secrets: use CLAN_DIR instead of clanCore.clanDir for fact storage

2023-09-14 15:22:13 +02:00
parent 6b7301cefb
commit 0132abc547
6 changed files with 32 additions and 56 deletions
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -59,10 +59,10 @@
                  description = ''
                    path to a fact which is generated by the generator
                  '';
-                  default = "${config.clanCore.clanDir}/machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
+                  default = "machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
                };
                value = lib.mkOption {
-                  default = builtins.readFile fact.config.path;
+                  default = builtins.readFile "${config.clanCore.clanDir}/fact.config.path";
                };
              };
            }));
--- a/nixosModules/clanCore/secrets/password-store.nix
+++ b/nixosModules/clanCore/secrets/password-store.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 let
-  passwordstoreDir = "$HOME/.password-store";
+  passwordstoreDir = "\${PASSWORD_STORE_DIR:-$HOME/.password-store}";
 in
 {
  options.clan.password-store.targetDirectory = lib.mkOption {
@@ -14,8 +14,8 @@ in
    system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
      #!/bin/sh
      set -efu
-      set -x # remove for prod

+      test -d "$CLAN_DIR"
      PATH=${lib.makeBinPath [
        pkgs.pass
      ]}:$PATH
@@ -36,7 +36,7 @@ in

          ${lib.concatMapStrings (fact: ''
            mkdir -p "$(dirname ${fact.path})"
-            cp "$facts"/${fact.name} ${fact.path}
+            cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
          '') (lib.attrValues v.facts)}

          ${lib.concatMapStrings (secret: ''
@@ -48,7 +48,6 @@ in
    system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
      #!/bin/sh
      set -efu
-      set -x # remove for prod

      target=$1

--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -25,7 +25,8 @@ in
    system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
      #!/bin/sh
      set -efu
-      set -x # remove for prod
+
+      test -d "$CLAN_DIR"

      PATH=$PATH:${lib.makeBinPath [
        config.clanCore.clanPkgs.clan-cli
@@ -55,7 +56,7 @@ in

          ${lib.concatMapStrings (fact: ''
            mkdir -p "$(dirname ${fact.path})"
-            cp "$facts"/${fact.name} ${fact.path}
+            cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
          '') (lib.attrValues v.facts)}

          ${lib.concatMapStrings (secret: ''