vars: remove secretsUploadDirectory from common module

nixosModules/clanCore/vars/default.nix

@@ -55,7 +55,7 @@ in
           );
         }
       );
-      inherit (config.clan.core.vars.settings) secretUploadDirectory secretModule publicModule;
+      inherit (config.clan.core.vars.settings) secretModule publicModule;
     };
     inherit (config.clan.core.networking) targetHost buildHost;
     inherit (config.clan.core.deployment) requireExplicitUpdate;

nixosModules/clanCore/vars/secret/password-store.nix

@@ -39,7 +39,18 @@ let
     || (options.services ? userborn && config.services.userborn.enable);
 in
 {
+  options.clan.vars.password-store = {
+    secretLocation = lib.mkOption {
+      type = lib.types.path;
+      default = "/etc/secret-vars";
+      description = ''
+        location where the tarball with the password-store secrets will be uploaded to and the manifest
+      '';
+    };
+  };
   config = {
+    system.clan.deployment.data.password-store.secretLocation =
+      config.clan.vars.password-store.secretLocation;
     clan.core.vars.settings =
       lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store")
         {
@@ -48,7 +59,6 @@ in
             lib.mkIf file.config.secret {
               path = "/run/secrets/${file.config.generatorName}/${file.config.name}";
             };
-          secretUploadDirectory = lib.mkDefault "/etc/secret-vars";
           secretModule = "clan_cli.vars.secret_modules.password_store";
         };
     system.activationScripts.setupSecrets =
@@ -66,13 +76,13 @@ in
             ]
             ''
               [ -e /run/current-system ] || echo setting up secrets...
-              ${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz
+              ${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz
             ''
           // lib.optionalAttrs (config.system ? dryActivationScript) {
             supportsDryActivation = true;
           }
         );
-    systemd.services.sops-install-secrets =
+    systemd.services.pass-install-secrets =
       lib.mkIf
         (
           (config.clan.core.vars.settings.secretStore == "password-store")
@@ -86,7 +96,7 @@ in
           serviceConfig = {
             Type = "oneshot";
             ExecStart = [
-              "${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz"
+              "${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz"
             ];
             RemainAfterExit = true;
           };

nixosModules/clanCore/vars/secret/sops/default.nix

@@ -32,7 +32,6 @@ in
       );
     };
     secretModule = "clan_cli.vars.secret_modules.sops";
-    secretUploadDirectory = lib.mkDefault "/var/lib/sops-nix";
   };
 
   config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {

nixosModules/clanCore/vars/settings-opts.nix

@@ -22,14 +22,6 @@
     '';
   };
 
-  secretUploadDirectory = lib.mkOption {
-    type = lib.types.path;
-    description = ''
-      The directory where secrets are uploaded into, This is backend specific.
-      This is usally set by the secret store backend.
-    '';
-  };
-
   # TODO: see if this is the right approach. Maybe revert to secretPathFunction
   fileModule = lib.mkOption {
     type = lib.types.deferredModule;

pkgs/clan-cli/clan_cli/machines/machines.py

@@ -178,10 +178,6 @@ class Machine:
     def secrets_upload_directory(self) -> str:
         return self.deployment["facts"]["secretUploadDirectory"]
 
-    @property
-    def secret_vars_upload_directory(self) -> str:
-        return self.deployment["vars"]["secretUploadDirectory"]
-
     @property
     def flake_dir(self) -> Path:
         if self.flake.is_local():

pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py

@@ -137,7 +137,10 @@ class SecretStore(SecretStoreBase):
         local_hash = self.generate_hash()
         remote_hash = self.machine.target_host.run(
             # TODO get the path to the secrets from the machine
-            ["cat", f"{self.machine.secret_vars_upload_directory}/.pass_info"],
+            [
+                "cat",
+                f"{self.machine.deployment["password-store"]["secretLocation"]}/.pass_info",
+            ],
             log=Log.STDERR,
             check=False,
         ).stdout.strip()

pkgs/clan-cli/clan_cli/vars/upload.py

@@ -5,6 +5,7 @@ from pathlib import Path
 from tempfile import TemporaryDirectory
 
 from clan_cli.completions import add_dynamic_completer, complete_machines
+from clan_cli.errors import ClanError
 from clan_cli.machines.machines import Machine
 from clan_cli.ssh.upload import upload
 
@@ -21,9 +22,14 @@ def upload_secret_vars(machine: Machine) -> None:
     with TemporaryDirectory(prefix="vars-upload-") as tempdir:
         secret_dir = Path(tempdir)
         secret_store.upload(secret_dir)
-        upload(
+        if secret_store.store_name == "password-store":
-            machine.target_host, secret_dir, Path(machine.secret_vars_upload_directory)
+            upload_dir = Path(machine.deployment["password-store"]["secretLocation"])
-        )
+            upload(machine.target_host, secret_dir, upload_dir)
+        elif secret_store.store_name == "sops":
+            pass
+        else:
+            msg = "upload function used on unsuitable secret_store"
+            raise ClanError(msg)
 
 
 def upload_command(args: argparse.Namespace) -> None: