From a569a1d147a2bb8699354547a9c89566d138e567 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 2 Nov 2025 16:01:43 +0100
Subject: [PATCH] Fix vars upload for public vars with neededFor activation/partitioning When vars are marked with neededFor="activation" or "partitioning", they need to be available early in the boot process. However, the populate_dir methods in both sops and password_store secret backends were only calling self.get() which only retrieves secret vars from the .../secret path. This caused public vars (stored at .../value) to fail with "Secret does not exist" errors when trying to upload them. The fix uses file.value property instead, which properly delegates to the correct store (SecretStore or FactStore) based on whether the file is marked as secret or public. Fixes affected all neededFor phases in both backends: - sops: activation and partitioning phases - password_store: activation and partitioning phases
---
 pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py | 4 ++--
 pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
index ad76e6f3e..f40aab411 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
@@ -245,7 +245,7 @@ class SecretStore(StoreBase):
 output_dir / "activation" / generator.name / file.name
 )
 out_file.parent.mkdir(parents=True, exist_ok=True)
- out_file.write_bytes(self.get(generator, file.name))
+ out_file.write_bytes(file.value)
 if "partitioning" in phases:
 for generator in vars_generators:
 for file in generator.files:
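Review bot: `out_file.write_bytes(file.value)` in the activation loop creates the file with whatever permissions the process umask allows, and nothing visible in this hunk tightens them afterwards. The sops backend in the same patch does `target_path.touch(mode=0o600)` before the write and `target_path.chmod(file.mode)` after it. Because `file.value` can still return secret material, this loop should do the same: `out_file.touch(mode=0o600)` before the write and `out_file.chmod(file.mode)` after it. The partitioning loop in the next hunk (-254,7) has the identical write and needs the same change. The enclosing method starts above this hunk, so whether the caller already creates `output_dir` with restrictive permissions cannot be seen from here and should be confirmed.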
@@ -254,7 +254,7 @@ class SecretStore(StoreBase): output_dir / "partitioning" / generator.name / file.name ) out_file.parent.mkdir(parents=True, exist_ok=True) - out_file.write_bytes(self.get(generator, file.name)) + out_file.write_bytes(file.value) hash_data = self.generate_hash(machine) if hash_data: diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py index c09358d10..1e3b8a860 100644 --- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py +++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py @@ -246,7 +246,7 @@ class SecretStore(StoreBase): ) # chmod after in case it doesn't have u+w target_path.touch(mode=0o600) - target_path.write_bytes(self.get(generator, file.name)) + target_path.write_bytes(file.value) target_path.chmod(file.mode) if "partitioning" in phases: @@ -260,7 +260,7 @@ class SecretStore(StoreBase): ) # chmod after in case it doesn't have u+w target_path.touch(mode=0o600) - target_path.write_bytes(self.get(generator, file.name)) + target_path.write_bytes(file.value) target_path.chmod(file.mode) @override
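Review bot: Nothing at the `target_path.write_bytes(file.value)` call in the sops activation loop (-246,7) records why `file.value` is used rather than `self.get(generator, file.name)`, and the diffstat touches only the two backend files, so no test guards the fix. A one-line comment such as `# file.value reads from the public or the secret store as appropriate; self.get() only finds secrets` would keep a later cleanup from reverting it. A regression test that runs a non-secret file with neededFor "activation" and one with "partitioning" through each backend would cover all four call sites, including the sops partitioning hunk (-260,7) and the two in password_store.py. Both loop bodies begin above their hunks, so the surrounding `needed_for` filtering is not visible here.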