From f0a3eaca96cb22c45361ff25f546dfb996dd8789 Mon Sep 17 00:00:00 2001
From: DavHau
Date: Fri, 23 Aug 2024 14:44:55 +0200
Subject: [PATCH] Reapply + Fix "vars: fix - upload machines own secrets only"

This reverts commit cb860f9a036428ac0715345115501117228f7421.
---
 .../clanCore/vars/secret/sops/default.nix | 19 +++++---------
 .../vars/secret/sops/eval-tests/default.nix | 4 +--
 .../clanCore/vars/secret/sops/funcs.nix | 19 +++++---------
 pkgs/clan-cli/tests/test_vars_deployment.py | 26 +++++++++++++++++--
 4 files changed, 40 insertions(+), 28 deletions(-)

diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix
index 43c0983d1..c5ca2d8fa 100644
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -10,17 +10,12 @@ let
 inherit (import ./funcs.nix { inherit lib; }) listVars;
- varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine";
+ inherit (config.clan.core) machineName;
+
+ varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine/${machineName}";
 varsDirShared = config.clan.core.clanDir + "/sops/vars/shared";
- varsUnfiltered = (listVars varsDirMachines) ++ (listVars varsDirShared);
- filterVars =
- vars:
- builtins.elem vars.machine [
- config.clan.core.machineName
- "shared"
- ];
- vars = lib.filter filterVars varsUnfiltered;
+ vars = (listVars varsDirMachines) ++ (listVars varsDirShared);
 in
 {
@@ -28,7 +23,7 @@ in
 # Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
 fileModule = file: {
 path = lib.mkIf file.config.secret (
- config.sops.secrets.${"${config.clan.core.machineName}/${file.config.generatorName}/${file.config.name}"}.path
+ config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
 or "/no-such-path"
 );
 };
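Review bot: The security intent behind the new `varsDirMachines` binding — reading only `per-machine/${machineName}` so that no other machine's secrets can end up in this machine's sops config — is stated only in the commit subject, so the let block should carry it, e.g. `# Read only this machine's own directory plus the shared one; other machines' secrets must never be listed here.` If `readDirNames` (defined outside this patch) does not tolerate a missing directory, a machine that has not generated any secret yet now evaluates a non-existent `per-machine/<name>` path where the old code only read `per-machine`; worth confirming against a freshly added machine.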
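Review bot: The secret key `"vars/${file.config.generatorName}/${file.config.name}"` built in `fileModule` must stay byte-identical to the `name = "vars/${secret.generator}/${secret.name}"` written into `config.sops.secrets` in the next hunk, and nothing ties the two literals together; a mismatch does not fail evaluation but silently yields the `"/no-such-path"` fallback. A single helper in the let block, `secretName = generator: name: "vars/${generator}/${name}";`, used at both sites, keeps them in sync and makes the fallback reachable only when the secret genuinely has not been generated yet.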
@@ -39,7 +34,7 @@ in
 config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {
 secrets = lib.listToAttrs (
 flip map vars (secret: {
- name = secret.id;
+ name = "vars/${secret.generator}/${secret.name}";
 value = {
 sopsFile = secret.sopsFile;
 format = "binary";
@@ -51,7 +46,7 @@ in
 lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" ""))
 );
 age.keyFile = lib.mkIf (builtins.pathExists (
- config.clan.core.clanDir + "/sops/secrets/${config.clan.core.machineName}-age.key/secret"
+ config.clan.core.clanDir + "/sops/secrets/${machineName}-age.key/secret"
 )) (lib.mkDefault "/var/lib/sops-nix/key.txt");
 };
 }
diff --git a/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix b/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
index d775350a0..7d25f3ce4 100644
--- a/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
@@ -21,12 +21,12 @@ in
 };
 test_listSecrets = {
- expr = listVars ./populated/vars;
+ expr = listVars ./populated/vars/my_machine;
 expected = [
 {
- machine = "my_machine";
 generator = "my_generator";
 name = "my_secret";
+ sopsFile = "${./populated/vars/my_machine}/my_generator/my_secret/secret";
 }
 ];
 };
diff --git a/nixosModules/clanCore/vars/secret/sops/funcs.nix b/nixosModules/clanCore/vars/secret/sops/funcs.nix
index 4b6dded74..68153e4a8 100644
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
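Review bot: Dropping the machine name from the secret key means per-machine and shared vars now share one `vars/<generator>/<name>` namespace, and `lib.listToAttrs` resolves a duplicate name by keeping one entry without raising an error, so a generator present under both `per-machine/<machine>` and `shared` would be silently shadowed and only one of the two `sopsFile`s deployed under that name. If that layout cannot occur, a comment next to `name =` saying so would help; otherwise an explicit uniqueness check over the generated names, e.g. `assert lib.length names == lib.length (lib.unique names);` in the let block, turns the shadowing into an evaluation error. The `age.keyFile` hunk is a pure rename to the inherited `machineName` and needs nothing.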
@@ -14,17 +14,12 @@ rec {
 listVars =
 varsDir:
- flip concatMap (readDirNames varsDir) (
- machine_name:
- flip concatMap (readDirNames (varsDir + "/${machine_name}")) (
- generator_name:
- flip map (readDirNames (varsDir + "/${machine_name}/${generator_name}")) (secret_name: {
- machine = machine_name;
- generator = generator_name;
- name = secret_name;
- id = "${machine_name}/${generator_name}/${secret_name}";
- sopsFile = "${varsDir}/${machine_name}/${generator_name}/${secret_name}/secret";
- })
- )
+ flip concatMap (readDirNames (varsDir)) (
+ generator_name:
+ flip map (readDirNames (varsDir + "/${generator_name}")) (secret_name: {
+ generator = generator_name;
+ name = secret_name;
+ sopsFile = "${varsDir}/${generator_name}/${secret_name}/secret";
+ })
 );
 }
diff --git a/pkgs/clan-cli/tests/test_vars_deployment.py b/pkgs/clan-cli/tests/test_vars_deployment.py
index f59c2cf1b..c69a65b79 100644
--- a/pkgs/clan-cli/tests/test_vars_deployment.py
+++ b/pkgs/clan-cli/tests/test_vars_deployment.py
@@ -1,3 +1,4 @@
+import json
 from pathlib import Path
 import pytest
@@ -8,6 +9,8 @@ from helpers.nixos_config import nested_dict
 from helpers.vms import qga_connect, run_vm_in_thread, wait_vm_down
 from root import CLAN_CORE
+from clan_cli.nix import nix_eval, run
+
 @pytest.mark.impure
 def test_vm_deployment(
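Review bot: The rewritten `listVars` has no comment stating the directory layout it now expects, and since this patch changes that layout from `<varsDir>/<machine>/<generator>/<name>` to `<varsDir>/<generator>/<name>`, a reader of funcs.nix alone cannot tell which one is current or that the caller is responsible for choosing the per-machine or shared root. A header such as `# List the vars below varsDir, laid out as <generator>/<name>/secret; the caller passes either the per-machine or the shared root.` would settle that. Minor style: `readDirNames (varsDir)` carries redundant parentheses and reads more naturally as `readDirNames varsDir`, matching the removed line. The enclosing `rec { ... }` attrset starts before this hunk.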
@@ -32,10 +35,29 @@ def test_vm_deployment(
 monkeypatch.chdir(flake.path)
 sops_setup.init()
 cli.run(["vars", "generate", "my_machine"])
+ # check sops secrets not empty
+ sops_secrets = json.loads(
+ run(
+ nix_eval(
+ [
+ f"{flake.path}#nixosConfigurations.my_machine.config.sops.secrets",
+ ]
+ )
+ ).stdout.strip()
+ )
+ assert sops_secrets != dict()
+ my_secret_path = run(
+ nix_eval(
+ [
+ f"{flake.path}#nixosConfigurations.my_machine.config.clan.core.vars.generators.my_generator.files.my_secret.path",
+ ]
+ )
+ ).stdout.strip()
+ assert "no-such-path" not in my_secret_path
 run_vm_in_thread("my_machine")
 qga = qga_connect("my_machine")
- qga.run("ls /run/secrets/my_machine/my_generator/my_secret", check=True)
- _, out, _ = qga.run("cat /run/secrets/my_machine/my_generator/my_secret")
+ qga.run("ls /run/secrets/vars/my_generator/my_secret", check=True)
+ _, out, _ = qga.run("cat /run/secrets/vars/my_generator/my_secret", check=True)
 assert out == "hello\n"
 qga.exec_cmd("poweroff")
 wait_vm_down("my_machine")
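Review bot: `assert sops_secrets != dict()` only proves that some secret reached the sops config; it does not pin the key this commit renames, so a regression that produced the old `my_machine/my_generator/my_secret` key again would pass this check and only fail later at the `qga.run` step inside the VM. Asserting the exact entry, `assert "vars/my_generator/my_secret" in sops_secrets`, ties the cheap eval check to the path the VM lines read, and the emptiness check itself is more idiomatic as `assert sops_secrets`. The `"no-such-path" not in my_secret_path` check presumably avoids an exact comparison because `nix_eval` returns a quoted literal here; if so, decoding it with `json.loads` like the first call would allow an equality assertion instead of a substring test. `test_vm_deployment` starts before this hunk.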