From f3e32ce827c9079b02a84e68375da2187c9c7260 Mon Sep 17 00:00:00 2001
From: vdbe
Date: Thu, 1 May 2025 00:29:01 +0200
Subject: [PATCH 1/2] clanCore/vars/sops: only copy required secrets to store

Create a store path per in repo secret/var to be copied, this prevents unused secrets from being leaked.

For example the `root-password` generator contains both the hashed and unhashed password but only the hash is used.
---
 nixosModules/clanCore/vars/interface.nix | 23 +++++++++++++++++++
 nixosModules/clanCore/vars/public/in_repo.nix | 6 ++---
 pkgs/clan-cli/clan_cli/tests/test_vars.py | 2 +-
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index 0c33045e2..03fbc8555 100644
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -241,12 +241,35 @@ in
 type = bool;
 default = true;
 };
+ flakePath = lib.mkOption {
+ description = ''
+ The path to the file containing the content of the generated value.
+ This will be set automatically
+ '';
+ type = nullOr str;
+ default = null;
+ };
 path = lib.mkOption {
 description = ''
 The path to the file containing the content of the generated value.
 This will be set automatically
 '';
 type = str;
+ defaultText = ''
+ (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
+ { }
+ ''\''
+ cp $${file.config.inRepoPath} $out
+ ''\''
+ ).outPath;
+ '';
+ default =
+ (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
+ { }
+ ''
+ cp ${file.config.flakePath} $out
+ ''
+ ).outPath;
 };
 neededFor = lib.mkOption {
 description = ''
diff --git a/nixosModules/clanCore/vars/public/in_repo.nix b/nixosModules/clanCore/vars/public/in_repo.nix
index 5551d515c..676d67f56 100644
--- a/nixosModules/clanCore/vars/public/in_repo.nix
+++ b/nixosModules/clanCore/vars/public/in_repo.nix
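Review bot: The `defaultText` added under `path` quotes `cp $${file.config.inRepoPath} $out` while the actual `default` runs `cp ${file.config.flakePath} $out`, so the rendered option documentation will send readers to an `inRepoPath` option that this series never declares; the quoted line should read `cp $${file.config.flakePath} $out`. The interface.nix hunk of the second commit repeats the mismatch in its rewritten defaultText (`path = file.config.inRepoPath;`). The new `flakePath` description is a verbatim copy of the one on `path`, so the two options read as interchangeable although, after this change, `flakePath` is the location inside the repository and `path` defaults to a per-file store copy of it; suggest describing `flakePath` as "The path of the file inside the repository/flake; the store copy is exposed via path. Set automatically by the store module." and adding to `path` that its default copies `flakePath` into the Nix store. The enclosing option set continues outside the hunk.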
@@ -11,7 +11,7 @@ in
 config.clan.core.vars.settings = mkIf (config.clan.core.vars.settings.publicStore == "in_repo") {
 publicModule = "clan_cli.vars.public_modules.in_repo";
 fileModule = file: {
- path = mkIf (file.config.secret == false) (
+ flakePath = mkIf (file.config.secret == false) (
 if file.config.share then
 (
 config.clan.core.settings.directory
@@ -25,9 +25,9 @@ in
 );
 value = mkIf (file.config.secret == false) (
 # dynamically adjust priority to allow overriding with mkDefault in case the file is not found
- if (pathExists file.config.path) then
+ if (pathExists file.config.flakePath) then
 # if the file is found it should have normal priority
- readFile file.config.path
+ readFile file.config.flakePath
 else
 # if the file is not found, we want to downgrade the priority, to allow overriding via mkDefault
 mkOptionDefault (
diff --git a/pkgs/clan-cli/clan_cli/tests/test_vars.py b/pkgs/clan-cli/clan_cli/tests/test_vars.py
index 503984d3c..a58354473 100644
--- a/pkgs/clan-cli/clan_cli/tests/test_vars.py
+++ b/pkgs/clan-cli/clan_cli/tests/test_vars.py
@@ -970,7 +970,7 @@ def test_dynamic_invalidation(
 custom_nix.write_text(
 """
 { config, ... }: let
- p = config.clan.core.vars.generators.my_generator.files.my_value.path;
+ p = config.clan.core.vars.generators.my_generator.files.my_value.flakePath;
 in {
 clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
 }

From 26f336cf69a756a504acf2a553a2a751e44ad1b9 Mon Sep 17 00:00:00 2001
From: vdbe
Date: Thu, 1 May 2025 15:49:36 +0200
Subject: [PATCH 2/2] clanCore/vars/sops: add sops & switch to builtins.path

---
 nixosModules/clanCore/vars/interface.nix | 21 +++++++------------
 .../clanCore/vars/secret/sops/default.nix | 5 ++++-
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/nixosModules/clanCore/vars/interface.nix b/nixosModules/clanCore/vars/interface.nix
index 03fbc8555..018295a8e 100644
--- a/nixosModules/clanCore/vars/interface.nix
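Review bot: Nothing in the in_repo.nix hunk records that the `file.config.secret == false` guard on `flakePath` is what keeps secret files away from the new store-copy default of `path` in interface.nix, so a later relaxation of that guard would let `path` quietly default to a Nix-store copy of whatever `flakePath` points at; add `# only public files get a flakePath: interface.nix derives the default for path by copying it into the Nix store` above `flakePath = mkIf (file.config.secret == false) (`. The `share` branch and the `value` expression both continue outside the hunk.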
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -256,20 +256,15 @@ in
 '';
 type = str;
 defaultText = ''
- (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
- { }
- ''\''
- cp $${file.config.inRepoPath} $out
- ''\''
- ).outPath;
+ builtins.path {
+ name = "$${generator.config._module.args.name}_$${file.config._module.args.name}";
+ path = file.config.inRepoPath;
+ }
 '';
- default =
- (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
- { }
- ''
- cp ${file.config.flakePath} $out
- ''
- ).outPath;
+ default = builtins.path {
+ name = "${generator.config._module.args.name}_${file.config._module.args.name}";
+ path = file.config.flakePath;
+ };
 };
 neededFor = lib.mkOption {
 description = ''
diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix
index 51604e96d..79fd32531 100644
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -49,7 +49,10 @@ in
 mode
 neededForUsers
 ;
- sopsFile = secretPath secret;
+ sopsFile = builtins.path {
+ name = "${secret.generator}_${secret.name}";
+ path = secretPath secret;
+ };
 format = "binary";
 };
 }) (builtins.filter (x: builtins.pathExists (secretPath x)) vars)
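Review bot: `default = builtins.path { ...; path = file.config.flakePath; }` fails with a bare type error when `flakePath` is still `null`, which is the situation for any file whose store module did not set `path` explicitly; since that null is what stops a file without a repository location from being copied into the store, failing is the right outcome but deserves a readable message, e.g. `default = lib.throwIfNot (file.config.flakePath != null) "vars: ${generator.config._module.args.name}/${file.config._module.args.name} has no flakePath and its store module set no path" (builtins.path { name = "${generator.config._module.args.name}_${file.config._module.args.name}"; path = file.config.flakePath; });`. The `name` attribute also becomes part of a store path and is therefore limited to the characters Nix accepts in store names; if generator or file names can contain others, evaluation will fail here with an unrelated-looking error, which is worth confirming. The `path` option declaration and the enclosing option set continue outside the hunk.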
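Review bot: The new `builtins.path` call under `sopsFile` has no comment saying why the encrypted file is copied individually, which is the point of the series (only the referenced secret file enters the store closure rather than the whole vars directory); add `# copy only this secret's encrypted file into the store so unrelated secrets in the vars directory never enter the closure` above `sopsFile = builtins.path {`. The `builtins.filter (x: builtins.pathExists (secretPath x)) vars` at the end of the hunk is what keeps `builtins.path` from failing on a missing file, so that dependency is worth a word in the same comment. As in the interface.nix hunk, `"${secret.generator}_${secret.name}"` becomes a store path name and is limited to the characters Nix allows there. The function applied to the filtered `vars` list begins outside the hunk.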