From 5e7d7c251e90c5fb8edda37b2a6f466236b78704 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 28 Nov 2023 13:31:18 +0100
Subject: [PATCH 1/4] add sops command to sync keys with secrets

---
 pkgs/clan-cli/clan_cli/secrets/key.py | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/secrets/key.py b/pkgs/clan-cli/clan_cli/secrets/key.py
index 0875d84b5..41c893a48 100644
--- a/pkgs/clan-cli/clan_cli/secrets/key.py
+++ b/pkgs/clan-cli/clan_cli/secrets/key.py
@@ -1,8 +1,16 @@
 import argparse
+from pathlib import Path
 
 from .. import tty
 from ..errors import ClanError
-from .sops import default_sops_key_path, generate_private_key, get_public_key
+from .folders import sops_secrets_folder
+from .secrets import collect_keys_for_path, list_secrets
+from .sops import (
+    default_sops_key_path,
+    generate_private_key,
+    get_public_key,
+    update_keys,
+)
 
 
 def generate_key() -> str:
@@ -34,6 +42,16 @@ def show_command(args: argparse.Namespace) -> None:
     print(show_key())
 
 
+def update_command(args: argparse.Namespace) -> None:
+    flake_dir = Path(args.flake)
+    for name in list_secrets(flake_dir):
+        secret_path = sops_secrets_folder(flake_dir) / name
+        update_keys(
+            secret_path,
+            list(sorted(collect_keys_for_path(secret_path))),
+        )
+
+
 def register_key_parser(parser: argparse.ArgumentParser) -> None:
     subparser = parser.add_subparsers(
         title="command",
@@ -47,3 +65,6 @@ def register_key_parser(parser: argparse.ArgumentParser) -> None:
 
     parser_show = subparser.add_parser("show", help="show age public key")
     parser_show.set_defaults(func=show_command)
+
+    parser_update = subparser.add_parser("update", help="re-encrypt all secrets with current keys (useful when changing keys)")
+    parser_update.set_defaults(func=update_command)
From 7d770465d5b23d3d2abf9f2077e116fbbf49135f Mon Sep 17 00:00:00 2001
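Review bot: `update_command` re-encrypts each secret with whatever `collect_keys_for_path` returns, and nothing guards against an empty key set; if `update_keys` accepts an empty recipient list, the secret would be rewritten in a form nobody can decrypt. A guard before the call, `keys = sorted(collect_keys_for_path(secret_path))` followed by `if not keys: raise ClanError(f"no keys found for secret {name}")` (ClanError is already imported in this file), turns that into an explicit failure and also drops the redundant `list(sorted(...))`, since `sorted` already returns a list. The command reads `args.flake` although the hunk adds no `--flake` option to the new subparser; presumably it is defined on a parent parser, which is worth confirming. The function has no docstring; `"""Re-encrypt every secret in the flake with the keys currently assigned to it."""` would do.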
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 28 Nov 2023 13:31:50 +0100
Subject: [PATCH 2/4] test: add ipv6 example without port

---
 pkgs/clan-cli/tests/test_ssh_remote.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/clan-cli/tests/test_ssh_remote.py b/pkgs/clan-cli/tests/test_ssh_remote.py
index ec727f58a..df7017711 100644
--- a/pkgs/clan-cli/tests/test_ssh_remote.py
+++ b/pkgs/clan-cli/tests/test_ssh_remote.py
@@ -7,6 +7,9 @@ def test_parse_ipv6() -> None:
     host = parse_deployment_address("foo", "[fe80::1%eth0]:2222")
     assert host.host == "fe80::1%eth0"
     assert host.port == 2222
+    host = parse_deployment_address("foo", "[fe80::1%eth0]")
+    assert host.host == "fe80::1%eth0"
+    assert host.port is None
 
 
 def test_run(host_group: HostGroup) -> None:
From 61c5cb58e3c9df86ad58b908be9280170ca5067b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 28 Nov 2023 15:23:14 +0100
Subject: [PATCH 3/4] install: fix secrets upload

---
 pkgs/clan-cli/clan_cli/machines/install.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkgs/clan-cli/clan_cli/machines/install.py b/pkgs/clan-cli/clan_cli/machines/install.py
index d3a10f43e..fc036fa99 100644
--- a/pkgs/clan-cli/clan_cli/machines/install.py
+++ b/pkgs/clan-cli/clan_cli/machines/install.py
@@ -18,7 +18,13 @@ def install_nixos(machine: Machine) -> None:
 
     with TemporaryDirectory() as tmpdir_:
         tmpdir = Path(tmpdir_)
-        machine.run_upload_secrets(tmpdir / machine.secrets_upload_directory)
+        upload_dir = machine.secrets_upload_directory
+
+        if upload_dir.startswith("/"):
+            upload_dir = upload_dir[1:]
+        upload_dir = tmpdir / upload_dir
+        upload_dir.mkdir(parents=True)
+        machine.run_upload_secrets(upload_dir)
 
         subprocess.run(
             nix_shell(
From 39617bbf03abb26f9346ab8a15e90bf9ab5a410a Mon Sep 17 00:00:00 2001
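Review bot: The new case covers a bracketed IPv6 literal without a port, but the test still does not pin what `parse_deployment_address` does with an unbracketed literal such as `fe80::1%eth0`, where the last colon is ambiguous between host and port separator. If the parser is meant to accept that form, `host = parse_deployment_address("foo", "fe80::1%eth0")` with the same two assertions would close the gap; if it is meant to reject it, an assertion on the raised error would document that instead. `test_parse_ipv6` starts before the hunk.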
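Review bot: Stripping a single leading slash does not keep the staging path inside `tmpdir`: `Path` still treats a value such as `//etc` as absolute after `[1:]`, and a value containing `..` walks out of the join, so `mkdir(parents=True)` and the upload would then operate outside the temporary directory. As far as the hunk shows, `secrets_upload_directory` comes from the machine configuration rather than from untrusted input, so this is a misconfiguration hazard, but a containment check is cheap: replace the strip-and-join with `upload_dir = tmpdir / machine.secrets_upload_directory.lstrip("/")` and follow it with `if not upload_dir.resolve().is_relative_to(tmpdir.resolve()): raise ValueError(f"secrets_upload_directory escapes the staging directory: {machine.secrets_upload_directory!r}")` (`Path.is_relative_to` needs Python 3.9+; the project's own error type is preferable if it is importable here). `install_nixos` starts before the hunk and continues after it.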
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 28 Nov 2023 15:23:35 +0100
Subject: [PATCH 4/4] run_upload_secrets: don't swallow stdout output

---
 pkgs/clan-cli/clan_cli/machines/machines.py | 1 -
 pkgs/clan-cli/clan_cli/secrets/key.py | 5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/machines/machines.py b/pkgs/clan-cli/clan_cli/machines/machines.py
index db6b974e4..265dbab7b 100644
--- a/pkgs/clan-cli/clan_cli/machines/machines.py
+++ b/pkgs/clan-cli/clan_cli/machines/machines.py
@@ -73,7 +73,6 @@ class Machine:
         proc = subprocess.run(
             [self.upload_secrets],
             env=env,
-            stdout=subprocess.PIPE,
             text=True,
         )
 
diff --git a/pkgs/clan-cli/clan_cli/secrets/key.py b/pkgs/clan-cli/clan_cli/secrets/key.py
index 41c893a48..733c960ed 100644
--- a/pkgs/clan-cli/clan_cli/secrets/key.py
+++ b/pkgs/clan-cli/clan_cli/secrets/key.py
@@ -66,5 +66,8 @@ def register_key_parser(parser: argparse.ArgumentParser) -> None:
     parser_show = subparser.add_parser("show", help="show age public key")
     parser_show.set_defaults(func=show_command)
 
-    parser_update = subparser.add_parser("update", help="re-encrypt all secrets with current keys (useful when changing keys)")
+    parser_update = subparser.add_parser(
+        "update",
+        help="re-encrypt all secrets with current keys (useful when changing keys)",
+    )
     parser_update.set_defaults(func=update_command)
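Review bot: With `stdout=subprocess.PIPE` removed, `proc.stdout` is now `None`, so any later read of `proc.stdout` in this method (the body continues outside the hunk) would fail or silently yield nothing; please check the rest of the method before merging. The visible `subprocess.run` call also passes no `check=True`, and the hunk does not show `proc.returncode` being inspected, so a failing upload script could go unnoticed amid the output it now prints; adding `check=True,` next to `text=True,`, or raising on a non-zero `proc.returncode`, makes that failure explicit. The enclosing `Machine` class starts before the hunk.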