From 53f78d795921d46d2436670ac2e9f46aac301116 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 22 Nov 2024 22:10:14 +0100
Subject: [PATCH 1/5] clan-cli password-store: silence move-mount output

---
 nixosModules/clanCore/vars/secret/password-store.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/vars/secret/password-store.nix b/nixosModules/clanCore/vars/secret/password-store.nix
index ccfee34ed..873b1fb00 100644
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -24,7 +24,7 @@ let
 mount --bind --make-private /run/secrets.tmp /run/secrets.tmp
 mount --bind --make-private /run/secrets /run/secrets
 tar -xf "$src" -C /run/secrets.tmp
- move-mount --beneath --move /run/secrets.tmp /run/secrets
+ move-mount --beneath --move /run/secrets.tmp /run/secrets >/dev/null
 umount -R /run/secrets.tmp
 rmdir /run/secrets.tmp
 umount --lazy /run/secrets
From 2c839ae768fc2290c473d5788e495e6fefc22af3 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 22 Nov 2024 22:10:38 +0100
Subject: [PATCH 2/5] cli password-store: skip uploading non secret files

---
 pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 50bb3101d..14c04ad33 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -154,6 +154,8 @@ class SecretStore(SecretStoreBase):
 for f_name, file in generator["files"].items():
 if not file["deploy"]:
 continue
+ if not file["secret"]:
+ continue
 tar_file = tarfile.TarInfo(name=f"{gen_name}/{f_name}")
 content = self.get(gen_name, f_name, generator["share"])
 tar_file.size = len(content)
From 52b2b1c350634ffa9728d170f7665b1cb904e13f Mon Sep 17 00:00:00 2001
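Review bot: The `>/dev/null` on the move-mount line hides only stdout, so a failing move-mount still reports on stderr, but whether its non-zero exit stops the script before the `umount -R /run/secrets.tmp` and `umount --lazy /run/secrets` lines that follow depends on shell options set outside this hunk. If errexit is not in force there, a failed move would continue into tearing down the old /run/secrets mount with the new tree never attached. A comment on the line such as `# stdout only: move-mount's diagnostics and exit status must still surface` would record that the redirect is deliberately narrow. The script's header is outside the hunk.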
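Review bot: The new `if not file["secret"]: continue` repeats the shape of the `deploy` guard directly above it; one condition reads better, `if not (file["deploy"] and file["secret"]): continue`. A short comment stating why non-secret vars are left out of the secrets tarball would help the next reader, presumably because they are materialised by another path than this upload, but that is not visible here. The enclosing upload method starts and ends outside the hunk.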
From: lassulus
Date: Fri, 22 Nov 2024 22:11:33 +0100
Subject: [PATCH 3/5] password-store: include filenames in manifest for upload check

---
 .../clan_cli/vars/secret_modules/password_store.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 14c04ad33..936226668 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -126,7 +126,13 @@ class SecretStore(SecretStoreBase):
 
 # we sort the hashes to make sure that the order is always the same
 hashes.sort()
- return b"\n".join(hashes)
+
+ manifest = []
+ for gen_name, generator in self.machine.vars_generators.items():
+ for f_name in generator["files"]:
+ manifest.append(f"{gen_name}/{f_name}".encode())
+ manifest += hashes
+ return b"\n".join(manifest)
 
 @override
 def needs_upload(self) -> bool:
From fe4bf1c815b73eb81500c882f5baa8def2f798ed Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 22 Nov 2024 22:30:06 +0100
Subject: [PATCH 4/5] core password-store: fix secret location

---
 nixosModules/clanCore/vars/secret/password-store.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/vars/secret/password-store.nix b/nixosModules/clanCore/vars/secret/password-store.nix
index 873b1fb00..518f8dd2e 100644
--- a/nixosModules/clanCore/vars/secret/password-store.nix
+++ b/nixosModules/clanCore/vars/secret/password-store.nix
@@ -44,7 +44,7 @@ in
 
 lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store") {
 fileModule = file: {
- path = "/run/secrets/vars/${file.config.generatorName}/${file.config.name}";
+ path = "/run/secrets/${file.config.generatorName}/${file.config.name}";
 };
 secretUploadDirectory = lib.mkDefault "/etc/secrets";
 secretModule = "clan_cli.vars.secret_modules.password_store";
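Review bot: The comment just above, `# we sort the hashes to make sure that the order is always the same`, now covers only the hashes; the names the new loop prepends come in `vars_generators` iteration order, so the same set of files may serialise differently if that order ever changes and make needs_upload report a change that is not one. Building the names sorted keeps the manifest canonical: `names = sorted(f"{gen_name}/{f_name}".encode() for gen_name, generator in self.machine.vars_generators.items() for f_name in generator["files"])` followed by `return b"\n".join(names + hashes)`. It is also worth confirming whether the names should be filtered on `deploy` and `secret` the same way upload() filters, so the manifest tracks exactly the files that will be written; as written it lists every file of every generator. The enclosing method starts outside the hunk.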
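Review bot: The new path `/run/secrets/${file.config.generatorName}/${file.config.name}` is only correct while it mirrors the `f"{gen_name}/{f_name}"` entry names that SecretStore.upload writes into the tarball and that the install script extracts under /run/secrets, and nothing in either file ties the two together. A comment on the line, `# must match the <generator>/<file> layout of the tarball written by clan_cli.vars.secret_modules.password_store`, would make that coupling visible to whoever next changes either side.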
From 22c5e8ca8b1e1d6257cc9efc5d0bde7c8400ac30 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 22 Nov 2024 22:30:36 +0100
Subject: [PATCH 5/5] cli password-store: upload generators folder only if it has secrets

---
 .../clan_cli/vars/secret_modules/password_store.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 936226668..4af78b6ad 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -153,15 +153,18 @@ class SecretStore(SecretStoreBase):
 def upload(self, output_dir: Path) -> None:
 with tarfile.open(output_dir / "secrets.tar.gz", "w:gz") as tar:
 for gen_name, generator in self.machine.vars_generators.items():
- tar_dir = tarfile.TarInfo(name=gen_name)
- tar_dir.type = tarfile.DIRTYPE
- tar_dir.mode = 0o511
- tar.addfile(tarinfo=tar_dir)
+ dir_exists = False
 for f_name, file in generator["files"].items():
 if not file["deploy"]:
 continue
 if not file["secret"]:
 continue
+ if not dir_exists:
+ tar_dir = tarfile.TarInfo(name=gen_name)
+ tar_dir.type = tarfile.DIRTYPE
+ tar_dir.mode = 0o511
+ tar.addfile(tarinfo=tar_dir)
+ dir_exists = True
 tar_file = tarfile.TarInfo(name=f"{gen_name}/{f_name}")
 content = self.get(gen_name, f_name, generator["share"])
 tar_file.size = len(content)
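Review bot: `dir_exists` is misnamed: nothing checks whether a directory exists, the flag only records that the directory entry has already been written to the archive, and it adds a nested `if` to every file iteration. Selecting the generator's deployable secrets first makes the decision explicit, removes the flag and keeps the directory-entry creation in one place; the rewrite below writes the same entries in the same order with the same `0o511` mode. The per-file handling after `tar_file.size` and the rest of upload() continue outside the hunk and are unchanged.
```python
        for gen_name, generator in self.machine.vars_generators.items():
            # only deployed secrets go into the archive; a generator without any
            # does not get a directory entry either
            secret_files = [
                (f_name, file)
                for f_name, file in generator["files"].items()
                if file["deploy"] and file["secret"]
            ]
            if not secret_files:
                continue
            tar_dir = tarfile.TarInfo(name=gen_name)
            tar_dir.type = tarfile.DIRTYPE
            tar_dir.mode = 0o511
            tar.addfile(tarinfo=tar_dir)
            for f_name, file in secret_files:
                tar_file = tarfile.TarInfo(name=f"{gen_name}/{f_name}")
                # … unchanged: content lookup, size and addfile …
```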