Merge pull request 'pass-fixes' (#2476) from lassulus/clan-core:pass-fixes into main

2024-11-22 21:42:34 +00:00
parent 3651fefc54 19dce7694f
commit 0261d59053
2 changed files with 18 additions and 7 deletions
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -24,7 +24,7 @@ let
        mount --bind --make-private /run/secrets.tmp /run/secrets.tmp
        mount --bind --make-private /run/secrets /run/secrets
        tar -xf "$src" -C /run/secrets.tmp
-        move-mount --beneath --move /run/secrets.tmp /run/secrets
+        move-mount --beneath --move /run/secrets.tmp /run/secrets >/dev/null
        umount -R /run/secrets.tmp
        rmdir /run/secrets.tmp
        umount --lazy /run/secrets
@@ -44,7 +44,7 @@ in
      lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store")
        {
          fileModule = file: {
-            path = "/run/secrets/vars/${file.config.generatorName}/${file.config.name}";
+            path = "/run/secrets/${file.config.generatorName}/${file.config.name}";
          };
          secretUploadDirectory = lib.mkDefault "/etc/secrets";
          secretModule = "clan_cli.vars.secret_modules.password_store";
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -126,7 +126,13 @@ class SecretStore(SecretStoreBase):

        # we sort the hashes to make sure that the order is always the same
        hashes.sort()
-        return b"\n".join(hashes)
+
+        manifest = []
+        for gen_name, generator in self.machine.vars_generators.items():
+            for f_name in generator["files"]:
+                manifest.append(f"{gen_name}/{f_name}".encode())
+        manifest += hashes
+        return b"\n".join(manifest)

    @override
    def needs_upload(self) -> bool:
@@ -147,13 +153,18 @@ class SecretStore(SecretStoreBase):
    def upload(self, output_dir: Path) -> None:
        with tarfile.open(output_dir / "secrets.tar.gz", "w:gz") as tar:
            for gen_name, generator in self.machine.vars_generators.items():
-                tar_dir = tarfile.TarInfo(name=gen_name)
-                tar_dir.type = tarfile.DIRTYPE
-                tar_dir.mode = 0o511
-                tar.addfile(tarinfo=tar_dir)
+                dir_exists = False
                for f_name, file in generator["files"].items():
                    if not file["deploy"]:
                        continue
+                    if not file["secret"]:
+                        continue
+                    if not dir_exists:
+                        tar_dir = tarfile.TarInfo(name=gen_name)
+                        tar_dir.type = tarfile.DIRTYPE
+                        tar_dir.mode = 0o511
+                        tar.addfile(tarinfo=tar_dir)
+                        dir_exists = True
                    tar_file = tarfile.TarInfo(name=f"{gen_name}/{f_name}")
                    content = self.get(gen_name, f_name, generator["share"])
                    tar_file.size = len(content)