clanCore/vars/sops: only copy required secrets to store
Create a store path per in repo secret/var to be copied, this prevents unused secrets from being leaked. For example the `root-password` generator contains both the hashed and unhashed password but only the hash is used.
This commit is contained in:
vdbe
@@ -241,12 +241,35 @@ in
|
|||||||
type = bool;
|
type = bool;
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
|
flakePath = lib.mkOption {
|
||||||
|
description = ''
|
||||||
|
The path to the file containing the content of the generated value.
|
||||||
|
This will be set automatically
|
||||||
|
'';
|
||||||
|
type = nullOr str;
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
path = lib.mkOption {
|
path = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
The path to the file containing the content of the generated value.
|
The path to the file containing the content of the generated value.
|
||||||
This will be set automatically
|
This will be set automatically
|
||||||
'';
|
'';
|
||||||
type = str;
|
type = str;
|
||||||
|
defaultText = ''
|
||||||
|
(pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
|
||||||
|
{ }
|
||||||
|
''\''
|
||||||
|
cp $${file.config.inRepoPath} $out
|
||||||
|
''\''
|
||||||
|
).outPath;
|
||||||
|
'';
|
||||||
|
default =
|
||||||
|
(pkgs.runCommandNoCCLocal "${generator.config._module.args.name}_${file.config._module.args.name}"
|
||||||
|
{ }
|
||||||
|
''
|
||||||
|
cp ${file.config.flakePath} $out
|
||||||
|
''
|
||||||
|
).outPath;
|
||||||
};
|
};
|
||||||
neededFor = lib.mkOption {
|
neededFor = lib.mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ in
|
|||||||
config.clan.core.vars.settings = mkIf (config.clan.core.vars.settings.publicStore == "in_repo") {
|
config.clan.core.vars.settings = mkIf (config.clan.core.vars.settings.publicStore == "in_repo") {
|
||||||
publicModule = "clan_cli.vars.public_modules.in_repo";
|
publicModule = "clan_cli.vars.public_modules.in_repo";
|
||||||
fileModule = file: {
|
fileModule = file: {
|
||||||
path = mkIf (file.config.secret == false) (
|
flakePath = mkIf (file.config.secret == false) (
|
||||||
if file.config.share then
|
if file.config.share then
|
||||||
(
|
(
|
||||||
config.clan.core.settings.directory
|
config.clan.core.settings.directory
|
||||||
@@ -25,9 +25,9 @@ in
|
|||||||
);
|
);
|
||||||
value = mkIf (file.config.secret == false) (
|
value = mkIf (file.config.secret == false) (
|
||||||
# dynamically adjust priority to allow overriding with mkDefault in case the file is not found
|
# dynamically adjust priority to allow overriding with mkDefault in case the file is not found
|
||||||
if (pathExists file.config.path) then
|
if (pathExists file.config.flakePath) then
|
||||||
# if the file is found it should have normal priority
|
# if the file is found it should have normal priority
|
||||||
readFile file.config.path
|
readFile file.config.flakePath
|
||||||
else
|
else
|
||||||
# if the file is not found, we want to downgrade the priority, to allow overriding via mkDefault
|
# if the file is not found, we want to downgrade the priority, to allow overriding via mkDefault
|
||||||
mkOptionDefault (
|
mkOptionDefault (
|
||||||
|
|||||||
@@ -970,7 +970,7 @@ def test_dynamic_invalidation(
|
|||||||
custom_nix.write_text(
|
custom_nix.write_text(
|
||||||
"""
|
"""
|
||||||
{ config, ... }: let
|
{ config, ... }: let
|
||||||
p = config.clan.core.vars.generators.my_generator.files.my_value.path;
|
p = config.clan.core.vars.generators.my_generator.files.my_value.flakePath;
|
||||||
in {
|
in {
|
||||||
clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
|
clan.core.vars.generators.dependent_generator.validation = if builtins.pathExists p then builtins.readFile p else null;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user