From 27a3126d6836bc0d46c46a0353443d27cec5430b Mon Sep 17 00:00:00 2001
From: Pablo Ovelleiro Corral
Date: Tue, 18 Feb 2025 06:03:31 +0100
Subject: [PATCH] Make store-backend configurable

---
 nixosModules/clanCore/vars/settings-opts.nix  | 11 ++++++++++
 .../vars/secret_modules/password_store.py     | 22 ++++++++++++++-----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/nixosModules/clanCore/vars/settings-opts.nix b/nixosModules/clanCore/vars/settings-opts.nix
index dbd6b48df..49e65a7aa 100644
--- a/nixosModules/clanCore/vars/settings-opts.nix
+++ b/nixosModules/clanCore/vars/settings-opts.nix
@@ -14,6 +14,17 @@
       '';
     };
 
+    passBackend = lib.mkOption {
+      type = lib.types.enum [
+        "passage"
+        "pass"
+      ];
+      default = "pass";
+      description = ''
+        password-store backend to use. Valid options are `pass` and `passage`
+      '';
+    };
+
     secretModule = lib.mkOption {
       type = lib.types.str;
       internal = true;
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index 9d111fb4b..31ee8d789 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -1,4 +1,5 @@
 import io
+import json
 import logging
 import os
 import tarfile
@@ -29,8 +30,17 @@ class SecretStore(StoreBase):
     def store_name(self) -> str:
         return "password_store"
 
+    @property
+    def _store_backend(self) -> str:
+        backend = json.loads(
+            self.machine.eval_nix("config.clan.core.vars.settings.passBackend")
+        )
+        return backend
+
     @property
     def _password_store_dir(self) -> str:
+        if self._store_backend == "passage":
+            return os.environ.get("PASSAGE_DIR", f"{os.environ['HOME']}/.passage/store")
         return os.environ.get(
             "PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
         )
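Review bot: The `passBackend` description repeats what the enum type already enforces but does not say what actually changes when the backend is switched; the CLI side reads `PASSAGE_DIR` (default `~/.passage/store`) for `passage` and `PASSWORD_STORE_DIR` (default `~/.password-store`) for `pass`, and the remote marker file becomes `.passage_info` instead of `.pass_info`. Naming the store location each backend uses, e.g. `password-store backend to use. pass reads PASSWORD_STORE_DIR (default ~/.password-store); passage reads PASSAGE_DIR (default ~/.passage/store).`, lets users point at the right store without reading the CLI source.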
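Review bot: `_store_backend` runs a Nix evaluation on every access, and the new code reads it several times per operation — in `_password_store_dir`, twice per `nix_shell` call in the `@@ -46` and `@@ -61` hunks, and in the `.{backend}_info` paths at `@@ -141` and `@@ -211` — so a single store or fetch now triggers several `eval_nix` round-trips. Caching the result, e.g. `@functools.cached_property` (with the matching import added to the first hunk) or evaluating once into an instance attribute, removes the repeated cost without changing callers. The decoded value is also used verbatim as a command name and as the `nixpkgs#…` flake attribute; the Nix option is an enum, but a Python-side guard such as `if backend not in ("pass", "passage"): raise ValueError(f"unsupported passBackend: {backend!r}")` fails fast with a clear message if the evaluated config ever disagrees with what this module supports, and it also backs the `-> str` annotation that `json.loads` does not guarantee. `_password_store_dir` is fully inside the hunk; the class continues outside it.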
@@ -46,9 +56,9 @@ class SecretStore(StoreBase):
     ) -> Path | None:
         run(
             nix_shell(
-                ["nixpkgs#pass"],
+                [f"nixpkgs#{self._store_backend}"],
                 [
-                    "pass",
+                    f"{self._store_backend}",
                     "insert",
                     "-m",
                     str(self.entry_dir(generator, var.name)),
@@ -61,9 +71,9 @@ class SecretStore(StoreBase):
     def get(self, generator: Generator, name: str) -> bytes:
         return run(
             nix_shell(
-                ["nixpkgs#pass"],
+                [f"nixpkgs#{self._store_backend}"],
                 [
-                    "pass",
+                    f"{self._store_backend}",
                     "show",
                     str(self.entry_dir(generator, name)),
                 ],
@@ -141,7 +151,7 @@ class SecretStore(StoreBase):
                 # TODO get the path to the secrets from the machine
                 [
                     "cat",
-                    f"{self.machine.deployment['password-store']['secretLocation']}/.pass_info",
+                    f"{self.machine.deployment['password-store']['secretLocation']}/.{self._store_backend}_info",
                 ],
                 RunOpts(log=Log.STDERR, check=False),
             ).stdout.strip()
@@ -211,7 +221,7 @@ class SecretStore(StoreBase):
             out_file.parent.mkdir(parents=True, exist_ok=True)
             out_file.write_bytes(self.get(generator, file.name))
 
-        (output_dir / ".pass_info").write_bytes(self.generate_hash())
+        (output_dir / f".{self._store_backend}_info").write_bytes(self.generate_hash())
 
     def upload(self, phases: list[str]) -> None:
         if "partitioning" in phases:
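Review bot: `f"{self._store_backend}"` as the command name is an f-string wrapping a single `str` property with no formatting, both here and in the `@@ -61` hunk; plain `self._store_backend,` is the same value and reads as what it is. Each `nix_shell` call also reads the property twice (once for the flake reference, once for the command), so binding it once before `run(`, `backend = self._store_backend`, and using `[f"nixpkgs#{backend}"]` / `backend` keeps the package and the executable in step even if the underlying evaluation were to change between the two reads. The enclosing method's signature begins before this hunk and its body continues past it.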