Merge pull request 'Fix import group secrets and fix import sops files into the nix store' (#245) from machines-import-fix into main

2023-09-03 13:31:33 +00:00
parent fed4b99477 d51dd39ae3
commit dfb47b5c4b
10 changed files with 63 additions and 32 deletions
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -17,6 +17,7 @@
            pkgs.jq
            pkgs.openssh
            pkgs.nix
+            self'.packages.clan-cli
          ]}"

          cd $TMPDIR
@@ -32,10 +33,10 @@
          nix flake show

          echo create a machine
-          ${self'.packages.clan-cli}/bin/clan machines create machine1
+          clan machines create machine1

          echo check machine1 exists
-          ${self'.packages.clan-cli}/bin/clan machines list | grep -q machine1
+          clan machines list | grep -q machine1

          echo check machine1 appears in nixosConfigurations
          nix flake show --json | jq '.nixosConfigurations' | grep -q machine1
--- a/checks/secrets/default.nix
+++ b/checks/secrets/default.nix
@@ -5,13 +5,17 @@
    imports = [
      (self.nixosModules.clanCore)
    ];
-    environment.etc."secret".source = config.sops.secrets.foo.path;
+    environment.etc."secret".source = config.sops.secrets.secret.path;
+    environment.etc."group-secret".source = config.sops.secrets.group-secret.path;
    sops.age.keyFile = ./key.age;
+
    clanCore.clanDir = "${./.}";
    clanCore.machineName = "machine";
+
    networking.hostName = "machine";
  };
  testScript = ''
    machine.succeed("cat /etc/secret >&2")
+    machine.succeed("cat /etc/group-secret >&2")
  '';
 }
--- a/checks/secrets/sops/groups/group/machines/machine
+++ b/checks/secrets/sops/groups/group/machines/machine
--- a/checks/secrets/sops/secrets/group-secret/groups/group
+++ b/checks/secrets/sops/secrets/group-secret/groups/group
@@ -0,0 +1 @@
+../../../groups/group
--- a/checks/secrets/sops/secrets/group-secret/secret
+++ b/checks/secrets/sops/secrets/group-secret/secret
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:FgF3,iv:QBbnqZ6405qmwGKhbolPr9iobngXt8rtfUwCBOnmwRA=,tag:7gqI1zLVnTkZ0xrNn/LEkA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMHcxKzhUZzNHQmQrb28x\nRC9UMlZMeDN3S1l1eHdUWmV4VUVReHhhQ0RnCjAyUXVlY1FmclVmL2lEdFZuTmll\nVENpa3AwbjlDck5zdGdHUTRnNEdEOUkKLS0tIER3ZlNMSVFnRElkRDcxajZnVmFl\nZThyYzcvYUUvaWJYUmlwQ3dsSDdjSjgK+tj34yBzrsIjm6V+T9wTgz5FdNGOR7I/\nVB4fh8meW0vi/PCK/rajC8NbqmK8qq/lwsF/JwfZKDSdG0FOJUB1AA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-09-03T12:44:56Z",
+		"mac": "ENC[AES256_GCM,data:d5a0WfE5ZRLKF1NZkBfOl+cVI8ZZHd2rC+qX/giALjyrzk09rLxBeY4lO827GFfMmVy/oC7ceH9pjv2O7ibUiQtcbGIQVBg/WP+dVn8fRMWtF0jpv9BhYTutkVk3kiddqPGhp3mpwvls2ot5jtCRczTPk3JSxN3B1JSJCmj9GfQ=,iv:YmlkTYFNUaFRWozO8+OpEVKaSQmh+N9zpatwUNMPNyw=,tag:mEGQ4tdo82qlhKWalQuufg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
--- a/checks/secrets/sops/secrets/secret/machines/machine
+++ b/checks/secrets/sops/secrets/secret/machines/machine
@@ -0,0 +1 @@
+../../../machines/machine
--- a/checks/secrets/sops/secrets/secret/secret
+++ b/checks/secrets/sops/secrets/secret/secret
--- a/checks/secrets/sops/secrets/secret/users/admin
+++ b/checks/secrets/sops/secrets/secret/users/admin
--- a/lib/build-clan/default.nix
+++ b/lib/build-clan/default.nix
@@ -4,15 +4,12 @@
 , machines ? { } # allows to include machine-specific modules i.e. machines.${name} = { ... }
 }:
 let
-  machinesDirs =
-    if builtins.pathExists "${directory}/machines"
-    then builtins.readDir "${directory}/machines"
-    else { };
+  machinesDirs = lib.optionalAttrs (builtins.pathExists "${directory}/machines") (builtins.readDir (directory + /machines));

  machineSettings = machineName:
-    if builtins.pathExists "${directory}/machines/${machineName}/settings.json"
-    then builtins.fromJSON (builtins.readFile "${directory}/machines/${machineName}/settings.json")
-    else { };
+    lib.optionalAttrs (builtins.pathExists "${directory}/machines/${machineName}/settings.json")
+      builtins.fromJSON
+      (builtins.readFile (directory + /machines/${machineName}/settings.json));

  nixosConfigurations = lib.mapAttrs
    (name: _:
@@ -23,7 +20,7 @@ let
          (machines.${name} or { })
          {
            clanCore.machineName = name;
-            clanCore.clanDir = builtins.toString directory;
+            clanCore.clanDir = directory;
            # TODO: remove this once we have a hardware-config mechanism
            nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
          }
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -1,7 +1,28 @@
 { config, lib, pkgs, ... }:
+let
+  secretsDir = config.clanCore.clanDir + "/sops/secrets";
+  groupsDir = config.clanCore.clanDir + "/sops/groups";
+
+  # My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation?
+  containsSymlink = path:
+    builtins.pathExists path && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink");
+
+  containsMachine = parent: name: type:
+    type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}";
+
+  containsMachineOrGroups = name: type:
+    (containsMachine secretsDir name type) || lib.any (group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}") groups;
+
+  filterDir = filter: dir:
+    lib.optionalAttrs (builtins.pathExists dir)
+      (lib.filterAttrs filter (builtins.readDir dir));
+
+  groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir);
+  secrets = filterDir containsMachineOrGroups secretsDir;
+in
 {
  config = {
-    system.clan.generateSecrets = pkgs.writeScript "generate_secrets" ''
+    system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
      #!/bin/sh
      set -efu
      set -x # remove for prod
@@ -43,26 +64,12 @@
        fi)
      '') "" config.clanCore.secrets}
    '';
-    sops.secrets =
-      let
-        secretsDir = config.clanCore.clanDir + "/sops/secrets";
-        encryptedForThisMachine = name: type:
-          let
-            symlink = "${secretsDir}/${name}/machines/${config.clanCore.machineName}";
-          in
-          # WTF, nix bug, my symlink is in the nixos module detected as a directory also it works in the repl
-          type == "directory" && builtins.pathExists symlink && (builtins.readFileType symlink == "directory" || builtins.readFileType symlink == "symlink");
-        secrets =
-          if !(builtins.pathExists secretsDir)
-          then { }
-          else lib.filterAttrs encryptedForThisMachine (builtins.readDir secretsDir);
-      in
-      builtins.mapAttrs
-        (name: _: {
-          sopsFile = "${config.clanCore.clanDir}/sops/secrets/${name}/secret";
-          format = "binary";
-        })
-        secrets;
+    sops.secrets = builtins.mapAttrs
+      (name: _: {
+        sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
+        format = "binary";
+      })
+      secrets;
    # To get proper error messages about missing secrets we need a dummy secret file that is always present
    sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
  };