DavHau
54b8f5904e
vars: allow re-encrypting secrets when recipient keys were added.
...
When the users of a secret change, for example when a new admin user is added, an error will be thrown when generating vars, prompting the user to pass --fix to re-encrypt the secrets.
2024-11-13 18:49:30 +07:00
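The check described in the commit above, as an added example that is not clan-core's own code: it reads the recipient metadata of a sops-encrypted file and compares it with the intended recipient set, returning "ok", "re-encrypt" (when a hypothetical fix flag is passed) or raising so the operator learns about --fix. The sops file is constructed inline with placeholder ciphertexts; the field names follow sops's own metadata layout (`sops.age[].recipient`, `sops.pgp[].fp`), and the function names are assumptions.

```python
"""Added example, not clan-core's own code: a recipient-drift check of the
kind the commit above describes, run over a constructed sops JSON file.
Function names and the fix-flag handling are hypothetical."""
import json
from typing import Set, Tuple

Recipient = Tuple[str, str]  # ("age", public key) or ("pgp", fingerprint)

# Constructed sample sops file encrypted to one age key and one PGP key.
# Field names follow sops's metadata layout (sops.age[].recipient,
# sops.pgp[].fp); the ciphertexts are placeholders, not real encryptions.
SAMPLE_SOPS_FILE = json.dumps({
    "password": "ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]",
    "sops": {
        "age": [{"recipient": "age1placeholderadminkey",
                 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nplaceholder\n-----END AGE ENCRYPTED FILE-----\n"}],
        "pgp": [{"fp": "ADB6276965590A096004F6D1E114CBAE8FA29165",
                 "enc": "-----BEGIN PGP MESSAGE-----\nplaceholder\n-----END PGP MESSAGE-----\n"}],
        "version": "3.9.0",
    },
})


def current_recipients(sops_file: str) -> Set[Recipient]:
    """Recipients the file's data key is currently wrapped for."""
    meta = json.loads(sops_file).get("sops", {})
    found: Set[Recipient] = set()
    for entry in meta.get("age") or []:      # "or []" covers a null list
        found.add(("age", entry["recipient"]))
    for entry in meta.get("pgp") or []:
        found.add(("pgp", entry["fp"].upper()))  # fingerprints compare case-insensitively
    return found


def recipient_drift(sops_file: str, wanted: Set[Recipient]) -> Tuple[Set[Recipient], Set[Recipient]]:
    """(missing, stale): wanted-but-absent and present-but-no-longer-wanted."""
    have = current_recipients(sops_file)
    return wanted - have, have - wanted


def check_recipients(sops_file: str, wanted: Set[Recipient], fix: bool) -> str:
    """Return "ok" when recipients match, "re-encrypt" when fix=True and they
    drifted, and raise otherwise so the operator learns about --fix."""
    missing, stale = recipient_drift(sops_file, wanted)
    if not missing and not stale:
        return "ok"
    if not fix:
        raise RuntimeError(
            f"recipients changed (missing={sorted(missing)}, stale={sorted(stale)}); "
            "pass --fix to re-encrypt"
        )
    return "re-encrypt"


if __name__ == "__main__":
    wanted = {("age", "age1placeholderadminkey"),
              ("pgp", "ADB6276965590A096004F6D1E114CBAE8FA29165"),
              ("age", "age1placeholdernewadminkey")}  # a newly added admin
    print(recipient_drift(SAMPLE_SOPS_FILE, wanted))
    print(check_recipients(SAMPLE_SOPS_FILE, wanted, fix=True))
```

One caveat worth keeping in mind when acting on the "stale" set: re-encrypting with sops's updatekeys only re-wraps the existing data key for the new recipient list. A recipient that was removed still holds every earlier revision of the file in the git history, so a removal meant as revocation also needs the data key rotated and the secret value itself changed.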
Jörg Thalheim
76aa8d2d82
Revert "Merge pull request 'Revert "Merge pull request 'clan-cli: secrets: Add support for PGP keys with sops-nix' ( #2186 ) from lopter/clan-core:lo-sops-nix-pgp-support into main"' ( #2202 ) from revert into main"
...
This reverts commit 23f5abee0d , reversing
changes made to 66a94c91ae .
2024-10-04 16:36:35 +00:00
Jörg Thalheim
d134d94a1e
Revert "Merge pull request 'clan-cli: secrets: Add support for PGP keys with sops-nix' ( #2186 ) from lopter/clan-core:lo-sops-nix-pgp-support into main"
...
This reverts commit b956b94039 , reversing
changes made to b1af3d5d6d .
Reverting for now as Dave's recent change conflicts with this change.
2024-10-04 17:54:29 +02:00
Louis Opter
7999465d89
Make clan_cli.secrets.sops.SopsKey immutable and remove its __eq__ method
...
Immutability seems sensible for this type.
There is some ambiguity on how to compare keys, in particular when `user.name == ""`, but the rest matches.
2024-10-04 15:36:30 +00:00
Louis Opter
6694c2b60d
Fix key dump in clan secrets key show
...
```
In [4]: str(Type.AGE)
Out[4]: Type.AGE
In [5]: Type.AGE.name.lower()
Out[5]: age
```
2024-10-04 15:36:30 +00:00
Jörg Thalheim
4a3030d6ed
secrets: replace Key, key type tuple with SopsKey class
2024-10-04 15:36:30 +00:00
Jörg Thalheim
541a73692f
fix serialisation of SopsKey type
2024-10-04 15:36:30 +00:00
Jörg Thalheim
d909078033
default key type to age and rename to age-key/pgp-key
2024-10-04 15:36:30 +00:00
Jörg Thalheim
24973370b3
secrets: do not shadow python builtins
2024-10-04 15:36:30 +00:00
Louis Opter
61ceb44a71
Draft: clan-cli: secrets: Add support for PGP keys with sops-nix
...
To use a PGP key instead of an age key you can set `SOPS_PGP_FP`. (You
can use `gpg -k --fingerprint --fingerprint` to get your PGP encryption
key fingerprint; remove the spaces from it.)
The internal manifest file already supported a type field, and so I built
from there.
With those changes, I was able to add my PGP key, and update all my
secrets with it, instead of the age key originally generated:
```
% clan secrets key show | jq
{
"key": "ADB6276965590A096004F6D1E114CBAE8FA29165",
"type": "pgp"
}
% clan secrets key update
% for s in $(clan secrets list) ; do clan secrets users add-secret kal-pgp-from-2022-12-to-2024-12 "$s"; done
% for s in $(clan secrets list) ; do clan secrets users remove-secret --debug kal "$s" ; done
```
2024-10-04 15:36:30 +00:00
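Two of the commits above describe concrete behaviour: the "Fix key dump" commit shows that `str()` of a plain Enum member yields `Type.AGE` where the dump needs `age`, and the PGP commit describes picking the key from `SOPS_PGP_FP` with the spaces stripped from the gpg fingerprint. The block below is an added example, not clan-core's code, that puts both together around an immutable SopsKey: the buggy dump beside the fixed one, a type parser that defaults to age and rejects unknown values, fingerprint normalisation that refuses anything other than 40 hex digits, and env-driven key resolution. All names (`KeyType`, `SopsKey`, `resolve_key`, ...) are assumptions; only `SOPS_PGP_FP` and the fingerprint come from the page.

```python
"""Added example, not clan-core's own code: an immutable SopsKey with a
key-type enum, a JSON dump that sidesteps the str(Enum) pitfall shown in
the "Fix key dump" commit, and key resolution from SOPS_PGP_FP with the
space-stripped fingerprint the PGP commit describes. Names are hypothetical."""
import enum
import json
import re
from dataclasses import dataclass
from typing import Mapping, Optional


class KeyType(enum.Enum):
    AGE = enum.auto()
    PGP = enum.auto()


@dataclass(frozen=True)  # immutable: attribute assignment raises FrozenInstanceError
class SopsKey:
    pubkey: str          # age public key or PGP fingerprint
    username: str        # may be "" when the key is not tied to a user yet
    key_type: KeyType


def dump_key_naive(key: SopsKey) -> str:
    # The pitfall: default=str renders a plain Enum member as "KeyType.PGP",
    # so anything expecting "pgp" breaks.
    return json.dumps({"key": key.pubkey, "type": key.key_type}, default=str)


def dump_key(key: SopsKey) -> str:
    # Serialise the enum by its lower-cased name: "age" / "pgp".
    return json.dumps({"key": key.pubkey, "type": key.key_type.name.lower()})


def parse_key_type(raw: Optional[str]) -> KeyType:
    # A missing type field means age, matching the "default key type to age"
    # commit; unknown values are rejected rather than silently mapped.
    if raw is None:
        return KeyType.AGE
    try:
        return KeyType[raw.upper()]
    except KeyError:
        raise ValueError(f"unknown key type: {raw!r}") from None


_V4_FINGERPRINT = re.compile(r"[0-9A-F]{40}")


def normalize_pgp_fingerprint(fp: str) -> str:
    # gpg prints fingerprints in space-separated groups; sops expects the
    # 40 hex digits joined. Anything else is rejected up front.
    joined = fp.replace(" ", "").upper()
    if not _V4_FINGERPRINT.fullmatch(joined):
        raise ValueError(f"not a 40-hex-digit OpenPGP v4 fingerprint: {fp!r}")
    return joined


def resolve_key(env: Mapping[str, str], age_pubkey: Optional[str]) -> SopsKey:
    # SOPS_PGP_FP wins when set; otherwise fall back to the age key.
    fp = env.get("SOPS_PGP_FP")
    if fp:
        return SopsKey(normalize_pgp_fingerprint(fp), "", KeyType.PGP)
    if age_pubkey:
        return SopsKey(age_pubkey, "", KeyType.AGE)
    raise ValueError("no key available: set SOPS_PGP_FP or provide an age key")


if __name__ == "__main__":
    # Fingerprint as gpg prints it, including the double space in the middle.
    env = {"SOPS_PGP_FP": "ADB6 2769 6559 0A09 6004  F6D1 E114 CBAE 8FA2 9165"}
    key = resolve_key(env, None)
    print(dump_key_naive(key))  # "type": "KeyType.PGP"  (the bug)
    print(dump_key(key))        # "type": "pgp"
```

Making the dataclass frozen is what lets the key be used safely as a dict key or set member while comparing by value; the ambiguity the "immutable" commit mentions (keys that match except for an empty `username`) is left to the caller here, since the example compares all three fields.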
DavHau
1f1be62c60
sops: refactor some function names for clarity
2024-10-02 13:56:43 +02:00
Johannes Kirschbauer
3b0d694a07
API: add sops keyfile checks
2024-09-04 15:29:06 +02:00
Jörg Thalheim
403b9cf2cc
apply TRY lint
2024-09-03 18:13:46 +02:00
Johannes Kirschbauer
6e595c3f60
UI: Init iwd service for single wifi
2024-09-03 17:24:31 +02:00
DavHau
8efcd65bed
vars: global metadata paths for all store backends
...
This also changes the paths where sops stores the secret -> all sops secrets will have to be re-generated
2024-09-03 16:30:01 +02:00
Jörg Thalheim
659e5b37dd
use pathlib everywhere
2024-09-02 18:26:13 +02:00
Jörg Thalheim
357b619068
add SIM lint
2024-09-02 16:39:30 +02:00
Jörg Thalheim
ad3daa3ce4
add RET, Q, RSE lint
2024-09-02 15:58:49 +02:00
Jörg Thalheim
15ff74f7c2
enable ASYNC, DTZ, YTT and EM lints
2024-09-02 14:07:06 +02:00
Jörg Thalheim
e9a266001c
enable comprehensions linting rules
2024-09-02 13:35:52 +02:00
Jörg Thalheim
35839ef701
enable bug-bear linting rules
2024-09-02 13:26:07 +02:00
Jörg Thalheim
af4b9cc2d5
make all same-module imports relative, the rest absolute
...
This makes sorting more consistent.
2024-09-02 13:00:19 +02:00
DavHau
ec055f7606
vars: introduce deploy=true/false for generated files
2024-09-01 14:32:46 +02:00
Jörg Thalheim
0d6e2539e3
Revert "clan-cli: deprecate nix_shell() in favor of run_cmd()"
...
This reverts commit 37e6ca7a30 .
2024-07-17 14:04:49 +02:00
DavHau
37e6ca7a30
clan-cli: deprecate nix_shell() in favor of run_cmd()
2024-07-16 14:03:17 +07:00
Qubasa
1ff58adcef
clan-cli: Add validity check for age key generation
2024-06-21 15:07:53 +02:00
Jörg Thalheim
b5653c169b
sops: fix setting secret from pipe
2024-04-30 14:04:49 +02:00
Jörg Thalheim
5606101ce8
sops: also log content type on error
2024-04-30 13:56:07 +02:00
DavHau
cf67de2f69
secrets: ensure all added/deleted files get committed
2024-04-24 17:26:32 +07:00
Jörg Thalheim
0fa36252c2
re-encrypt secrets after rotating users/machines keys
2024-03-25 12:34:29 +01:00
Jörg Thalheim
cd9db02db0
add hint to use --force when a key already exists
2024-03-25 11:06:20 +01:00
lassulus
11bf0b8b9e
clan-cli sops: accept bytes
2024-03-03 09:25:40 +01:00
Jörg Thalheim
b358089488
sops: unbreak edit flags
2024-02-20 11:07:00 +01:00
Qubasa
1a6983e031
cmd.py refactor part 6
2024-01-12 17:02:56 +01:00
Jörg Thalheim
1496f45fe2
prefix nixpkgs# explicitly in nix_shell
...
This makes the function usage less confusing (you can now tell from the call side what are flags and what is passed to nix-shell) and allows to use different flakes to download packages.
2023-12-08 15:14:14 +01:00
Jörg Thalheim
d0362bb757
error if age key cannot be decoded
2023-11-30 10:57:58 +01:00
Jörg Thalheim
f1b223d0a1
modernisation for python 3.11
2023-11-29 13:29:45 +00:00
lassulus
7b3d3e20b4
clan-cli secrets: flake_name -> flake_dir
2023-11-05 16:58:48 +01:00
Qubasa
d02acbe04b
nix fmt
2023-10-27 19:19:45 +02:00
Qubasa
8cc1c2c4bd
Fixed cyclic dependency AND swapped pytest-parallel for pytest-xdist to fix deadlock in tests
2023-10-27 19:18:45 +02:00
Qubasa
2ca54afe7f
Added new type FlakeName
2023-10-27 19:18:45 +02:00
Qubasa
32e60f5adc
Added flake_name:str argument everywhere, nix fmt doesn't complain anymore
2023-10-27 19:15:40 +02:00
Jörg Thalheim
b2ef8bf1a3
also test that updating a group works
2023-10-03 16:15:36 +00:00
Jörg Thalheim
486ff4e7f4
age: generate private and public key in one go
2023-09-21 17:22:20 +02:00
Jörg Thalheim
17af763ad1
add edit flag to secret cli
2023-09-13 10:52:03 +02:00
Jörg Thalheim
ae3283a762
clan/secrets: fix if user/machine directory does not contain a key.json
2023-09-07 12:30:29 +02:00
Jörg Thalheim
e6762d8b3f
sops: add explicit commands to generate secrets
2023-09-07 11:41:20 +02:00
Jörg Thalheim
9b3bfd6950
secrets: improve error messages
2023-08-29 16:20:39 +02:00
Jörg Thalheim
63bb9395fd
automatically import secrets into nixos
2023-08-23 13:59:43 +02:00
Jörg Thalheim
c2ff6acef4
sops: pass empty manifest when decrypting
2023-08-10 12:08:17 +02:00