From cb860f9a036428ac0715345115501117228f7421 Mon Sep 17 00:00:00 2001
From: DavHau
Date: Wed, 21 Aug 2024 14:59:05 +0200
Subject: [PATCH] Revert "vars: fix - upload machines own secrets only"

This reverts commit 8d61b03f8de5b93b9a4528c951f0a072e571bd80.
---
 .../clanCore/vars/secret/sops/default.nix    | 12 ++++++++---
 .../vars/secret/sops/eval-tests/default.nix  |  9 ++++-----
 .../clanCore/vars/secret/sops/funcs.nix      | 20 +++++++++++--------
 pkgs/clan-cli/tests/test_vars_deployment.py  |  4 ++--
 4 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/nixosModules/clanCore/vars/secret/sops/default.nix b/nixosModules/clanCore/vars/secret/sops/default.nix
index 17e95f30e..43c0983d1 100644
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -10,11 +10,17 @@ let
   inherit (import ./funcs.nix { inherit lib; }) listVars;
-  varsDirMachines =
-    config.clan.core.clanDir + "/sops/vars/per-machine/${config.clan.core.machineName}";
+  varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine";
   varsDirShared = config.clan.core.clanDir + "/sops/vars/shared";
-  vars = lib.traceValSeq (listVars varsDirMachines) ++ (listVars varsDirShared);
+  varsUnfiltered = (listVars varsDirMachines) ++ (listVars varsDirShared);
+  filterVars =
+    vars:
+    builtins.elem vars.machine [
+      config.clan.core.machineName
+      "shared"
+    ];
+  vars = lib.filter filterVars varsUnfiltered;
 in
 {
diff --git a/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix b/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
index b1e2b4616..d775350a0 100644
--- a/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/eval-tests/default.nix
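Review bot: `filterVars` names its single-entry parameter `vars`, the same name as the `vars` let-binding it is used to build two lines later, which reads as if the whole list were being tested rather than one entry; `filterVars = var: builtins.elem var.machine [ config.clan.core.machineName "shared" ];` avoids the shadowing. The filter only keeps entries whose `machine` attribute equals the machine name or the literal `"shared"`, and `listVars` as restored in funcs.nix by this same patch derives `machine` from the first directory level under `varsDir`, so entries from `varsDirShared` survive only if the checkout really has a `shared` level at that depth — if the shared tree is laid out `shared/<generator>/<secret>` instead, every shared var is silently dropped, which a comment stating the expected layout next to `varsDirShared` would at least make visible. The `let` block this hunk edits continues outside the hunk.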
@@ -21,24 +21,23 @@ in
   };
   test_listSecrets = {
-    expr = listVars "per_machine" ./populated/vars/my_machine;
+    expr = listVars ./populated/vars;
     expected = [
       {
+        machine = "my_machine";
         generator = "my_generator";
         name = "my_secret";
-        id = "per_machine/my_generator/my_secret";
-        sopsFile = "${./populated/vars/my_machine}/my_generator/my_secret/secret";
       }
     ];
   };
   test_listSecrets_no_vars = {
-    expr = listVars "per_machine" noVars;
+    expr = listVars noVars;
     expected = [ ];
   };
   test_listSecrets_empty_vars = {
-    expr = listVars "per_machine" emtpyVars;
+    expr = listVars emtpyVars;
     expected = [ ];
   };
 }
diff --git a/nixosModules/clanCore/vars/secret/sops/funcs.nix b/nixosModules/clanCore/vars/secret/sops/funcs.nix
index 70b565a43..4b6dded74 100644
--- a/nixosModules/clanCore/vars/secret/sops/funcs.nix
+++ b/nixosModules/clanCore/vars/secret/sops/funcs.nix
@@ -14,13 +14,17 @@ rec {
   listVars =
     varsDir:
-    flip concatMap (readDirNames (varsDir)) (
-      generator_name:
-      flip map (readDirNames (varsDir + "/${generator_name}")) (secret_name: {
-        generator = generator_name;
-        name = secret_name;
-        id = "${generator_name}/${secret_name}";
-        sopsFile = "${varsDir}/${generator_name}/${secret_name}/secret";
-      })
+    flip concatMap (readDirNames varsDir) (
+      machine_name:
+      flip concatMap (readDirNames (varsDir + "/${machine_name}")) (
+        generator_name:
+        flip map (readDirNames (varsDir + "/${machine_name}/${generator_name}")) (secret_name: {
+          machine = machine_name;
+          generator = generator_name;
+          name = secret_name;
+          id = "${machine_name}/${generator_name}/${secret_name}";
+          sopsFile = "${varsDir}/${machine_name}/${generator_name}/${secret_name}/secret";
+        })
+      )
     );
 }
diff --git a/pkgs/clan-cli/tests/test_vars_deployment.py b/pkgs/clan-cli/tests/test_vars_deployment.py
index 7ea04a488..2b2c361d7 100644
--- a/pkgs/clan-cli/tests/test_vars_deployment.py
+++ b/pkgs/clan-cli/tests/test_vars_deployment.py
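Review bot: The expected value for `test_listSecrets` now lists only `machine`, `generator` and `name`, but `listVars` as restored in funcs.nix by this same patch still emits `id` and `sopsFile` for every entry, so an exact-equality harness (which is what `lib.runTests` does, if that is what drives these tests) would report this test as failing. Either add `id = "my_machine/my_generator/my_secret";` and `sopsFile = "${./populated/vars}/my_machine/my_generator/my_secret/secret";` to the expected attrset, or compare a projection of the result. The misspelled fixture name `emtpyVars` is defined outside the hunk and is merely carried over here, but renaming it to `emptyVars` at its definition would make the test names and fixtures agree. The enclosing attribute set starts before the hunk.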
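Review bot: The restored `listVars` walks three directory levels and bakes that layout into both `id` and `sopsFile`, but nothing in the function says so, and default.nix in this patch applies the same walk to the shared vars directory, where the first level is then reported as `machine`. A header comment would make the contract explicit, e.g. `# listVars: enumerate <varsDir>/<machine>/<generator>/<secret>/secret and return one { machine, generator, name, id, sopsFile } attrset per secret; every entry at each level is assumed to be a directory.` Whether `readDirNames` already skips non-directory entries is not visible here, since it is defined outside the hunk.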
@@ -35,8 +35,8 @@ def test_vm_deployment(
     cli.run(["vars", "generate", "my_machine"])
     run_vm_in_thread("my_machine")
     qga = qga_connect("my_machine")
-    qga.run("ls /run/secrets/my_generator/my_secret", check=True)
-    _, out, _ = qga.run("cat /run/secrets/my_generator/my_secret")
+    qga.run("ls /run/secrets/my_machine/my_generator/my_secret", check=True)
+    _, out, _ = qga.run("cat /run/secrets/my_machine/my_generator/my_secret")
     assert out == "hello\n"
     qga.exec_cmd("poweroff")
     wait_vm_down("my_machine")
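Review bot: The `cat` on the second changed line runs without `check=True`, so if the file exists but is unreadable the failure presumably surfaces only as an empty `out` at `assert out == "hello\n"` rather than at the command that failed; the preceding `ls` with `check=True` catches a missing file but not a permission problem, which for a secret is the case worth pinning. `_, out, _ = qga.run("cat /run/secrets/my_machine/my_generator/my_secret", check=True)` reports the failing command directly and makes the `ls` line redundant. The test function `test_vm_deployment` begins before the hunk.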