yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'secrets: add git support when updating secrets' (#862) from Mic92-target_host into main

Browse Source
This commit is contained in:
clan-bot
2024-02-20 11:45:13 +00:00
parent 413e172cbd 77c84e7471
commit 7091b09fa7
1 changed files with 40 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
pkgs/clan-cli/clan_cli/secrets/secrets.py
View File

@@ -8,6 +8,7 @@ from typing import IO
from .. import tty from .. import tty
from ..errors import ClanError from ..errors import ClanError
from ..git import commit_files
from .folders import ( from .folders import (
list_objects, list_objects,
sops_groups_folder, sops_groups_folder,
@@ -63,42 +64,58 @@ def encrypt_secret(
key = ensure_sops_key(flake_dir) key = ensure_sops_key(flake_dir)
keys = set([]) keys = set([])
files_to_commit = []
for user in add_users: for user in add_users:
allow_member( files_to_commit.append(
users_folder(flake_dir, secret.name), allow_member(
sops_users_folder(flake_dir), users_folder(flake_dir, secret.name),
user, sops_users_folder(flake_dir),
False, user,
False,
)
) )
for machine in add_machines: for machine in add_machines:
allow_member( files_to_commit.append(
machines_folder(flake_dir, secret.name), allow_member(
sops_machines_folder(flake_dir), machines_folder(flake_dir, secret.name),
machine, sops_machines_folder(flake_dir),
False, machine,
False,
)
) )
for group in add_groups: for group in add_groups:
allow_member( files_to_commit.append(
groups_folder(flake_dir, secret.name), allow_member(
sops_groups_folder(flake_dir), groups_folder(flake_dir, secret.name),
group, sops_groups_folder(flake_dir),
False, group,
False,
)
) )
keys = collect_keys_for_path(secret) keys = collect_keys_for_path(secret)
if key.pubkey not in keys: if key.pubkey not in keys:
keys.add(key.pubkey) keys.add(key.pubkey)
allow_member( files_to_commit.append(
users_folder(flake_dir, secret.name), allow_member(
sops_users_folder(flake_dir), users_folder(flake_dir, secret.name),
key.username, sops_users_folder(flake_dir),
False, key.username,
False,
)
) )
encrypt_file(secret / "secret", value, list(sorted(keys))) secret_path = secret / "secret"
encrypt_file(secret_path, value, list(sorted(keys)))
files_to_commit.append(secret_path)
commit_files(
files_to_commit,
flake_dir,
f"Update secret {secret.name}",
)
def remove_secret(flake_dir: Path, secret: str) -> None: def remove_secret(flake_dir: Path, secret: str) -> None:
@@ -139,7 +156,7 @@ def list_directory(directory: Path) -> str:
def allow_member( def allow_member(
group_folder: Path, source_folder: Path, name: str, do_update_keys: bool = True group_folder: Path, source_folder: Path, name: str, do_update_keys: bool = True
) -> None: ) -> Path:
source = source_folder / name source = source_folder / name
if not source.exists(): if not source.exists():
msg = f"Cannot encrypt {group_folder.parent.name} for '{name}' group. '{name}' group does not exist in {source_folder}: " msg = f"Cannot encrypt {group_folder.parent.name} for '{name}' group. '{name}' group does not exist in {source_folder}: "
@@ -160,6 +177,7 @@ def allow_member(
group_folder.parent, group_folder.parent,
list(sorted(collect_keys_for_path(group_folder.parent))), list(sorted(collect_keys_for_path(group_folder.parent))),
) )
return user_target
def disallow_member(group_folder: Path, name: str) -> None: def disallow_member(group_folder: Path, name: str) -> None: