vars: introduce deploy=true/false for generated files

2024-09-01 14:30:13 +02:00
parent 2ca4fd29e4
commit ec055f7606
11 changed files with 69 additions and 17 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@@ -87,9 +87,10 @@ def encrypt_secret(
    add_users: list[str] = [],
    add_machines: list[str] = [],
    add_groups: list[str] = [],
+    meta: dict = {},
 ) -> None:
    key = ensure_sops_key(flake_dir)
-    keys = set([])
+    recipient_keys = set([])

    files_to_commit = []
    for user in add_users:
@@ -122,10 +123,10 @@ def encrypt_secret(
            )
        )

-    keys = collect_keys_for_path(secret_path)
+    recipient_keys = collect_keys_for_path(secret_path)

-    if key.pubkey not in keys:
-        keys.add(key.pubkey)
+    if key.pubkey not in recipient_keys:
+        recipient_keys.add(key.pubkey)
        files_to_commit.extend(
            allow_member(
                users_folder(secret_path),
@@ -136,7 +137,7 @@ def encrypt_secret(
        )

    secret_path = secret_path / "secret"
-    encrypt_file(secret_path, value, list(sorted(keys)))
+    encrypt_file(secret_path, value, list(sorted(recipient_keys)), meta)
    files_to_commit.append(secret_path)
    commit_files(
        files_to_commit,
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -143,12 +143,15 @@ def update_keys(secret_path: Path, keys: list[str]) -> list[Path]:


 def encrypt_file(
-    secret_path: Path, content: IO[str] | str | bytes | None, keys: list[str]
+    secret_path: Path,
+    content: IO[str] | str | bytes | None,
+    pubkeys: list[str],
+    meta: dict = {},
 ) -> None:
    folder = secret_path.parent
    folder.mkdir(parents=True, exist_ok=True)

-    with sops_manifest(keys) as manifest:
+    with sops_manifest(pubkeys) as manifest:
        if not content:
            args = ["sops", "--config", str(manifest)]
            args.extend([str(secret_path)])
@@ -186,6 +189,9 @@ def encrypt_file(
                with NamedTemporaryFile(dir=folder, delete=False) as f2:
                    shutil.copyfile(f.name, f2.name)
                    os.rename(f2.name, secret_path)
+                meta_path = secret_path.parent / "meta.json"
+                with open(meta_path, "w") as f_meta:
+                    json.dump(meta, f_meta, indent=2)
            finally:
                try:
                    os.remove(f.name)
@@ -203,6 +209,14 @@ def decrypt_file(secret_path: Path) -> str:
    return res.stdout


+def get_meta(secret_path: Path) -> dict:
+    meta_path = secret_path.parent / "meta.json"
+    if not meta_path.exists():
+        return {}
+    with open(meta_path) as f:
+        return json.load(f)
+
+
 def write_key(path: Path, publickey: str, overwrite: bool) -> None:
    path.mkdir(parents=True, exist_ok=True)
    try: