From f1e80704127dba02034e61415f74fae620afb653 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 13:53:20 +0200
Subject: [PATCH 1/6] Revert "fix machines folder not beeing present yet"

This reverts commit 14335ae5765a8e58f3c04ab8231e5c79c71745df.
---
 lib/build-clan/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/build-clan/default.nix b/lib/build-clan/default.nix
index 658c60a1f..265a1c584 100644
--- a/lib/build-clan/default.nix
+++ b/lib/build-clan/default.nix
@@ -23,7 +23,7 @@ let
 (machines.${name} or { })
 {
 clanCore.machineName = name;
- clanCore.clanDir = builtins.toString directory;
+ clanCore.clanDir = directory;
 # TODO: remove this once we have a hardware-config mechanism
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }

From cfec69fec493e447b8651b96f1aa0309dfed50c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 14:04:18 +0200
Subject: [PATCH 2/6] different fix for missing secrets

---
 lib/build-clan/default.nix | 4 ++--
 nixosModules/clanCore/secrets/sops.nix | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/build-clan/default.nix b/lib/build-clan/default.nix
index 265a1c584..405934a2c 100644
--- a/lib/build-clan/default.nix
+++ b/lib/build-clan/default.nix
@@ -6,12 +6,12 @@
 let
 machinesDirs =
 if builtins.pathExists "${directory}/machines"
- then builtins.readDir "${directory}/machines"
+ then builtins.readDir directory + /machines
 else { };
 machineSettings = machineName:
 if builtins.pathExists "${directory}/machines/${machineName}/settings.json"
- then builtins.fromJSON (builtins.readFile "${directory}/machines/${machineName}/settings.json")
+ then builtins.fromJSON (builtins.readFile directory + /machines/${machineName}/settings.json)
 else { };
 nixosConfigurations = lib.mapAttrs
diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index 05973cc4f..58a6eef6d 100644
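Review bot: With `clanCore.clanDir = directory;` the option receives whatever type the caller passes, and at this point in the series sops.nix still consumes it as `"${config.clanCore.clanDir}/sops/secrets/…"`; if `directory` is a path value (the later `directory + /machines` arithmetic suggests it is), that interpolation coerces the path to a store path, copying the whole clan directory into the world-readable Nix store. The reverted `builtins.toString` avoided that copy, so this revert re-opens the question of what type the option is meant to carry. The option definition is not in this series, but it should pin one type (e.g. `type = lib.types.path`) and its description should say whether consumers must use path arithmetic (`clanDir + "/…"`) or string interpolation; PATCH 2/6 and 4/6 switch only some consumers to `+`.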
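Review bot: `builtins.readDir directory + /machines` parses as `(builtins.readDir directory) + /machines` because function application binds tighter than `+`, so the added `then` line tries to add a path to an attribute set, and the `readFile` line likewise reads `directory` itself before appending; neither added line can evaluate. The fix is `then builtins.readDir (directory + /machines)` and `then builtins.fromJSON (builtins.readFile (directory + /machines/${machineName}/settings.json))`. PATCH 6/6 adds exactly these parentheses, so squashing this hunk into that commit would keep the series bisectable.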
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -59,7 +59,7 @@
 in
 builtins.mapAttrs
 (name: _: {
- sopsFile = "${config.clanCore.clanDir}/sops/secrets/${name}/secret";
+ sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
 format = "binary";
 })
 secrets;

From 2a9be18d31178e9dbde4f0033cd701aab938e5a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 14:17:00 +0200
Subject: [PATCH 3/6] generate-secrets: use - instead of _ as file seperator

---
 nixosModules/clanCore/secrets/sops.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index 58a6eef6d..fb06c393d 100644
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
 config = {
- system.clan.generateSecrets = pkgs.writeScript "generate_secrets" ''
+ system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
 #!/bin/sh
 set -efu
 set -x # remove for prod

From 89cdbdd62a3df9789f4ac5d20fb6cdeb0f61cea4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 14:55:53 +0200
Subject: [PATCH 4/6] also auto-import group secrets

---
 checks/secrets/default.nix | 6 ++-
 .../foo => groups/group}/machines/machine | 0
 .../sops/secrets/group-secret/groups/group | 1 +
 .../secrets/sops/secrets/group-secret/secret | 20 ++++++++
 .../sops/secrets/secret/machines/machine | 1 +
 .../sops/secrets/{foo => secret}/secret | 0
 .../sops/secrets/{foo => secret}/users/admin | 0
 nixosModules/clanCore/secrets/sops.nix | 47 +++++++++++--------
 8 files changed, 54 insertions(+), 21 deletions(-)
 rename checks/secrets/sops/{secrets/foo => groups/group}/machines/machine (100%)
 create mode 120000 checks/secrets/sops/secrets/group-secret/groups/group
 create mode 100644 checks/secrets/sops/secrets/group-secret/secret
 create mode 120000 checks/secrets/sops/secrets/secret/machines/machine
 rename checks/secrets/sops/secrets/{foo => secret}/secret (100%)
 rename checks/secrets/sops/secrets/{foo => secret}/users/admin (100%)

diff --git a/checks/secrets/default.nix b/checks/secrets/default.nix
index c6b1a8b2b..8f050bf7b 100644
--- a/checks/secrets/default.nix
+++ b/checks/secrets/default.nix
@@ -5,13 +5,17 @@
 imports = [
 (self.nixosModules.clanCore)
 ];
- environment.etc."secret".source = config.sops.secrets.foo.path;
+ environment.etc."secret".source = config.sops.secrets.secret.path;
+ environment.etc."group-secret".source = config.sops.secrets.group-secret.path;
 sops.age.keyFile = ./key.age;
+ clanCore.clanDir = "${./.}";
 clanCore.machineName = "machine";
+ networking.hostName = "machine";
 };
 testScript = ''
 machine.succeed("cat /etc/secret >&2")
+ machine.succeed("cat /etc/group-secret >&2")
 '';
 }
diff --git a/checks/secrets/sops/secrets/foo/machines/machine b/checks/secrets/sops/groups/group/machines/machine
similarity index 100%
rename from checks/secrets/sops/secrets/foo/machines/machine
rename to checks/secrets/sops/groups/group/machines/machine
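Review bot: `clanCore.clanDir = "${./.}";` interpolates the checks directory into a string, which copies the entire `checks/secrets` tree — including `key.age`, the age private key referenced by `sops.age.keyFile` one line above — into the Nix store. For a throw-away test key that is acceptable, but the line deserves a comment such as `# test fixture: interpolating ./. copies this whole directory (including the test-only key.age) into the store` so the pattern is not copied into real deployments. The two `machine.succeed("cat … >&2")` calls also only prove the files are readable; comparing the output with the expected plaintext would catch an empty or mis-decrypted secret.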
diff --git a/checks/secrets/sops/secrets/group-secret/groups/group b/checks/secrets/sops/secrets/group-secret/groups/group
new file mode 120000
index 000000000..ad3ef6eac
--- /dev/null
+++ b/checks/secrets/sops/secrets/group-secret/groups/group
@@ -0,0 +1 @@
+../../../groups/group
\ No newline at end of file
diff --git a/checks/secrets/sops/secrets/group-secret/secret b/checks/secrets/sops/secrets/group-secret/secret
new file mode 100644
index 000000000..fc575a972
--- /dev/null
+++ b/checks/secrets/sops/secrets/group-secret/secret
@@ -0,0 +1,20 @@
+{
+ "data": "ENC[AES256_GCM,data:FgF3,iv:QBbnqZ6405qmwGKhbolPr9iobngXt8rtfUwCBOnmwRA=,tag:7gqI1zLVnTkZ0xrNn/LEkA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age15x8u838dwqflr3t6csf4tlghxm4tx77y379ncqxav7y2n8qp7yzqgrwt00",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArMHcxKzhUZzNHQmQrb28x\nRC9UMlZMeDN3S1l1eHdUWmV4VUVReHhhQ0RnCjAyUXVlY1FmclVmL2lEdFZuTmll\nVENpa3AwbjlDck5zdGdHUTRnNEdEOUkKLS0tIER3ZlNMSVFnRElkRDcxajZnVmFl\nZThyYzcvYUUvaWJYUmlwQ3dsSDdjSjgK+tj34yBzrsIjm6V+T9wTgz5FdNGOR7I/\nVB4fh8meW0vi/PCK/rajC8NbqmK8qq/lwsF/JwfZKDSdG0FOJUB1AA==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2023-09-03T12:44:56Z",
+ "mac": "ENC[AES256_GCM,data:d5a0WfE5ZRLKF1NZkBfOl+cVI8ZZHd2rC+qX/giALjyrzk09rLxBeY4lO827GFfMmVy/oC7ceH9pjv2O7ibUiQtcbGIQVBg/WP+dVn8fRMWtF0jpv9BhYTutkVk3kiddqPGhp3mpwvls2ot5jtCRczTPk3JSxN3B1JSJCmj9GfQ=,iv:YmlkTYFNUaFRWozO8+OpEVKaSQmh+N9zpatwUNMPNyw=,tag:mEGQ4tdo82qlhKWalQuufg==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/checks/secrets/sops/secrets/secret/machines/machine b/checks/secrets/sops/secrets/secret/machines/machine
new file mode 120000
index 000000000..4cef1e1fa
--- /dev/null
+++ b/checks/secrets/sops/secrets/secret/machines/machine
@@ -0,0 +1 @@
+../../../machines/machine
\ No newline at end of file
diff --git a/checks/secrets/sops/secrets/foo/secret b/checks/secrets/sops/secrets/secret/secret
similarity index 100%
rename from checks/secrets/sops/secrets/foo/secret
rename to checks/secrets/sops/secrets/secret/secret
diff --git a/checks/secrets/sops/secrets/foo/users/admin b/checks/secrets/sops/secrets/secret/users/admin
similarity index 100%
rename from checks/secrets/sops/secrets/foo/users/admin
rename to checks/secrets/sops/secrets/secret/users/admin
diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index fb06c393d..ab9772282 100644
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
@@ -1,4 +1,25 @@
 { config, lib, pkgs, ... }:
+let
+ secretsDir = config.clanCore.clanDir + "/sops/secrets";
+ groupsDir = config.clanCore.clanDir + "/sops/groups";
+
+ # My symlink is in the nixos module detected as a directory also it works in the repl. Is this because of pure evaluation?
+ containsSymlink = path:
+ builtins.pathExists path && (builtins.readFileType path == "directory" || builtins.readFileType path == "symlink");
+
+ containsMachine = parent: name: type:
+ type == "directory" && containsSymlink "${parent}/${name}/machines/${config.clanCore.machineName}";
+
+ containsMachineOrGroups = name: type:
+ (containsMachine secretsDir name type) || lib.any (group: type == "directory" && containsSymlink "${secretsDir}/${name}/groups/${group}") groups;
+
+ filterDir = filter: dir:
+ lib.optionalAttrs (builtins.pathExists dir)
+ (lib.filterAttrs filter (builtins.readDir dir));
+
+ groups = builtins.attrNames (filterDir (containsMachine groupsDir) groupsDir);
+ secrets = filterDir containsMachineOrGroups secretsDir;
+in
 {
 config = {
 system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
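Review bot: `containsMachine` and `containsMachineOrGroups` build their probe paths by string interpolation (`"${parent}/${name}/machines/…"`, `"${secretsDir}/${name}/groups/${group}"`), and when `clanCore.clanDir` is a path value — as it appears to be once buildClan passes `directory` through — `secretsDir` and `groupsDir` are paths, so each interpolation copies the whole `sops/secrets` or `sops/groups` tree into the store before `pathExists` is even consulted, even though the two `…Dir` bindings themselves carefully use `+` to avoid that. Keeping path arithmetic throughout, e.g. `containsSymlink (parent + "/${name}/machines/${config.clanCore.machineName}")` and `containsSymlink (secretsDir + "/${name}/groups/${group}")`, keeps the values as paths and removes the copy. The leading comment is a question left in the code; it should instead state what was observed and what `containsSymlink` therefore accepts (`"directory"` as well as `"symlink"`), and note that a membership entry is matched by name only — its symlink target is never checked.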
@@ -43,26 +64,12 @@
 fi)
 '') "" config.clanCore.secrets}
 '';
- sops.secrets =
- let
- secretsDir = config.clanCore.clanDir + "/sops/secrets";
- encryptedForThisMachine = name: type:
- let
- symlink = "${secretsDir}/${name}/machines/${config.clanCore.machineName}";
- in
- # WTF, nix bug, my symlink is in the nixos module detected as a directory also it works in the repl
- type == "directory" && builtins.pathExists symlink && (builtins.readFileType symlink == "directory" || builtins.readFileType symlink == "symlink");
- secrets =
- if !(builtins.pathExists secretsDir)
- then { }
- else lib.filterAttrs encryptedForThisMachine (builtins.readDir secretsDir);
- in
- builtins.mapAttrs
- (name: _: {
- sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
- format = "binary";
- })
- secrets;
+ sops.secrets = builtins.mapAttrs
+ (name: _: {
+ sopsFile = config.clanCore.clanDir + "/sops/secrets/${name}/secret";
+ format = "binary";
+ })
+ secrets;
 # To get proper error messages about missing secrets we need a dummy secret file that is always present
 sops.defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")));
 };

From 618fb4b8a7b2b03f5c9b30e01b54cc82f087003c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 15:17:28 +0200
Subject: [PATCH 5/6] impureTest: add clan to $PATH for debugging

---
 checks/impure/flake-module.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/checks/impure/flake-module.nix b/checks/impure/flake-module.nix
index d8018061b..4d571c4d0 100644
--- a/checks/impure/flake-module.nix
+++ b/checks/impure/flake-module.nix
@@ -17,6 +17,7 @@
 pkgs.jq
 pkgs.openssh
 pkgs.nix
+ self'.packages.clan-cli
 ]}"
 cd $TMPDIR
@@ -32,10 +33,10 @@
 nix flake show
 echo create a machine
- ${self'.packages.clan-cli}/bin/clan machines create machine1
+ clan machines create machine1
 echo check machine1 exists
- ${self'.packages.clan-cli}/bin/clan machines list | grep -q machine1
+ clan machines list | grep -q machine1
 echo check machine1 appears in nixosConfigurations
 nix flake show --json | jq '.nixosConfigurations' | grep -q machine1

From d51dd39ae3caba9281bb3987632efdd1ee48accb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 3 Sep 2023 15:18:29 +0200
Subject: [PATCH 6/6] buildClan: fix importing machines from settings

---
 lib/build-clan/default.nix | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/lib/build-clan/default.nix b/lib/build-clan/default.nix
index 405934a2c..f931b8d6f 100644
--- a/lib/build-clan/default.nix
+++ b/lib/build-clan/default.nix
@@ -4,15 +4,12 @@
 , machines ? { } # allows to include machine-specific modules i.e. machines.${name} = { ... }
 }:
 let
- machinesDirs =
- if builtins.pathExists "${directory}/machines"
- then builtins.readDir directory + /machines
- else { };
+ machinesDirs = lib.optionalAttrs (builtins.pathExists "${directory}/machines") (builtins.readDir (directory + /machines));
 machineSettings = machineName:
- if builtins.pathExists "${directory}/machines/${machineName}/settings.json"
- then builtins.fromJSON (builtins.readFile directory + /machines/${machineName}/settings.json)
- else { };
+ lib.optionalAttrs (builtins.pathExists "${directory}/machines/${machineName}/settings.json")
+ builtins.fromJSON
+ (builtins.readFile (directory + /machines/${machineName}/settings.json));
 nixosConfigurations = lib.mapAttrs
 (name: _:
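Review bot: The new `machineSettings` body parses as `(lib.optionalAttrs cond builtins.fromJSON) (builtins.readFile …)` because application is left-associative, so for a machine without `settings.json` the `{ }` that `optionalAttrs` returns is applied as a function and evaluation fails with "attempt to call something which is not a function"; the commit only fixes the case where the file exists. Wrap the parsed value instead: `lib.optionalAttrs (builtins.pathExists "${directory}/machines/${machineName}/settings.json")` followed by `(builtins.fromJSON (builtins.readFile (directory + /machines/${machineName}/settings.json)));`. The `machinesDirs` line above it is parenthesized correctly, and the enclosing `let` continues past the end of this hunk.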