From 6130505177b090c52c7d3a71b02236e16c1ada43 Mon Sep 17 00:00:00 2001
From: a-kenji
Date: Wed, 14 Aug 2024 23:10:15 +0200
Subject: [PATCH] vars: fix using vars module with multiple machines
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This filters the secrets to only include the secrets managed under `per-machine` and `shared`, otherwise new deployments will fail, when using the vars module for multiple machines:

```
[vyr] /nix/store/[…]sops-install-secrets: failed to decrypt '/nix/store/[…]/sops/vars/per-machine/draper/garage/admin_token/secret': Error getting data key: 0 successful groups required, got 0
```

This doesn't fix all the edge cases with this approach. We get a similar error if we deploy shared vars that are not encrypted for our machine key. This needs to be addressed when implementing the shared vars functionality.
---
 nixosModules/clanCore/vars/secret/sops/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix
index e30367816..43c0983d1 100644
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -13,7 +13,14 @@ let
   varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine";
   varsDirShared = config.clan.core.clanDir + "/sops/vars/shared";
-  vars = (listVars varsDirMachines) ++ (listVars varsDirShared);
+  varsUnfiltered = (listVars varsDirMachines) ++ (listVars varsDirShared);
+  filterVars =
+    vars:
+    builtins.elem vars.machine [
+      config.clan.core.machineName
+      "shared"
+    ];
+  vars = lib.filter filterVars varsUnfiltered;
 in
 {