Reapply + Fix "vars: fix - upload machines own secrets only"

This reverts commit cb860f9a03.
This commit is contained in:
DavHau
2024-08-23 14:44:55 +02:00
parent 4b74ff5459
commit f0a3eaca96
4 changed files with 40 additions and 28 deletions


@@ -10,17 +10,12 @@ let
inherit (import ./funcs.nix { inherit lib; }) listVars; inherit (import ./funcs.nix { inherit lib; }) listVars;
varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine"; inherit (config.clan.core) machineName;
varsDirMachines = config.clan.core.clanDir + "/sops/vars/per-machine/${machineName}";
varsDirShared = config.clan.core.clanDir + "/sops/vars/shared"; varsDirShared = config.clan.core.clanDir + "/sops/vars/shared";
varsUnfiltered = (listVars varsDirMachines) ++ (listVars varsDirShared); vars = (listVars varsDirMachines) ++ (listVars varsDirShared);
filterVars =
vars:
builtins.elem vars.machine [
config.clan.core.machineName
"shared"
];
vars = lib.filter filterVars varsUnfiltered;
in in
{ {
@@ -28,7 +23,7 @@ in
# Before we generate a secret we cannot know the path yet, so we need to set it to an empty string # Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
fileModule = file: { fileModule = file: {
path = lib.mkIf file.config.secret ( path = lib.mkIf file.config.secret (
config.sops.secrets.${"${config.clan.core.machineName}/${file.config.generatorName}/${file.config.name}"}.path config.sops.secrets.${"vars/${file.config.generatorName}/${file.config.name}"}.path
or "/no-such-path" or "/no-such-path"
); );
}; };
@@ -39,7 +34,7 @@ in
config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") { config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {
secrets = lib.listToAttrs ( secrets = lib.listToAttrs (
flip map vars (secret: { flip map vars (secret: {
name = secret.id; name = "vars/${secret.generator}/${secret.name}";
value = { value = {
sopsFile = secret.sopsFile; sopsFile = secret.sopsFile;
format = "binary"; format = "binary";
@@ -51,7 +46,7 @@ in
lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" "")) lib.mkDefault (builtins.toString (pkgs.writeText "dummy.yaml" ""))
); );
age.keyFile = lib.mkIf (builtins.pathExists ( age.keyFile = lib.mkIf (builtins.pathExists (
config.clan.core.clanDir + "/sops/secrets/${config.clan.core.machineName}-age.key/secret" config.clan.core.clanDir + "/sops/secrets/${machineName}-age.key/secret"
)) (lib.mkDefault "/var/lib/sops-nix/key.txt"); )) (lib.mkDefault "/var/lib/sops-nix/key.txt");
}; };
} }
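Review bot: Dropping the machine component from the secret key means a per-machine var and a shared var that share `generator`/`name` both map to `vars/${secret.generator}/${secret.name}` in the `lib.listToAttrs` call, and `listToAttrs` silently keeps only one of the duplicates instead of reporting the clash, so a machine could end up reading the wrong secret at that path. The old `secret.id` carried the machine name (with `shared` for shared vars), so this collision is new to this change. I would reject duplicates before building the attrset, e.g. `lib.throwIf (lib.length vars != lib.length (lib.unique (map (s: "${s.generator}/${s.name}") vars))) "vars: duplicate generator/name between per-machine and shared vars"` applied to the `secrets` expression, and note the invariant with `# keys are machine-independent, so per-machine and shared vars must not share generator/name`. The enclosing `let` block starts outside the first hunk.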


@@ -21,12 +21,12 @@ in
}; };
test_listSecrets = { test_listSecrets = {
expr = listVars ./populated/vars; expr = listVars ./populated/vars/my_machine;
expected = [ expected = [
{ {
machine = "my_machine";
generator = "my_generator"; generator = "my_generator";
name = "my_secret"; name = "my_secret";
sopsFile = "${./populated/vars/my_machine}/my_generator/my_secret/secret";
} }
]; ];
}; };


@@ -14,17 +14,12 @@ rec {
listVars = listVars =
varsDir: varsDir:
flip concatMap (readDirNames varsDir) ( flip concatMap (readDirNames (varsDir)) (
machine_name: generator_name:
flip concatMap (readDirNames (varsDir + "/${machine_name}")) ( flip map (readDirNames (varsDir + "/${generator_name}")) (secret_name: {
generator_name: generator = generator_name;
flip map (readDirNames (varsDir + "/${machine_name}/${generator_name}")) (secret_name: { name = secret_name;
machine = machine_name; sopsFile = "${varsDir}/${generator_name}/${secret_name}/secret";
generator = generator_name; })
name = secret_name;
id = "${machine_name}/${generator_name}/${secret_name}";
sopsFile = "${varsDir}/${machine_name}/${generator_name}/${secret_name}/secret";
})
)
); );
} }
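Review bot: The new `readDirNames (varsDir)` in the outer `concatMap` wraps a plain identifier in redundant parentheses while the inner call passes `(varsDir + "/${generator_name}")` where they are needed; `flip concatMap (readDirNames varsDir) (` reads consistently with the rest of the file. Since the directory layout `listVars` expects changed in this commit, a short header comment would save the next reader a trip to the module: `# listVars: list all secrets below varsDir, expected layout <varsDir>/<generator>/<secret>/secret; returns { generator, name, sopsFile }`. What `readDirNames` does on a missing directory is not visible here, so I cannot say whether callers need to guard the path first.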


@@ -1,3 +1,4 @@
import json
from pathlib import Path from pathlib import Path
import pytest import pytest
@@ -8,6 +9,8 @@ from helpers.nixos_config import nested_dict
from helpers.vms import qga_connect, run_vm_in_thread, wait_vm_down from helpers.vms import qga_connect, run_vm_in_thread, wait_vm_down
from root import CLAN_CORE from root import CLAN_CORE
from clan_cli.nix import nix_eval, run
@pytest.mark.impure @pytest.mark.impure
def test_vm_deployment( def test_vm_deployment(
@@ -32,10 +35,29 @@ def test_vm_deployment(
monkeypatch.chdir(flake.path) monkeypatch.chdir(flake.path)
sops_setup.init() sops_setup.init()
cli.run(["vars", "generate", "my_machine"]) cli.run(["vars", "generate", "my_machine"])
# check sops secrets not empty
sops_secrets = json.loads(
run(
nix_eval(
[
f"{flake.path}#nixosConfigurations.my_machine.config.sops.secrets",
]
)
).stdout.strip()
)
assert sops_secrets != dict()
my_secret_path = run(
nix_eval(
[
f"{flake.path}#nixosConfigurations.my_machine.config.clan.core.vars.generators.my_generator.files.my_secret.path",
]
)
).stdout.strip()
assert "no-such-path" not in my_secret_path
run_vm_in_thread("my_machine") run_vm_in_thread("my_machine")
qga = qga_connect("my_machine") qga = qga_connect("my_machine")
qga.run("ls /run/secrets/my_machine/my_generator/my_secret", check=True) qga.run("ls /run/secrets/vars/my_generator/my_secret", check=True)
_, out, _ = qga.run("cat /run/secrets/my_machine/my_generator/my_secret") _, out, _ = qga.run("cat /run/secrets/vars/my_generator/my_secret", check=True)
assert out == "hello\n" assert out == "hello\n"
qga.exec_cmd("poweroff") qga.exec_cmd("poweroff")
wait_vm_down("my_machine") wait_vm_down("my_machine")
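Review bot: `assert sops_secrets != dict()` is the unidiomatic spelling of `assert sops_secrets`, and it only proves the attrset is non-empty rather than that the expected key exists; `assert "vars/my_generator/my_secret" in sops_secrets` pins the actual contract this commit introduces. The `"no-such-path" not in my_secret_path` check is likewise weaker than needed: if `nix_eval` emits JSON as the `json.loads` above suggests, decoding the value and comparing it to the exact path is a stronger assertion, but I cannot confirm the output format from here. The `qga.run("ls ...", check=True)` line is now redundant with the following `cat` call, which also runs with `check=True` and would fail on a missing file.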