clanCore/vars/sops: only copy required secrets to store

Create a store path per in-repo secret/var to be copied; this prevents
unused secrets from being leaked.

For example the `root-password` generator contains both the hashed and
unhashed password but only the hash is used.
vdbe
2025-05-01 00:29:01 +02:00
committed by Jörg Thalheim
parent 4ef8ef4542
commit f3e32ce827
3 changed files with 27 additions and 4 deletions


@@ -970,7 +970,7 @@ def test_dynamic_invalidation(
custom_nix.write_text(
"""
{ config, ... }: let
p = config.clan.core.vars.generators.my_generator.files.my_value.path;
p = config.clan.core.vars.generators.my_generator.files.my_value.flakePath;
in {
clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
}
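Review bot: The embedded Nix snippet now binds `p` to `.flakePath` instead of `.path` with nothing to say why, so a later reader could change it back without realising the two attributes differ. Judging from the commit message, `.path` presumably now resolves to a per-file store copy while `.flakePath` stays the in-repo location that `builtins.pathExists` is meant to probe; a Nix comment above the `p =` binding such as `# flakePath: in-repo location; .path may point at a per-file store copy` would record that. It is also worth confirming that `my_value` is a non-secret file, because `builtins.readFile p` pulls its contents into the evaluation. The body of test_dynamic_invalidation starts and ends outside this hunk.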