yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Make store-backend configurable

Browse Source
This commit is contained in:
Pablo Ovelleiro Corral
2025-02-18 06:03:31 +01:00
parent faee6c2a79
commit 27a3126d68
2 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
nixosModules/clanCore/vars/settings-opts.nix
View File

@@ -14,6 +14,17 @@
''; '';
}; };
passBackend = lib.mkOption {
type = lib.types.enum [
"passage"
"pass"
];
default = "pass";
description = ''
password-store backend to use. Valid options are `pass` and `passage`
'';
};
secretModule = lib.mkOption { secretModule = lib.mkOption {
type = lib.types.str; type = lib.types.str;
internal = true; internal = true;

22
pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
View File

@@ -1,4 +1,5 @@
import io import io
import json
import logging import logging
import os import os
import tarfile import tarfile
@@ -29,8 +30,17 @@ class SecretStore(StoreBase):
def store_name(self) -> str: def store_name(self) -> str:
return "password_store" return "password_store"
@property
def _store_backend(self) -> str:
backend = json.loads(
self.machine.eval_nix("config.clan.core.vars.settings.passBackend")
)
return backend
@property @property
def _password_store_dir(self) -> str: def _password_store_dir(self) -> str:
if self._store_backend == "passage":
return os.environ.get("PASSAGE_DIR", f"{os.environ['HOME']}/.passage/store")
return os.environ.get( return os.environ.get(
"PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store" "PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
) )
@@ -46,9 +56,9 @@ class SecretStore(StoreBase):
) -> Path | None: ) -> Path | None:
run( run(
nix_shell( nix_shell(
["nixpkgs#pass"], [f"nixpkgs#{self._store_backend}"],
[ [
"pass", f"{self._store_backend}",
"insert", "insert",
"-m", "-m",
str(self.entry_dir(generator, var.name)), str(self.entry_dir(generator, var.name)),
@@ -61,9 +71,9 @@ class SecretStore(StoreBase):
def get(self, generator: Generator, name: str) -> bytes: def get(self, generator: Generator, name: str) -> bytes:
return run( return run(
nix_shell( nix_shell(
["nixpkgs#pass"], [f"nixpkgs#{self._store_backend}"],
[ [
"pass", f"{self._store_backend}",
"show", "show",
str(self.entry_dir(generator, name)), str(self.entry_dir(generator, name)),
], ],
@@ -141,7 +151,7 @@ class SecretStore(StoreBase):
# TODO get the path to the secrets from the machine # TODO get the path to the secrets from the machine
[ [
"cat", "cat",
f"{self.machine.deployment['password-store']['secretLocation']}/.pass_info", f"{self.machine.deployment['password-store']['secretLocation']}/.{self._store_backend}_info",
], ],
RunOpts(log=Log.STDERR, check=False), RunOpts(log=Log.STDERR, check=False),
).stdout.strip() ).stdout.strip()
@@ -211,7 +221,7 @@ class SecretStore(StoreBase):
out_file.parent.mkdir(parents=True, exist_ok=True) out_file.parent.mkdir(parents=True, exist_ok=True)
out_file.write_bytes(self.get(generator, file.name)) out_file.write_bytes(self.get(generator, file.name))
(output_dir / ".pass_info").write_bytes(self.generate_hash()) (output_dir / f".{self._store_backend}_info").write_bytes(self.generate_hash())
def upload(self, phases: list[str]) -> None: def upload(self, phases: list[str]) -> None:
if "partitioning" in phases: if "partitioning" in phases: