yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

secrets: fix: don't generate secrets if no secrets are defined

Browse Source
This commit is contained in:
DavHau
2023-10-06 18:34:49 +02:00
parent 5ab0840939
commit c5b2e9b5f3
3 changed files with 36 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
nixosModules/clanCore/flake-module.nix
View File

@@ -66,12 +66,14 @@
description = '' description = ''
script to upload secrets to the deployment server script to upload secrets to the deployment server
''; '';
default = "${pkgs.coreutils}/bin/true";
}; };
generateSecrets = lib.mkOption { generateSecrets = lib.mkOption {
type = lib.types.path; type = lib.types.path;
description = '' description = ''
script to generate secrets script to generate secrets
''; '';
default = "${pkgs.coreutils}/bin/true";
}; };
vm.config = lib.mkOption { vm.config = lib.mkOption {
type = lib.types.attrs; type = lib.types.attrs;

64
nixosModules/clanCore/secrets/password-store.nix
View File

@@ -13,44 +13,46 @@ in
config = lib.mkIf (config.clanCore.secretStore == "password-store") { config = lib.mkIf (config.clanCore.secretStore == "password-store") {
clanCore.secretsDirectory = config.clan.password-store.targetDirectory; clanCore.secretsDirectory = config.clan.password-store.targetDirectory;
clanCore.secretsUploadDirectory = config.clan.password-store.targetDirectory; clanCore.secretsUploadDirectory = config.clan.password-store.targetDirectory;
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" '' system.clan.generateSecrets = lib.mkIf (config.clanCore.secrets != { }) (
#!/bin/sh pkgs.writeScript "generate-secrets" ''
set -efu #!/bin/sh
set -efu
test -d "$CLAN_DIR" test -d "$CLAN_DIR"
PATH=${lib.makeBinPath [ PATH=${lib.makeBinPath [
pkgs.pass pkgs.pass
]}:$PATH ]}:$PATH
# TODO maybe initialize password store if it doesn't exist yet # TODO maybe initialize password store if it doesn't exist yet
${lib.foldlAttrs (acc: n: v: '' ${lib.foldlAttrs (acc: n: v: ''
${acc} ${acc}
# ${n} # ${n}
# if any of the secrets are missing, we regenerate all connected facts/secrets # if any of the secrets are missing, we regenerate all connected facts/secrets
(if ! (${lib.concatMapStringsSep " && " (x: "test -e ${passwordstoreDir}/machines/${config.clanCore.machineName}/${x.name}.gpg >/dev/null") (lib.attrValues v.secrets)}); then (if ! (${lib.concatMapStringsSep " && " (x: "test -e ${passwordstoreDir}/machines/${config.clanCore.machineName}/${x.name}.gpg >/dev/null") (lib.attrValues v.secrets)}); then
tmpdir=$(mktemp -d) tmpdir=$(mktemp -d)
trap "rm -rf $tmpdir" EXIT trap "rm -rf $tmpdir" EXIT
cd $tmpdir cd $tmpdir
facts=$(mktemp -d) facts=$(mktemp -d)
trap "rm -rf $facts" EXIT trap "rm -rf $facts" EXIT
secrets=$(mktemp -d) secrets=$(mktemp -d)
trap "rm -rf $secrets" EXIT trap "rm -rf $secrets" EXIT
( ${v.generator} ) ( ${v.generator} )
${lib.concatMapStrings (fact: '' ${lib.concatMapStrings (fact: ''
mkdir -p "$CLAN_DIR"/"$(dirname ${fact.path})" mkdir -p "$CLAN_DIR"/"$(dirname ${fact.path})"
cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path} cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
'') (lib.attrValues v.facts)} '') (lib.attrValues v.facts)}
${lib.concatMapStrings (secret: '' ${lib.concatMapStrings (secret: ''
cat "$secrets"/${secret.name} | pass insert -m machines/${config.clanCore.machineName}/${secret.name} cat "$secrets"/${secret.name} | pass insert -m machines/${config.clanCore.machineName}/${secret.name}
'') (lib.attrValues v.secrets)} '') (lib.attrValues v.secrets)}
fi) fi)
'') "" config.clanCore.secrets} '') "" config.clanCore.secrets}
''; ''
);
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" '' system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
#!/bin/sh #!/bin/sh
set -efu set -efu

2
nixosModules/clanCore/secrets/sops.nix
View File

@@ -25,7 +25,7 @@ in
config = lib.mkIf (config.clanCore.secretStore == "sops") { config = lib.mkIf (config.clanCore.secretStore == "sops") {
clanCore.secretsDirectory = "/run/secrets"; clanCore.secretsDirectory = "/run/secrets";
clanCore.secretsPrefix = config.clanCore.machineName + "-"; clanCore.secretsPrefix = config.clanCore.machineName + "-";
system.clan = { system.clan = lib.mkIf (config.clanCore.secrets != { }) {
generateSecrets = pkgs.writeScript "generate-secrets" '' generateSecrets = pkgs.writeScript "generate-secrets" ''
#!${pkgs.python3}/bin/python #!${pkgs.python3}/bin/python