move python code in nixos Module to external file

2024-01-17 14:02:37 +01:00
parent ed6eb50f7d
commit b5a12bc4ba
3 changed files with 141 additions and 51 deletions
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -26,57 +26,7 @@ in
    clanCore.secretsDirectory = "/run/secrets";
    clanCore.secretsPrefix = config.clanCore.machineName + "-";
    system.clan = lib.mkIf (config.clanCore.secrets != { }) {
-
-      secretsModule = pkgs.writeText "sops.py" ''
-        from pathlib import Path
-
-        from clan_cli.secrets.folders import sops_secrets_folder
-        from clan_cli.secrets.secrets import decrypt_secret, encrypt_secret, has_secret
-        from clan_cli.secrets.sops import generate_private_key
-        from clan_cli.secrets.machines import has_machine, add_machine
-        from clan_cli.machines.machines import Machine
-
-
-        class SecretStore:
-            def __init__(self, machine: Machine) -> None:
-                self.machine = machine
-                if has_machine(self.machine.flake_dir, self.machine.name):
-                    return
-                priv_key, pub_key = generate_private_key()
-                encrypt_secret(
-                    self.machine.flake_dir,
-                    sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-age.key",
-                    priv_key,
-                )
-                add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
-
-            def set(self, service: str, name: str, value: str):
-                encrypt_secret(
-                    self.machine.flake_dir,
-                    sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
-                    value,
-                    add_machines=[self.machine.name],
-                )
-
-            def get(self, service: str, name: str) -> bytes:
-                # TODO: add support for getting a secret
-                pass
-
-            def exists(self, service: str, name: str) -> bool:
-                return has_secret(
-                    self.machine.flake_dir,
-                    f"{self.machine.name}-{name}",
-                )
-
-            def upload(self, output_dir: Path, secrets: list[str, str]) -> None:
-                key_name = f"{self.machine.name}-age.key"
-                if not has_secret(self.machine.flake_dir, key_name):
-                    # skip uploading the secret, not managed by us
-                    return
-                key = decrypt_secret(self.machine.flake_dir, key_name)
-
-                (output_dir / "key.txt").write_text(key)
-      '';
+      secretsModule = ./sops/sops.py;
    };
    sops.secrets = builtins.mapAttrs
      (name: _: {