yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request 'some minor secrets fixups' (#780) from lassulus-secrets-fixes into main

Browse Source
This commit is contained in:
clan-bot
2024-01-30 11:13:35 +00:00
parent a0ebf882c5 961eb26335
commit b99f569973
4 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
nixosModules/clanCore/secrets/default.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
{ {
options.clanCore.secretStore = lib.mkOption { options.clanCore.secretStore = lib.mkOption {
type = lib.types.enum [ "sops" "password-store" "custom" ]; type = lib.types.enum [ "sops" "password-store" "custom" ];
@@ -69,8 +69,18 @@
readOnly = true; readOnly = true;
internal = true; internal = true;
default = '' default = ''
export PATH="${lib.makeBinPath config.path}" set -eu -o pipefail
set -efu -o pipefail
export PATH="${lib.makeBinPath config.path}:${pkgs.coreutils}/bin"
# prepare sandbox user
mkdir -p /etc
cp ${pkgs.runCommand "fake-etc" {} ''
export PATH="${pkgs.coreutils}/bin"
mkdir -p $out
cp /etc/* $out/
''}/* /etc/
${config.script} ${config.script}
''; '';
}; };

4
pkgs/clan-cli/clan_cli/secrets/generate.py
View File

@@ -56,6 +56,8 @@ def generate_secrets(machine: Machine) -> None:
"--bind", str(facts_dir), str(facts_dir), "--bind", str(facts_dir), str(facts_dir),
"--bind", str(secrets_dir), str(secrets_dir), "--bind", str(secrets_dir), str(secrets_dir),
"--unshare-all", "--unshare-all",
"--unshare-user",
"--uid", "1000",
"--", "--",
"bash", "-c", machine.secrets_data[service]["generator"] "bash", "-c", machine.secrets_data[service]["generator"]
], ],
@@ -72,7 +74,7 @@ def generate_secrets(machine: Machine) -> None:
msg = f"did not generate a file for '{secret}' when running the following command:\n" msg = f"did not generate a file for '{secret}' when running the following command:\n"
msg += machine.secrets_data[service]["generator"] msg += machine.secrets_data[service]["generator"]
raise ClanError(msg) raise ClanError(msg)
secret_store.set(service, secret, secret_file.read_text()) secret_store.set(service, secret, secret_file.read_bytes())
# store facts # store facts
for name, fact_path in machine.secrets_data[service]["facts"].items(): for name, fact_path in machine.secrets_data[service]["facts"].items():
fact_file = facts_dir / name fact_file = facts_dir / name

4
pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
View File

@@ -10,13 +10,13 @@ class SecretStore:
def __init__(self, machine: Machine) -> None: def __init__(self, machine: Machine) -> None:
self.machine = machine self.machine = machine
def set(self, service: str, name: str, value: str) -> None: def set(self, service: str, name: str, value: bytes) -> None:
subprocess.run( subprocess.run(
nix_shell( nix_shell(
["nixpkgs#pass"], ["nixpkgs#pass"],
["pass", "insert", "-m", f"machines/{self.machine.name}/{name}"], ["pass", "insert", "-m", f"machines/{self.machine.name}/{name}"],
), ),
input=value.encode("utf-8"), input=value,
check=True, check=True,
) )

4
pkgs/clan-cli/clan_cli/secrets/modules/sops.py
View File

@@ -28,11 +28,11 @@ class SecretStore:
) )
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False) add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
def set(self, _service: str, name: str, value: str) -> None: def set(self, _service: str, name: str, value: bytes) -> None:
encrypt_secret( encrypt_secret(
self.machine.flake_dir, self.machine.flake_dir,
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}", sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
value, value.decode(),
add_machines=[self.machine.name], add_machines=[self.machine.name],
) )