move secret stores into clan_cli codebase
This commit is contained in:
lassulus
@@ -31,27 +31,10 @@
|
||||
the directory on the deployment server where secrets are uploaded
|
||||
'';
|
||||
};
|
||||
uploadSecrets = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
script to upload secrets to the deployment server
|
||||
'';
|
||||
default = "${pkgs.coreutils}/bin/true";
|
||||
};
|
||||
generateSecrets = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
script to generate secrets
|
||||
'';
|
||||
default = "${pkgs.coreutils}/bin/true";
|
||||
};
|
||||
secretsModule = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${pkgs.coreutils}/bin/true";
|
||||
type = lib.types.str;
|
||||
description = ''
|
||||
the module that generates secrets.
|
||||
A needs to define a python class SecretStore which implements the following methods:
|
||||
set, get, exists
|
||||
the python import path to the secrets module
|
||||
'';
|
||||
};
|
||||
secretsData = lib.mkOption {
|
||||
@@ -82,7 +65,7 @@
|
||||
# optimization for faster secret generate/upload and machines update
|
||||
config = {
|
||||
system.clan.deployment.data = {
|
||||
inherit (config.system.clan) uploadSecrets generateSecrets secretsModule secretsData;
|
||||
inherit (config.system.clan) secretsModule secretsData;
|
||||
inherit (config.clan.networking) deploymentAddress;
|
||||
inherit (config.clanCore) secretsUploadDirectory;
|
||||
};
|
||||
|
||||
@@ -6,7 +6,6 @@
|
||||
description = ''
|
||||
method to store secrets
|
||||
custom can be used to define a custom secret store.
|
||||
one would have to define system.clan.generateSecrets and system.clan.uploadSecrets
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
options.clan.password-store.targetDirectory = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
@@ -10,81 +10,7 @@
|
||||
config = lib.mkIf (config.clanCore.secretStore == "password-store") {
|
||||
clanCore.secretsDirectory = config.clan.password-store.targetDirectory;
|
||||
clanCore.secretsUploadDirectory = config.clan.password-store.targetDirectory;
|
||||
system.clan.secretsModule = pkgs.writeText "pass.py" ''
|
||||
import os
|
||||
import subprocess
|
||||
from clan_cli.machines.machines import Machine
|
||||
from pathlib import Path
|
||||
|
||||
|
||||
class SecretStore:
|
||||
def __init__(self, machine: Machine) -> None:
|
||||
self.machine = machine
|
||||
|
||||
def set(self, service: str, name: str, value: str):
|
||||
subprocess.run(
|
||||
["${pkgs.pass}/bin/pass", "insert", "-m", f"machines/{self.machine.name}/{name}"],
|
||||
input=value.encode("utf-8"),
|
||||
check=True,
|
||||
)
|
||||
|
||||
def get(self, service: str, name: str) -> str:
|
||||
return subprocess.run(
|
||||
["${pkgs.pass}/bin/pass", "show", f"machines/{self.machine.name}/{name}"],
|
||||
check=True,
|
||||
stdout=subprocess.PIPE,
|
||||
text=True,
|
||||
).stdout
|
||||
|
||||
def exists(self, service: str, name: str) -> bool:
|
||||
password_store = os.environ.get("PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store")
|
||||
secret_path = Path(password_store) / f"machines/{self.machine.name}/{name}.gpg"
|
||||
print(f"checking {secret_path}")
|
||||
return secret_path.exists()
|
||||
|
||||
def generate_hash(self) -> str:
|
||||
password_store = os.environ.get("PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store")
|
||||
hashes = []
|
||||
hashes.append(
|
||||
subprocess.run(
|
||||
["${pkgs.git}/bin/git", "-C", password_store, "log", "-1", "--format=%H", f"machines/{self.machine.name}"],
|
||||
stdout=subprocess.PIPE,
|
||||
text=True,
|
||||
).stdout.strip()
|
||||
)
|
||||
for symlink in Path(password_store).glob(f"machines/{self.machine.name}/**/*"):
|
||||
if symlink.is_symlink():
|
||||
hashes.append(
|
||||
subprocess.run(
|
||||
["${pkgs.git}/bin/git", "-C", password_store, "log", "-1", "--format=%H", symlink],
|
||||
stdout=subprocess.PIPE,
|
||||
text=True,
|
||||
).stdout.strip()
|
||||
)
|
||||
|
||||
# we sort the hashes to make sure that the order is always the same
|
||||
hashes.sort()
|
||||
return "\n".join(hashes)
|
||||
|
||||
def update_check(self):
|
||||
local_hash = self.generate_hash()
|
||||
remote_hash = self.machine.host.run(
|
||||
["cat", "${config.clan.password-store.targetDirectory}/.pass_info"],
|
||||
check=False,
|
||||
stdout=subprocess.PIPE,
|
||||
).stdout.strip()
|
||||
|
||||
if not remote_hash:
|
||||
print("remote hash is empty")
|
||||
return False
|
||||
|
||||
return local_hash == remote_hash
|
||||
|
||||
def upload(self, output_dir: Path, secrets: list[str, str]) -> None:
|
||||
for service, secret in secrets:
|
||||
(output_dir / secret).write_text(self.get(service, secret))
|
||||
(output_dir / ".pass_info").write_text(self.generate_hash())
|
||||
'';
|
||||
system.clan.secretsModule = "clan_cli.secrets.modules.password_store";
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@@ -25,9 +25,7 @@ in
|
||||
config = lib.mkIf (config.clanCore.secretStore == "sops") {
|
||||
clanCore.secretsDirectory = "/run/secrets";
|
||||
clanCore.secretsPrefix = config.clanCore.machineName + "-";
|
||||
system.clan = lib.mkIf (config.clanCore.secrets != { }) {
|
||||
secretsModule = ./sops/sops.py;
|
||||
};
|
||||
system.clan.secretsModule = "clan_cli.secrets.modules.sops";
|
||||
sops.secrets = builtins.mapAttrs
|
||||
(name: _: {
|
||||
sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
|
||||
|
||||
@@ -1,93 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
secretsDir = config.clanCore.clanDir + "/sops/secrets";
|
||||
groupsDir = config.clanCore.clanDir + "/sops/groups";
|
||||
|
||||
|
||||
# My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation?
|
||||
containsSymlink = path:
|
||||
builtins.pathExists path && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink");
|
||||
|
||||
containsMachine = parent: name: type:
|
||||
type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}";
|
||||
|
||||
containsMachineOrGroups = name: type:
|
||||
(containsMachine secretsDir name type) || lib.any (group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}") groups;
|
||||
|
||||
filterDir = filter: dir:
|
||||
lib.optionalAttrs (builtins.pathExists dir)
|
||||
(lib.filterAttrs filter (builtins.readDir dir));
|
||||
|
||||
groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir);
|
||||
secrets = filterDir containsMachineOrGroups secretsDir;
|
||||
in
|
||||
{
|
||||
config = lib.mkIf (config.clanCore.secretStore == "sops") {
|
||||
clanCore.secretsDirectory = "/run/secrets";
|
||||
clanCore.secretsPrefix = config.clanCore.machineName + "-";
|
||||
system.clan = lib.mkIf (config.clanCore.secrets != { }) {
|
||||
secretsModule = pkgs.writeText "sops.py" ''
|
||||
from pathlib import Path
|
||||
|
||||
from clan_cli.secrets.folders import sops_secrets_folder
|
||||
from clan_cli.secrets.secrets import decrypt_secret, encrypt_secret, has_secret
|
||||
from clan_cli.secrets.sops import generate_private_key
|
||||
from clan_cli.secrets.machines import has_machine, add_machine
|
||||
from clan_cli.machines.machines import Machine
|
||||
|
||||
|
||||
class SecretStore:
|
||||
def __init__(self, machine: Machine) -> None:
|
||||
self.machine = machine
|
||||
if has_machine(self.machine.flake_dir, self.machine.name):
|
||||
return
|
||||
priv_key, pub_key = generate_private_key()
|
||||
encrypt_secret(
|
||||
self.machine.flake_dir,
|
||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-age.key",
|
||||
priv_key,
|
||||
)
|
||||
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
|
||||
|
||||
def set(self, service: str, name: str, value: str):
|
||||
encrypt_secret(
|
||||
self.machine.flake_dir,
|
||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
|
||||
value,
|
||||
add_machines=[self.machine.name],
|
||||
)
|
||||
|
||||
def get(self, service: str, name: str) -> bytes:
|
||||
# TODO: add support for getting a secret
|
||||
pass
|
||||
|
||||
def exists(self, service: str, name: str) -> bool:
|
||||
return has_secret(
|
||||
self.machine.flake_dir,
|
||||
f"{self.machine.name}-{name}",
|
||||
)
|
||||
|
||||
def upload(self, output_dir: Path, secrets: list[str, str]) -> None:
|
||||
key_name = f"{self.machine.name}-age.key"
|
||||
if not has_secret(self.machine.flake_dir, key_name):
|
||||
# skip uploading the secret, not managed by us
|
||||
return
|
||||
key = decrypt_secret(self.machine.flake_dir, key_name)
|
||||
|
||||
(output_dir / "key.txt").write_text(key)
|
||||
'';
|
||||
};
|
||||
sops.secrets = builtins.mapAttrs
|
||||
(name: _: {
|
||||
sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
|
||||
format = "binary";
|
||||
})
|
||||
secrets;
|
||||
# To get proper error messages about missing secrets we need a dummy secret file that is always present
|
||||
sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
|
||||
|
||||
sops.age.keyFile = lib.mkIf (builtins.pathExists (config.clanCore.clanDir + "/sops/secrets/${config.clanCore.machineName}-age.key/secret"))
|
||||
(lib.mkDefault "/var/lib/sops-nix/key.txt");
|
||||
clanCore.secretsUploadDirectory = lib.mkDefault "/var/lib/sops-nix";
|
||||
};
|
||||
}
|
||||
@@ -1,47 +0,0 @@
|
||||
from pathlib import Path
|
||||
|
||||
from clan_cli.machines.machines import Machine
|
||||
from clan_cli.secrets.folders import sops_secrets_folder
|
||||
from clan_cli.secrets.machines import add_machine, has_machine
|
||||
from clan_cli.secrets.secrets import decrypt_secret, encrypt_secret, has_secret
|
||||
from clan_cli.secrets.sops import generate_private_key
|
||||
|
||||
|
||||
class SecretStore:
|
||||
def __init__(self, machine: Machine) -> None:
|
||||
self.machine = machine
|
||||
if has_machine(self.machine.flake_dir, self.machine.name):
|
||||
return
|
||||
priv_key, pub_key = generate_private_key()
|
||||
encrypt_secret(
|
||||
self.machine.flake_dir,
|
||||
sops_secrets_folder(self.machine.flake_dir)
|
||||
/ f"{self.machine.name}-age.key",
|
||||
priv_key,
|
||||
)
|
||||
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
|
||||
|
||||
def set(self, _service: str, name: str, value: str):
|
||||
encrypt_secret(
|
||||
self.machine.flake_dir,
|
||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
|
||||
value,
|
||||
add_machines=[self.machine.name],
|
||||
)
|
||||
|
||||
def get(self, _service: str, _name: str) -> bytes:
|
||||
raise NotImplementedError()
|
||||
|
||||
def exists(self, _service: str, name: str) -> bool:
|
||||
return has_secret(
|
||||
self.machine.flake_dir,
|
||||
f"{self.machine.name}-{name}",
|
||||
)
|
||||
|
||||
def upload(self, output_dir: Path, _secrets: list[str]) -> None:
|
||||
key_name = f"{self.machine.name}-age.key"
|
||||
if not has_secret(self.machine.flake_dir, key_name):
|
||||
# skip uploading the secret, not managed by us
|
||||
return
|
||||
key = decrypt_secret(self.machine.flake_dir, key_name)
|
||||
(output_dir / "key.txt").write_text(key)
|
||||
@@ -140,8 +140,6 @@ in
|
||||
toplevel = vmConfig.config.system.build.toplevel;
|
||||
regInfo = (pkgs.closureInfo { rootPaths = vmConfig.config.virtualisation.additionalPaths; });
|
||||
inherit (config.clan.virtualisation) memorySize cores graphics;
|
||||
generateSecrets = config.system.clan.generateSecrets;
|
||||
uploadSecrets = config.system.clan.uploadSecrets;
|
||||
});
|
||||
};
|
||||
|
||||
|
||||
Reference in New Issue
Block a user