yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'remove secretsUploadDirectory from common module' (#2509) from lassulus/clan-core:no-secrets-upload-dir into main

Browse Source
This commit is contained in:
clan-bot
2024-11-28 15:46:51 +00:00
parent ad95265773 748053154e
commit a97d719a52
7 changed files with 31 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixosModules/clanCore/vars/default.nix
View File

@@ -55,7 +55,7 @@ in
); );
} }
); );
inherit (config.clan.core.vars.settings) secretUploadDirectory secretModule publicModule; inherit (config.clan.core.vars.settings) secretModule publicModule;
}; };
inherit (config.clan.core.networking) targetHost buildHost; inherit (config.clan.core.networking) targetHost buildHost;
inherit (config.clan.core.deployment) requireExplicitUpdate; inherit (config.clan.core.deployment) requireExplicitUpdate;

18
nixosModules/clanCore/vars/secret/password-store.nix
View File

@@ -39,7 +39,18 @@ let
|| (options.services ? userborn && config.services.userborn.enable); || (options.services ? userborn && config.services.userborn.enable);
in in
{ {
options.clan.vars.password-store = {
secretLocation = lib.mkOption {
type = lib.types.path;
default = "/etc/secret-vars";
description = ''
location where the tarball with the password-store secrets will be uploaded to and the manifest
'';
};
};
config = { config = {
system.clan.deployment.data.password-store.secretLocation =
config.clan.vars.password-store.secretLocation;
clan.core.vars.settings = clan.core.vars.settings =
lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store") lib.mkIf (config.clan.core.vars.settings.secretStore == "password-store")
{ {
@@ -48,7 +59,6 @@ in
lib.mkIf file.config.secret { lib.mkIf file.config.secret {
path = "/run/secrets/${file.config.generatorName}/${file.config.name}"; path = "/run/secrets/${file.config.generatorName}/${file.config.name}";
}; };
secretUploadDirectory = lib.mkDefault "/etc/secret-vars";
secretModule = "clan_cli.vars.secret_modules.password_store"; secretModule = "clan_cli.vars.secret_modules.password_store";
}; };
system.activationScripts.setupSecrets = system.activationScripts.setupSecrets =
@@ -66,13 +76,13 @@ in
] ]
'' ''
[ -e /run/current-system ] || echo setting up secrets... [ -e /run/current-system ] || echo setting up secrets...
${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz ${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz
'' ''
// lib.optionalAttrs (config.system ? dryActivationScript) { // lib.optionalAttrs (config.system ? dryActivationScript) {
supportsDryActivation = true; supportsDryActivation = true;
} }
); );
systemd.services.sops-install-secrets = systemd.services.pass-install-secrets =
lib.mkIf lib.mkIf
( (
(config.clan.core.vars.settings.secretStore == "password-store") (config.clan.core.vars.settings.secretStore == "password-store")
@@ -86,7 +96,7 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = [ ExecStart = [
"${installSecretTarball}/bin/install-secret-tarball ${config.clan.core.vars.settings.secretUploadDirectory}/secrets.tar.gz" "${installSecretTarball}/bin/install-secret-tarball ${config.clan.password-store.secretTarballLocation}/secrets.tar.gz"
]; ];
RemainAfterExit = true; RemainAfterExit = true;
}; };

1
nixosModules/clanCore/vars/secret/sops/default.nix
View File

@@ -32,7 +32,6 @@ in
); );
}; };
secretModule = "clan_cli.vars.secret_modules.sops"; secretModule = "clan_cli.vars.secret_modules.sops";
secretUploadDirectory = lib.mkDefault "/var/lib/sops-nix";
}; };
config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") { config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {

22
nixosModules/clanCore/vars/settings-opts.nix
View File

@@ -10,7 +10,7 @@
default = "sops"; default = "sops";
description = '' description = ''
method to store secret facts method to store secret facts
custom can be used to define a custom secret fact store. custom can be used to define a custom secret var store.
''; '';
}; };
@@ -22,14 +22,6 @@
''; '';
}; };
secretUploadDirectory = lib.mkOption {
type = lib.types.path;
description = ''
The directory where secrets are uploaded into, This is backend specific.
This is usally set by the secret store backend.
'';
};
# TODO: see if this is the right approach. Maybe revert to secretPathFunction # TODO: see if this is the right approach. Maybe revert to secretPathFunction
fileModule = lib.mkOption { fileModule = lib.mkOption {
type = lib.types.deferredModule; type = lib.types.deferredModule;
@@ -49,8 +41,8 @@
]; ];
default = "in_repo"; default = "in_repo";
description = '' description = ''
method to store public facts. method to store public vars.
custom can be used to define a custom public fact store. custom can be used to define a custom public vars store.
''; '';
}; };
@@ -61,12 +53,4 @@
the python import path to the public module the python import path to the public module
''; '';
}; };
publicDirectory = lib.mkOption {
type = lib.types.path;
description = ''
The directory where public facts are stored.
This is usally set by the public store backend.
'';
};
} }

4
pkgs/clan-cli/clan_cli/machines/machines.py
View File

@@ -178,10 +178,6 @@ class Machine:
def secrets_upload_directory(self) -> str: def secrets_upload_directory(self) -> str:
return self.deployment["facts"]["secretUploadDirectory"] return self.deployment["facts"]["secretUploadDirectory"]
@property
def secret_vars_upload_directory(self) -> str:
return self.deployment["vars"]["secretUploadDirectory"]
@property @property
def flake_dir(self) -> Path: def flake_dir(self) -> Path:
if self.flake.is_local(): if self.flake.is_local():

5
pkgs/clan-cli/clan_cli/vars/secret_modules/password_store.py
View File

@@ -136,7 +136,10 @@ class SecretStore(SecretStoreBase):
local_hash = self.generate_hash() local_hash = self.generate_hash()
remote_hash = self.machine.target_host.run( remote_hash = self.machine.target_host.run(
# TODO get the path to the secrets from the machine # TODO get the path to the secrets from the machine
["cat", f"{self.machine.secret_vars_upload_directory}/.pass_info"], [
"cat",
f"{self.machine.deployment["password-store"]["secretLocation"]}/.pass_info",
],
log=Log.STDERR, log=Log.STDERR,
check=False, check=False,
).stdout.strip() ).stdout.strip()

12
pkgs/clan-cli/clan_cli/vars/upload.py
View File

@@ -5,6 +5,7 @@ from pathlib import Path
from tempfile import TemporaryDirectory from tempfile import TemporaryDirectory
from clan_cli.completions import add_dynamic_completer, complete_machines from clan_cli.completions import add_dynamic_completer, complete_machines
from clan_cli.errors import ClanError
from clan_cli.machines.machines import Machine from clan_cli.machines.machines import Machine
from clan_cli.ssh.upload import upload from clan_cli.ssh.upload import upload
@@ -21,9 +22,14 @@ def upload_secret_vars(machine: Machine) -> None:
with TemporaryDirectory(prefix="vars-upload-") as tempdir: with TemporaryDirectory(prefix="vars-upload-") as tempdir:
secret_dir = Path(tempdir) secret_dir = Path(tempdir)
secret_store.upload(secret_dir) secret_store.upload(secret_dir)
upload( if secret_store.store_name == "password-store":
machine.target_host, secret_dir, Path(machine.secret_vars_upload_directory) upload_dir = Path(machine.deployment["password-store"]["secretLocation"])
) upload(machine.target_host, secret_dir, upload_dir)
elif secret_store.store_name == "sops":
pass
else:
msg = "upload function used on unsuitable secret_store"
raise ClanError(msg)
def upload_command(args: argparse.Namespace) -> None: def upload_command(args: argparse.Namespace) -> None: