Reapply + Fix "vars: fix - upload machines own secrets only"

This reverts commit 0cd29daf88.
2024-08-23 14:44:55 +02:00
parent 23a9e35c66
commit 1a27bfa8a8
4 changed files with 40 additions and 28 deletions
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -10,17 +10,12 @@ let

  inherit (import ./funcs.nix { inherit lib; }) listVars;

-  varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine";
+  inherit (config.clan.core) machineName;
+
+  varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine/${machineName}";
  varsDirShared = config.clan.core.clanDir + "/sops/vars/shared";

-  varsUnfiltered = (listVars varsDirMachines) ++ (listVars varsDirShared);
-  filterVars =
-    vars:
-    builtins.elem vars.machine [
-      config.clan.core.machineName
-      "shared"
-    ];
-  vars = lib.filter filterVars varsUnfiltered;
+  vars = (listVars varsDirMachines) ++ (listVars varsDirShared);

 in
 {
@@ -28,7 +23,7 @@ in
    # Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
    fileModule = file: {
      path = lib.mkIf file.config.secret (
-        config.sops.secrets.${"${config.clan.core.machineName}/${file.config.generatorName}/${file.config.name}"}.path
+        config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
          or "/no-such-path"
      );
    };
@@ -39,7 +34,7 @@ in
  config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {
    secrets = lib.listToAttrs (
      flip map vars (secret: {
-        name = secret.id;
+        name = "vars/${secret.generator}/${secret.name}";
        value = {
          sopsFile = secret.sopsFile;
          format = "binary";
@@ -51,7 +46,7 @@ in
      lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" ""))
    );
    age.keyFile = lib.mkIf (builtins.pathExists (
-      config.clan.core.clanDir + "/sops/secrets/${config.clan.core.machineName}-age.key/secret"
+      config.clan.core.clanDir + "/sops/secrets/${machineName}-age.key/secret"
    )) (lib.mkDefault "/var/lib/sops-nix/key.txt");
  };
 }
--- a/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
@@ -21,12 +21,12 @@ in
  };

  test_listSecrets = {
-    expr = listVars ./populated/vars;
+    expr = listVars ./populated/vars/my_machine;
    expected = [
      {
-        machine = "my_machine";
        generator = "my_generator";
        name = "my_secret";
+        sopsFile = "${./populated/vars/my_machine}/my_generator/my_secret/secret";
      }
    ];
  };
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
@@ -14,17 +14,12 @@ rec {

  listVars =
    varsDir:
-    flip concatMap (readDirNames varsDir) (
-      machine_name:
-      flip concatMap (readDirNames (varsDir + "/${machine_name}")) (
-        generator_name:
-        flip map (readDirNames (varsDir + "/${machine_name}/${generator_name}")) (secret_name: {
-          machine = machine_name;
-          generator = generator_name;
-          name = secret_name;
-          id = "${machine_name}/${generator_name}/${secret_name}";
-          sopsFile = "${varsDir}/${machine_name}/${generator_name}/${secret_name}/secret";
-        })
-      )
+    flip concatMap (readDirNames (varsDir)) (
+      generator_name:
+      flip map (readDirNames (varsDir + "/${generator_name}")) (secret_name: {
+        generator = generator_name;
+        name = secret_name;
+        sopsFile = "${varsDir}/${generator_name}/${secret_name}/secret";
+      })
    );
 }