Merge pull request 'clanCore/vars/sops: only copy required secrets to store' (#3457) from vdbe/clan-core:clanCore/vars/sops/only-copy-used into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3457
2025-05-04 06:41:37 +00:00
parent e8c85e3237 d445a353d5
commit 20ab5a67c1
4 changed files with 26 additions and 5 deletions
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -241,12 +241,30 @@ in
                      type = bool;
                      default = true;
                    };
+                    flakePath = lib.mkOption {
+                      description = ''
+                        The path to the file containing the content of the generated value.
+                        This will be set automatically
+                      '';
+                      type = nullOr str;
+                      default = null;
+                    };
                    path = lib.mkOption {
                      description = ''
                        The path to the file containing the content of the generated value.
                        This will be set automatically
                      '';
                      type = str;
+                      defaultText = ''
+                        builtins.path {
+                          name = "$${generator.config._module.args.name}_$${file.config._module.args.name}";
+                          path = file.config.inRepoPath;
+                        }
+                      '';
+                      default = builtins.path {
+                        name = "${generator.config._module.args.name}_${file.config._module.args.name}";
+                        path = file.config.flakePath;
+                      };
                    };
                    neededFor = lib.mkOption {
                      description = ''
--- a/nixosModules/clanCore/vars/public/in_repo.nix
+++ b/nixosModules/clanCore/vars/public/in_repo.nix
@@ -11,7 +11,7 @@ in
  config.clan.core.vars.settings = mkIf (config.clan.core.vars.settings.publicStore == "in_repo") {
    publicModule = "clan_cli.vars.public_modules.in_repo";
    fileModule = file: {
-      path = mkIf (file.config.secret == false) (
+      flakePath = mkIf (file.config.secret == false) (
        if file.config.share then
          (
            config.clan.core.settings.directory
@@ -25,9 +25,9 @@ in
      );
      value = mkIf (file.config.secret == false) (
        # dynamically adjust priority to allow overriding with mkDefault in case the file is not found
-        if (pathExists file.config.path) then
+        if (pathExists file.config.flakePath) then
          # if the file is found it should have normal priority
-          readFile file.config.path
+          readFile file.config.flakePath
        else
          # if the file is not found, we want to downgrade the priority, to allow overriding via mkDefault
          mkOptionDefault (
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -49,7 +49,10 @@ in
            mode
            neededForUsers
            ;
-          sopsFile = secretPath secret;
+          sopsFile = builtins.path {
+            name = "${secret.generator}_${secret.name}";
+            path = secretPath secret;
+          };
          format = "binary";
        };
      }) (builtins.filter (x: builtins.pathExists (secretPath x)) vars)
--- a/pkgs/clan-cli/clan_cli/tests/test_vars.py
+++ b/pkgs/clan-cli/clan_cli/tests/test_vars.py
@@ -970,7 +970,7 @@ def test_dynamic_invalidation(
    custom_nix.write_text(
        """
        { config, ... }: let
-            p = config.clan.core.vars.generators.my_generator.files.my_value.path;
+            p = config.clan.core.vars.generators.my_generator.files.my_value.flakePath;
        in {
            clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
        }