clanCore/vars/sops: only copy required secrets to store

Create a store path per in repo secret/var to be copied, this prevents unused secrets from being leaked. For example the `root-password` generator contains both the hashed and unhashed password but only the hash is used.
2025-05-01 00:29:01 +02:00
parent 47203d849e
commit b08a2bdb75
3 changed files with 27 additions and 4 deletions
--- a/nixosModules/clanCore/vars/interface.nix
+++ b/nixosModules/clanCore/vars/interface.nix
@@ -241,12 +241,35 @@ in
                      type = bool;
                      default = true;
                    };
+                    flakePath = lib.mkOption {
+                      description = ''
+                        The path to the file containing the content of the generated value.
+                        This will be set automatically
+                      '';
+                      type = nullOr str;
+                      default = null;
+                    };
                    path = lib.mkOption {
                      description = ''
                        The path to the file containing the content of the generated value.
                        This will be set automatically
                      '';
                      type = str;
+                      defaultText = ''
+                        (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
+                          { }
+                          ''\''
+                            cp $${file.config.inRepoPath} $out
+                          ''\''
+                        ).outPath;
+                      '';
+                      default =
+                        (pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
+                          { }
+                          ''
+                            cp ${file.config.flakePath} $out
+                          ''
+                        ).outPath;
                    };
                    neededFor = lib.mkOption {
                      description = ''
--- a/nixosModules/clanCore/vars/public/in_repo.nix
+++ b/nixosModules/clanCore/vars/public/in_repo.nix
@@ -11,7 +11,7 @@ in
  config.clan.core.vars.settings = mkIf (config.clan.core.vars.settings.publicStore == "in_repo") {
    publicModule = "clan_cli.vars.public_modules.in_repo";
    fileModule = file: {
-      path = mkIf (file.config.secret == false) (
+      flakePath = mkIf (file.config.secret == false) (
        if file.config.share then
          (
            config.clan.core.settings.directory
@@ -25,9 +25,9 @@ in
      );
      value = mkIf (file.config.secret == false) (
        # dynamically adjust priority to allow overriding with mkDefault in case the file is not found
-        if (pathExists file.config.path) then
+        if (pathExists file.config.flakePath) then
          # if the file is found it should have normal priority
-          readFile file.config.path
+          readFile file.config.flakePath
        else
          # if the file is not found, we want to downgrade the priority, to allow overriding via mkDefault
          mkOptionDefault (
--- a/pkgs/clan-cli/clan_cli/tests/test_vars.py
+++ b/pkgs/clan-cli/clan_cli/tests/test_vars.py
@@ -970,7 +970,7 @@ def test_dynamic_invalidation(
    custom_nix.write_text(
        """
        { config, ... }: let
-            p = config.clan.core.vars.generators.my_generator.files.my_value.path;
+            p = config.clan.core.vars.generators.my_generator.files.my_value.flakePath;
        in {
            clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
        }