129"
+checksum = "c4e0100b01e9f0d03189a92b96772a1fb998639d981193d7dbab487302513441"
 dependencies = [
  "unicode-ident",
 ]
@@ -1926,9 +1916,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.95"
+version = "0.3.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f2dfbb17949fa2088e5d39408c48368947b86f7834484e87b73de55bc14d97d"
+checksum = "4b572dff8bcf38bad0fa19729c89bb5748b2b9b1d8be70cf90df697e3a8f32aa"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -2180,6 +2170,12 @@ dependencies = [
  "wit-bindgen-rust-macro",
 ]
 
+[[package]]
+name = "wit-bindgen"
+version = "0.57.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e"
+
 [[package]]
 name = "wit-bindgen-core"
 version = "0.51.0"

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "dkl"
-version = "1.2.0"
+version = "1.2.1"
 edition = "2024"
 
 [profile.release]
@@ -23,6 +23,7 @@ eyre = "0.6.12"
 fastrand = "2.3.0"
 futures = "0.3.31"
 futures-util = "0.3.31"
+getrandom = "0.4.2"
 glob = "0.3.2"
 hex = "0.4.3"
 human-units = "0.5.3"
@@ -37,7 +38,7 @@ rpassword = "7.4.0"
 rust-argon2 = "3.0.0"
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"
-serde_yaml = "0.9.34"
+serde_yaml = { version = "0.10.0", package = "serde_yaml_ng" }
 signal-hook = "0.4.4"
 tabled = "0.20.0"
 thiserror = "2.0.12"

Dockerfile

@@ -1,4 +1,4 @@
-from mcluseau/rust:1.94.0 as build
+from mcluseau/rust:1.95.0 as build
 
 workdir /app
 copy . .
@@ -10,6 +10,6 @@ run \
  && find target/release -maxdepth 1 -type f -executable -exec cp -v {} /dist/ +
 
 # ------------------------------------------------------------------------
-from alpine:3.23
+from alpine:3.23.4
 copy --from=build /dist/ /bin/
 

src/apply.rs

@@ -1,12 +1,20 @@
-use eyre::Result;
+use eyre::{Result, format_err};
 use log::info;
 use std::path::Path;
 use tokio::fs;
 
-use crate::base64_decode;
+use crate::{base64_decode, File};
 
-pub async fn files(files: &[crate::File], root: &str, dry_run: bool) -> Result<()> {
+pub async fn files(files: &[File], root: &str, dry_run: bool) -> Result<()> {
-    for file in files {
+    for f in files {
+        if let Err(e) = file(f, root, dry_run).await {
+            return Err(format_err!("{}: {e}", f.path))
+        }
+    }
+    Ok(())
+}
+
+pub async fn file(file: &File, root: &str, dry_run: bool) -> Result<()> {
         let path = chroot(root, &file.path);
         let path = Path::new(&path);
 
@@ -14,8 +22,12 @@ pub async fn files(files: &[crate::File], root: &str, dry_run: bool) -> Result<(
             fs::create_dir_all(parent).await?;
         }
 
-        use crate::FileKind as K;
+        use crate::{FileKind as K, FilePart as P};
-        match &file.kind {
+        match file.kind().as_ref() {
+            K::Skip => {
+                info!("{}: kind is skip", file.path);
+                return Ok(())
+            },
             K::Content(content) => {
                 if dry_run {
                     info!(
@@ -39,35 +51,50 @@ pub async fn files(files: &[crate::File], root: &str, dry_run: bool) -> Result<(
                     fs::write(path, content).await?
                 }
             }
-            K::Dir(true) => {
+            K::Parts(parts) => {
+                let mut assembly = Vec::new();
+                for part in parts {
+                    match part {
+                        P::Content(content) => assembly.extend(content.as_bytes()),
+                        P::Content64(content) => assembly.extend(base64_decode(content)?),
+                    }
+                }
+                if dry_run {
+                    info!(
+                        "would create {} ({} bytes from parts)",
+                        file.path,
+                        assembly.len()
+                    );
+                } else {
+                    fs::write(path, assembly).await?
+                }
+            }
+            K::Dir => {
                 if dry_run {
                     info!("would create {} (directory)", file.path);
                 } else {
                     fs::create_dir(path).await?;
                 }
             }
-            K::Dir(false) => {} // shouldn't happen, but semantic is to ignore
             K::Symlink(tgt) => {
                 if dry_run {
                     info!("would create {} (symlink to {})", file.path, tgt);
                 } else {
+                    let _ = fs::remove_file(path).await; // we're ln --force
                     fs::symlink(tgt, path).await?;
                 }
             }
         }
 
         if dry_run {
-            continue;
+            return Ok(());
         }
 
-        match file.kind {
+        if !file.is_symlink() {
-            K::Symlink(_) => {}
+             set_perms(path, file.mode).await?;
-            _ => set_perms(path, file.mode).await?,
         }
 
         info!("created {}", file.path);
-    }
-
         Ok(())
     }
 

src/bin/dls.rs

@@ -3,6 +3,7 @@ use clap::{CommandFactory, Parser, Subcommand};
 use eyre::format_err;
 use futures_util::Stream;
 use futures_util::StreamExt;
+use std::path::PathBuf;
 use std::time::{Duration, SystemTime};
 use tokio::fs;
 use tokio::io::{AsyncWrite, AsyncWriteExt};
@@ -40,6 +41,11 @@ enum Command {
     Hash {
         salt: String,
     },
+    Store {
+        store_path: PathBuf,
+        #[command(subcommand)]
+        op: StoreOp,
+    },
 }
 
 #[derive(Subcommand)]
@@ -96,6 +102,12 @@ enum ClusterCommand {
     },
 }
 
+#[derive(Subcommand)]
+enum StoreOp {
+    Get { data_path: PathBuf },
+    Set { data_path: PathBuf, value: String },
+}
+
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> eyre::Result<()> {
     clap_complete::CompleteEnv::with_factory(Cli::command).complete();
@@ -231,6 +243,18 @@ async fn main() -> eyre::Result<()> {
             println!("hash (hex):    {}", hex::encode(&hash));
             println!("hash (base64): {}", dkl::base64_encode(&hash));
         }
+        C::Store { store_path, op } => {
+            let mut s = dls::store::Store::new(store_path);
+            s.unlock(&std::env::var("DLS_STORE_PW").unwrap()).await?;
+
+            match op {
+                StoreOp::Get { data_path } => {
+                    let mut data = std::io::Cursor::new(s.read(data_path).await?);
+                    tokio::io::copy(&mut data, &mut tokio::io::stdout()).await?;
+                }
+                StoreOp::Set { data_path, value } => s.write(data_path, value.as_bytes()).await?,
+            }
+        }
     };
 
     Ok(())

src/bootstrap.rs

@@ -250,4 +250,10 @@ pub struct Bootstrap {
     pub dev: String,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub seed: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub seed_ca: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub seed_servername: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub seed_proxy: Option<String>,
 }

src/dls/store.rs

@@ -1,4 +1,13 @@
-pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]> {
+use openssl::symm::Mode;
+use std::borrow::Cow;
+use std::path::{Path, PathBuf};
+use tokio::{fs, io::AsyncWriteExt};
+
+pub type Salt = [u8; 16];
+pub type Key = [u8; 32];
+pub type Hash = Vec<u8>;
+
+pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {
     let hash = argon2::hash_raw(
         passphrase.as_bytes(),
         salt,
@@ -6,12 +15,191 @@ pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]>
             variant: argon2::Variant::Argon2id,
             hash_length: 32,
             time_cost: 1,
-            mem_cost: 65536,
+            mem_cost: 64 << 10,
             thread_mode: argon2::ThreadMode::Parallel,
             lanes: 4,
             ..Default::default()
         },
-    )?;
+    )
+    .map_err(Error::Hash)?;
 
-    unsafe { Ok(hash.try_into().unwrap_unchecked()) }
+    Ok(hash.try_into().unwrap())
+}
+
+pub struct Store {
+    path: PathBuf,
+    key: Option<Key>,
+}
+
+impl Store {
+    pub fn new(path: impl Into<PathBuf>) -> Self {
+        Self {
+            path: path.into(),
+            key: None,
+        }
+    }
+
+    pub async fn unlock(&mut self, passphrase: &str) -> Result<()> {
+        let keys = self.read_keys().await?;
+
+        let salt = keys.salt;
+
+        let user_key = hash_password(&salt, passphrase)?;
+        let user_hash = openssl::sha::sha512(&user_key);
+
+        for nk in keys.keys {
+            if nk.hash != user_hash {
+                continue;
+            }
+
+            // build iv+data from salt
+            let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len());
+            enc_data.extend_from_slice(&salt);
+            enc_data.extend_from_slice(&nk.enc_key);
+
+            let key = crypt(&enc_data, &user_key, Mode::Decrypt)?;
+            let key = key.try_into().map_err(|_| Error::InvalidKey)?;
+
+            self.key = Some(key);
+            return Ok(());
+        }
+
+        Err(Error::KeyNotFound)
+    }
+
+    pub async fn read(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
+        let enc_data = self.read_file(path.as_ref().with_extension("data")).await?;
+        self.decrypt(&enc_data)
+    }
+    pub async fn read_to_string(&self, path: impl AsRef<Path>) -> Result<String> {
+        let path = path.as_ref();
+        String::from_utf8(self.read(path).await?).map_err(|_| Error::InvalidUtf8(path.into()))
+    }
+
+    pub async fn write(&self, path: impl AsRef<Path>, data: &[u8]) -> Result<()> {
+        let enc_data = self.encrypt(data)?;
+        safe_write(self.path.join(&path).with_extension("data"), &enc_data).await
+    }
+
+    async fn read_keys(&self) -> Result<Keys<'_>> {
+        let keys = self.read_file(".keys").await?;
+        let Some(keys) = keys.strip_prefix(b"{json}") else {
+            return Err(Error::InvalidKeys);
+        };
+
+        serde_json::from_slice(keys).map_err(Error::KeysParse)
+    }
+
+    async fn read_file(&self, subpath: impl AsRef<Path>) -> Result<Vec<u8>> {
+        let path = self.path.join(subpath);
+        fs::read(&path).await.map_err(|e| Error::Read(path, e))
+    }
+
+    fn encrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
+        self.crypt(src, Mode::Encrypt)
+    }
+    fn decrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
+        self.crypt(src, Mode::Decrypt)
+    }
+    fn crypt(&self, src: &[u8], mode: Mode) -> Result<Vec<u8>> {
+        let key = self.key.as_ref().ok_or(Error::NotUnlocked)?;
+        crypt(src, key, mode)
+    }
+}
+
+async fn safe_write(path: impl AsRef<Path>, contents: &[u8]) -> Result<()> {
+    let path = path.as_ref();
+    let tmp = path.with_added_extension("new");
+
+    let tmp_err = |e| Error::Write(tmp.clone(), e);
+
+    let mut file = fs::OpenOptions::new()
+        .create(true)
+        .truncate(true)
+        .write(true)
+        .open(&tmp)
+        .await
+        .map_err(tmp_err)?;
+
+    file.write_all(contents).await.map_err(tmp_err)?;
+    file.sync_all().await.map_err(tmp_err)?;
+    file.shutdown().await.map_err(tmp_err)?;
+
+    fs::rename(tmp, &path)
+        .await
+        .map_err(|e| Error::Write(path.into(), e))
+}
+
+fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result<Vec<u8>> {
+    use openssl::symm::{Cipher, Crypter};
+
+    let mut iv = [0u8; 16];
+    let mut dst: Vec<u8>;
+    let crypt_dst: &mut [u8];
+
+    match mode {
+        Mode::Encrypt => {
+            getrandom::fill(&mut iv).unwrap();
+            dst = vec![0u8; iv.len() + src.len()];
+            dst[..iv.len()].copy_from_slice(&iv);
+            crypt_dst = &mut dst[iv.len()..];
+        }
+        Mode::Decrypt => {
+            iv = src[..iv.len()]
+                .try_into()
+                .map_err(|_| Error::DecryptInputToSmall)?;
+            src = &src[iv.len()..];
+            dst = vec![0u8; src.len()];
+            crypt_dst = &mut dst;
+        }
+    }
+
+    let cipher = Cipher::aes_256_cfb128();
+    Crypter::new(cipher, mode, key, Some(&iv))
+        .expect("Failed to init AES")
+        .update(src, crypt_dst)
+        .expect("AES CFB encrypt/decrypt failed");
+
+    Ok(dst)
+}
+
+pub type Result<T> = std::result::Result<T, Error>;
+
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    #[error("hash error: {0}")]
+    Hash(argon2::Error),
+    #[error("read {0} failed: {1}")]
+    Read(PathBuf, std::io::Error),
+    #[error("write {0} failed: {1}")]
+    Write(PathBuf, std::io::Error),
+    #[error("read {0} failed: invalid UTF-8")]
+    InvalidUtf8(PathBuf),
+    #[error("invalid keys data")]
+    InvalidKeys,
+    #[error("invalid key")]
+    InvalidKey,
+    #[error("keys parse error: {0}")]
+    KeysParse(serde_json::Error),
+    #[error("key not found")]
+    KeyNotFound,
+    #[error("store not unlocked")]
+    NotUnlocked,
+    #[error("decrypt input too small")]
+    DecryptInputToSmall,
+}
+
+#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+struct Keys<'t> {
+    salt: Salt,
+    keys: Vec<NamedKey<'t>>,
+}
+
+#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+struct NamedKey<'t> {
+    name: Cow<'t, str>,
+    hash: Hash,
+    enc_key: Key,
 }

src/dynlay.rs

@@ -1,4 +1,4 @@
-use eyre::{Result, format_err};
+use eyre::{format_err, Result};
 use log::{debug, error, info, warn};
 use std::path::PathBuf;
 use tokio::{fs, io::AsyncWriteExt, process::Command};
@@ -60,7 +60,7 @@ impl<'t> Dynlay<'t> {
 
         // mount layer
         info!("mounting layer");
-        sudo("mount", &["-t", "squashfs", lay_path, &mount_path_str]).await?;
+        sudo("mount", &[lay_path, &mount_path_str]).await?;
 
         let mut paths = spawn_walk_dir(mount_path.clone());
         while let Some(result) = paths.recv().await {

src/lib.rs

@@ -1,3 +1,5 @@
+use std::borrow::Cow;
+
 pub mod apply;
 pub mod bootstrap;
 pub mod cgroup;
@@ -56,22 +58,45 @@ pub struct User {
     pub gid: Option<u32>,
 }
 
-#[derive(Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
+#[derive(Default, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
 pub struct File {
     pub path: String,
     #[serde(skip_serializing_if = "Option::is_none")]
     pub mode: Option<u32>,
-    #[serde(flatten)]
+    pub kind: Option<FileKind>,
-    pub kind: FileKind,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub content: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub content64: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub symlink: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub parts: Option<Vec<FilePart>>,
+    #[serde(default, skip_serializing_if = "is_false")]
+    pub dir: bool,
 }
 
-#[derive(Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
+fn is_false(b: &bool) -> bool {
+    !b
+}
+
+#[derive(Default, Debug, Clone, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
 #[serde(rename_all = "lowercase")]
 pub enum FileKind {
+    #[default]
+    Skip,
     Content(String),
     Content64(String),
+    Parts(Vec<FilePart>),
     Symlink(String),
-    Dir(bool),
+    Dir,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, serde::Deserialize, serde::Serialize)]
+#[serde(rename_all = "lowercase")]
+pub enum FilePart {
+    Content(String),
+    Content64(String),
 }
 
 // ------------------------------------------------------------------------
@@ -86,11 +111,40 @@ impl Config {
 }
 
 pub fn base64_decode(s: &str) -> Result<Vec<u8>, base64::DecodeError> {
-    use base64::{Engine as _, prelude::BASE64_STANDARD_NO_PAD as B64};
+    use base64::{prelude::BASE64_STANDARD_NO_PAD as B64, Engine as _};
     B64.decode(s.trim_end_matches('='))
 }
 
 pub fn base64_encode(b: &[u8]) -> String {
-    use base64::{Engine as _, prelude::BASE64_STANDARD as B64};
+    use base64::{prelude::BASE64_STANDARD as B64, Engine as _};
     B64.encode(b)
 }
+
+impl<'t> File {
+    pub fn kind(&'t self) -> Cow<'t, FileKind> {
+        self.kind.as_ref().map(Cow::Borrowed).unwrap_or_else(|| {
+            use FileKind::*;
+            Cow::Owned(if let Some(ref s) = self.content {
+                Content(s.clone())
+            } else if let Some(ref s) = self.content64 {
+                Content64(s.clone())
+            } else if let Some(ref s) = self.symlink {
+                Symlink(s.clone())
+            } else if let Some(ref p) = self.parts {
+                Parts(p.clone())
+            } else if self.dir {
+                Dir
+            } else {
+                Skip
+            })
+        })
+    }
+
+    pub fn is_symlink(&self) -> bool {
+        if let Some(ref kind) = self.kind {
+            matches!(kind, FileKind::Symlink(_))
+        } else {
+            self.symlink.is_some()
+        }
+    }
+}