From 8337a3ec4198589766afe9ec6c85dd4ca84a2e86 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 27 Nov 2024 13:32:00 +0100 Subject: [PATCH 1/3] vars: remove secretsUploadDirectory from common module --- nixosModules/clanCore/vars/default.nix | 2 +- .../clanCore/vars/secret/password-store.nix | 18 ++++++++++++++---- .../clanCore/vars/secret/sops/default.nix | 1 - nixosModules/clanCore/vars/settings-opts.nix | 8 -------- pkgs/clan-cli/clan_cli/machines/machines.py | 4 ---- .../vars/secret_modules/password_store.py | 5 ++++- pkgs/clan-cli/clan_cli/vars/upload.py | 12 +++++++++--- 7 files changed, 28 insertions(+), 22 deletions(-) diff --git a/nixosModules/clanCore/vars/default.nix b/nixosModules/clanCore/vars/default.nix index db8b8744c..0bfd072ca 100644 --- a/nixosModules/clanCore/vars/default.nix +++ b/nixosModules/clanCore/vars/default.nix @@ -55,7 +55,7 @@ in ); } ); - inherit (config.clan.core.vars.settings) secretUploadDirectory secretModule publicModule; + inherit (config.clan.core.vars.settings) secretModule publicModule; }; inherit (config.clan.core.networking) targetHost buildHost; inherit (config.clan.core.deployment) requireExplicitUpdate; diff --git a/nixosModules/clanCore/vars/secret/password-store.nix b/nixosModules/clanCore/vars/secret/password-store.nix index f743460aa..d7d97f17b 100644 --- a/nixosModules/clanCore/vars/secret/password-store.nix +++ b/nixosModules/clanCore/vars/secret/password-store.nix 
@@ -39,7 +39,18 @@ let || (options.services ? userborn && config.services.userborn.enable); in { + options.clan.vars.password-store = { + secretLocation = lib.mkOption { + type = lib.types.path; + default = "/etc/secret-vars"; + description = '' + location where the tarball with the password-store secrets will be uploaded to and the manifest + ''; + }; + }; config = { + system.clan.deployment.data.password-store.secretLocation = + config.clan.vars.password-store.secretLocation; clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store") { @@ -48,7 +59,6 @@ in lib.mkIf file.config.secret { path = "/run/secrets/${file.config.generatorName}/${file.config.name}"; }; - secretUploadDirectory = lib.mkDefault "/etc/secret-vars"; secretModule = "clan_cli.vars.secret_modules.password_store"; }; system.activationScripts.setupSecrets = @@ -66,13 +76,13 @@ in ] '' [ -e /run/current-system ] || echo setting up secrets... - ${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz + ${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz '' // lib.optionalAttrs (config.system ? dryActivationScript) { supportsDryActivation = true; } ); - systemd.services.sops-install-secrets = + systemd.services.pass-install-secrets = lib.mkIf ( (config.clan.core.vars.settings.secretStore == "password-store") @@ -86,7 +96,7 @@ in serviceConfig = { Type = "oneshot"; ExecStart = [ - "${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz" + "${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz" ]; RemainAfterExit = true; }; diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix index a3c024fa5..106f2f6d2 100644 
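Review bot: The description of the new `secretLocation` option, `location where the tarball with the password-store secrets will be uploaded to and the manifest`, reads as an unfinished sentence; since the same directory also holds the `.pass_info` file that `password_store.py` compares in this patch, something like `Directory on the target host where the password-store secrets tarball (secrets.tar.gz) and the .pass_info hash file are uploaded.` states what the value is. The `system.clan.deployment.data.password-store.secretLocation` assignment sits outside the `lib.mkIf (… secretStore == "password-store")` block, so the deployment data advertises a password-store location even for machines using another store; the CLI code in this patch only reads it in the password-store branch, so this looks harmless, but either moving it under the mkIf or a one-line comment saying it is always exported would make the intent clear.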
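Review bot: The activation script on the added line reads `config.clan.password-store.secretTarballLocation`, but the option this commit declares is `clan.vars.password-store.secretLocation`, so neither the `clan.password-store` attribute nor `secretTarballLocation` exists and evaluation fails as soon as `secretStore = "password-store"` is selected; the `ExecStart` line in the `@@ -86,7 +96,7 @@` hunk has the same mismatch. Both should read `${config.clan.vars.password-store.secretLocation}/secrets.tar.gz`. Because both references are guarded by `lib.mkIf (… secretStore == "password-store")`, an evaluation of a sops-only machine will not surface this, so an eval test of a password-store machine would catch it.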
--- a/nixosModules/clanCore/vars/secret/sops/default.nix +++ b/nixosModules/clanCore/vars/secret/sops/default.nix @@ -32,7 +32,6 @@ in ); }; secretModule = "clan_cli.vars.secret_modules.sops"; - secretUploadDirectory = lib.mkDefault "/var/lib/sops-nix"; }; config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") { diff --git a/nixosModules/clanCore/vars/settings-opts.nix b/nixosModules/clanCore/vars/settings-opts.nix index b94894c2c..cad13d0f4 100644 --- a/nixosModules/clanCore/vars/settings-opts.nix +++ b/nixosModules/clanCore/vars/settings-opts.nix @@ -22,14 +22,6 @@ ''; }; - secretUploadDirectory = lib.mkOption { - type = lib.types.path; - description = '' - The directory where secrets are uploaded into, This is backend specific. - This is usally set by the secret store backend. - ''; - }; - # TODO: see if this is the right approach. Maybe revert to secretPathFunction fileModule = lib.mkOption { type = lib.types.deferredModule; diff --git a/pkgs/clan-cli/clan_cli/machines/machines.py b/pkgs/clan-cli/clan_cli/machines/machines.py index 367ad405e..b9965d83b 100644 --- a/pkgs/clan-cli/clan_cli/machines/machines.py +++ b/pkgs/clan-cli/clan_cli/machines/machines.py @@ -178,10 +178,6 @@ class Machine: def secrets_upload_directory(self) -> str: return self.deployment["facts"]["secretUploadDirectory"] - @property - def secret_vars_upload_directory(self) -> str: - return self.deployment["vars"]["secretUploadDirectory"] - @property def flake_dir(self) -> Path: if self.flake.is_local(): diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py index 80db0c624..fd108f9b7 100644 --- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py +++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py 
@@ -137,7 +137,10 @@ class SecretStore(SecretStoreBase): local_hash = self.generate_hash() remote_hash = self.machine.target_host.run( # TODO get the path to the secrets from the machine - ["cat", f"{self.machine.secret_vars_upload_directory}/.pass_info"], + [ + "cat", + f"{self.machine.deployment["password-store"]["secretLocation"]}/.pass_info", + ], log=Log.STDERR, check=False, ).stdout.strip() diff --git a/pkgs/clan-cli/clan_cli/vars/upload.py b/pkgs/clan-cli/clan_cli/vars/upload.py index 8c78974e1..1b1cd7733 100644 --- a/pkgs/clan-cli/clan_cli/vars/upload.py +++ b/pkgs/clan-cli/clan_cli/vars/upload.py @@ -5,6 +5,7 @@ from pathlib import Path from tempfile import TemporaryDirectory from clan_cli.completions import add_dynamic_completer, complete_machines +from clan_cli.errors import ClanError from clan_cli.machines.machines import Machine from clan_cli.ssh.upload import upload @@ -21,9 +22,14 @@ def upload_secret_vars(machine: Machine) -> None: with TemporaryDirectory(prefix="vars-upload-") as tempdir: secret_dir = Path(tempdir) secret_store.upload(secret_dir) - upload( - machine.target_host, secret_dir, Path(machine.secret_vars_upload_directory) - ) + if secret_store.store_name == "password-store": + upload_dir = Path(machine.deployment["password-store"]["secretLocation"]) + upload(machine.target_host, secret_dir, upload_dir) + elif secret_store.store_name == "sops": + pass + else: + msg = "upload function used on unsuitable secret_store" + raise ClanError(msg) def upload_command(args: argparse.Namespace) -> None: From 0e4f967dadf332c4cb1d28037048a6b4a8463122 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 28 Nov 2024 16:38:47 +0100 Subject: [PATCH 2/3] vars: use vars in option descriptions --- nixosModules/clanCore/vars/settings-opts.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixosModules/clanCore/vars/settings-opts.nix b/nixosModules/clanCore/vars/settings-opts.nix index cad13d0f4..fbd019ba7 100644 
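Review bot: The added f-string `f"{self.machine.deployment["password-store"]["secretLocation"]}/.pass_info"` reuses double quotes inside the replacement field, which is only valid syntax from Python 3.12 (PEP 701) and a SyntaxError on earlier interpreters; unless the project already pins 3.12, bind the value first, `secret_location = self.machine.deployment["password-store"]["secretLocation"]`, and use `f"{secret_location}/.pass_info"`. With the path now taken from the machine's deployment data, the `# TODO get the path to the secrets from the machine` comment directly above is done and should be dropped. The value is interpolated into a command run on the target host; it comes from the machine's own evaluated configuration, but if `target_host.run` joins the argv into a remote shell string it should be passed through `shlex.quote`, which I cannot verify from this hunk. The enclosing method begins and ends outside the hunk.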
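Review bot: `secret_store.upload(secret_dir)` on the hunk's third context line still runs for every backend before the new `store_name` dispatch, so with sops the secrets are materialised into the temporary directory only to be discarded, and with an unknown store they are written out before `ClanError` is raised. Deciding on the store before entering `TemporaryDirectory` avoids putting secret material on disk for nothing; the rewrite below does that and also names the offending store in the error message. Since the removed code uploaded for any store, it is worth confirming that the sops store's `upload` never produced files that used to reach the target, otherwise the `pass` branch silently drops them. `upload_secret_vars` starts before this hunk (its `def` line appears only in the hunk header).
```python
def upload_secret_vars(machine: Machine) -> None:
    # … unchanged: secret_store construction …
    if secret_store.store_name == "sops":
        return  # no upload step for sops
    if secret_store.store_name != "password-store":
        msg = f"upload function used on unsuitable secret_store: {secret_store.store_name}"
        raise ClanError(msg)
    with TemporaryDirectory(prefix="vars-upload-") as tempdir:
        secret_dir = Path(tempdir)
        secret_store.upload(secret_dir)
        upload_dir = Path(machine.deployment["password-store"]["secretLocation"])
        upload(machine.target_host, secret_dir, upload_dir)
```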
--- a/nixosModules/clanCore/vars/settings-opts.nix +++ b/nixosModules/clanCore/vars/settings-opts.nix @@ -10,7 +10,7 @@ default = "sops"; description = '' method to store secret facts - custom can be used to define a custom secret fact store. + custom can be used to define a custom secret var store. ''; }; @@ -41,8 +41,8 @@ ]; default = "in_repo"; description = '' - method to store public facts. - custom can be used to define a custom public fact store. + method to store public vars. + custom can be used to define a custom public vars store. ''; }; From cdfcc42107afee452c332c14b6b45a9246dd3a71 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 28 Nov 2024 16:39:01 +0100 Subject: [PATCH 3/3] vars: remove dead option --- nixosModules/clanCore/vars/settings-opts.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/nixosModules/clanCore/vars/settings-opts.nix b/nixosModules/clanCore/vars/settings-opts.nix index fbd019ba7..dbd6b48df 100644 --- a/nixosModules/clanCore/vars/settings-opts.nix +++ b/nixosModules/clanCore/vars/settings-opts.nix @@ -53,12 +53,4 @@ the python import path to the public module ''; }; - - publicDirectory = lib.mkOption { - type = lib.types.path; - description = '' - The directory where public facts are stored. - This is usally set by the public store backend. - ''; - }; }