Louis Opter
8d53568d95
clan-cli: secrets: treefmt
2024-11-27 06:27:53 +00:00
Louis Opter
daf51f523e
clan-cli: secrets.sops: improve age keys detection
This change allows you to e.g. directly pass `$(age-keygen)` on the
command line.
2024-11-27 06:27:53 +00:00
Louis Opter
67c7876629
clan-cli: filter any sops recipients set in the environment for encryption
This forces sops to use our config file, otherwise if any of the
environment variables set to specify recipients is present then
`--config` will be ignored (see [env_check]).
That's simple enough, still I ended up refactoring how we call sops for
correctness, and to align with its behavior. The code now distinguishes
between public and private keys explicitly. `secrets.decrypt_secret`
does not try to look up public and private keys anymore.
With this changeset, some people might have to adjust their environment
as public age and PGP keys will be discovered like sops would do. In
particular if multiple public keys are discovered, then the user will
have to specify which one to use for the clan.
This also makes the following changes:
- try to use `/dev/shm` when swapping a secret (it's what [pass] does
fwiw);
- alias immediate values for readability;
- remove some float comparison that could never succeed, and use sops'
exit status instead;
- remove unused function `maybe_get_sops_key`.
[env_check]: 8c567aa8a7/cmd/sops/main.go (L2229)
[pass]: http://passwordstore.org/
2024-11-27 06:27:53 +00:00
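The two behaviours the commit message above describes, as an added example that is not clan-cli's own code: classifying age key material so that the output of `age-keygen` can be passed as-is (public keys and secret keys are kept apart), selecting a single public key when several are discovered, and building an environment for sops from which every recipient-selecting variable has been removed so that `--config` is honoured. The sops variable names are the recipient variables sops documents; the sample key material is constructed (right shape, checksum not verified) and the function names are this example's own.

```python
# Added example, not clan-cli's own code: age key detection and a sops
# environment in which no recipient variable can override --config.
from __future__ import annotations

import os
import re
from collections.abc import Iterable, Mapping

# Recipient-selecting variables sops reads from the environment; when any of
# them is set, sops ignores the creation rules from the --config file.
SOPS_RECIPIENT_ENV: tuple[str, ...] = (
    "SOPS_AGE_RECIPIENTS",
    "SOPS_PGP_FP",
    "SOPS_KMS_ARN",
    "SOPS_GCP_KMS_IDS",
    "SOPS_AZURE_KEYVAULT_URLS",
    "SOPS_HC_VAULT_URIS",
)

# age keys are bech32: "age1" + 58 chars for a public key,
# "AGE-SECRET-KEY-1" + 58 chars for a secret key. Only the shape is checked;
# the bech32 checksum is not verified here.
_BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_AGE_PUBLIC = re.compile(rf"^age1[{_BECH32}]{{58}}$")
_AGE_SECRET = re.compile(rf"^AGE-SECRET-KEY-1[{_BECH32.upper()}]{{58}}$")

# Constructed sample in the shape of `age-keygen` output; not a real key pair.
EXAMPLE_KEYGEN_OUTPUT = (
    "# created: 2024-11-27T06:27:53Z\n"
    f"# public key: age1{'q' * 58}\n"
    f"AGE-SECRET-KEY-1{'Q' * 58}\n"
)


def detect_age_keys(text: str) -> tuple[list[str], list[str]]:
    """Split free-form input (a bare key or the whole output of `age-keygen`)
    into (public keys, secret keys). `age-keygen` announces the public key
    on a "# public key:" comment line and prints the secret key after it,
    so both kinds can appear in one string."""
    public: list[str] = []
    secret: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            # Comment line: only "# public key: age1..." carries a key.
            line = line.removeprefix("# public key:").strip()
            if not _AGE_PUBLIC.match(line):
                continue
        if _AGE_PUBLIC.match(line):
            public.append(line)
        elif _AGE_SECRET.match(line):
            secret.append(line)
    return public, secret


def choose_public_key(discovered: list[str], selected: str | None = None) -> str:
    """Use the single discovered public key, or require the caller to name one
    when several were found (the rule stated in the commit message)."""
    if selected is not None:
        if selected not in discovered:
            raise ValueError(f"{selected} is not among the discovered public keys")
        return selected
    if not discovered:
        raise ValueError("no age public key found")
    if len(discovered) > 1:
        raise ValueError(
            "multiple age public keys found, specify which one to use: "
            + ", ".join(discovered)
        )
    return discovered[0]


def sops_environment(
    base: Mapping[str, str] | None = None,
    recipient_vars: Iterable[str] = SOPS_RECIPIENT_ENV,
) -> dict[str, str]:
    """Copy of `base` (default: os.environ) without any recipient-selecting
    sops variable, so `sops --config ...` encrypts only to the recipients in
    the config file and never to keys leaking in from the caller's shell.
    Key-file variables such as SOPS_AGE_KEY_FILE are deliberately kept."""
    env = dict(os.environ if base is None else base)
    for name in recipient_vars:
        env.pop(name, None)
    return env
    # Usage: subprocess.run(["sops", "--config", cfg, "-e", "-i", path],
    #                       env=sops_environment(), check=True)
```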
Jörg Thalheim
45dfbf54db
vars: make interface more type-safe
2024-11-26 17:08:26 +01:00
a-kenji
26344a7938
pkgs/cli: Add --password flag to machines install
Add `--password` flag to `clan machines install`,
which allows installing through the `nixos-image` installer
manually without extra configuration.
2024-11-26 15:01:43 +01:00
Jörg Thalheim
09a7fccbb0
less verbose logging if commands fail
2024-11-26 14:38:59 +01:00
Jörg Thalheim
8eb37903e0
test_vars: mock ask function instead of sys.stdin
2024-11-26 11:56:38 +00:00
Johannes Kirschbauer
446b2592ec
API/serde: add handling for serializing enum classes
2024-11-26 10:44:06 +00:00
DavHau
173436632d
vars: fix migration - secrets end up in public store
2024-11-26 17:02:11 +07:00
Qubasa
4775139091
clan-cli: Remove tty.py
2024-11-25 20:32:36 +01:00
Qubasa
27b40849d1
clan-cli: Refactor ssh classes to dataclasses
2024-11-25 19:47:17 +01:00
Qubasa
41a84f5970
docs: Fix nix flake check problem with diskId
2024-11-25 18:39:16 +01:00
lassulus
19dce7694f
cli password-store: upload generators folder only if it has secrets
2024-11-22 22:34:09 +01:00
lassulus
045c9119f3
password-store: include filenames in manifest for upload check
2024-11-22 22:34:09 +01:00
lassulus
13b7d3c7ec
cli password-store: skip uploading non secret files
2024-11-22 22:34:09 +01:00
Qubasa
f01d586bf3
clan-cli: Fix inventory update.sh
2024-11-22 22:23:10 +01:00
Qubasa
8866a85765
clan-cli: Refactor ssh part 2, Refactor custom_logger
2024-11-22 22:08:50 +01:00
Johannes Kirschbauer
0ab8bcd017
Clan-cli/api: init dynamic get module interface
2024-11-22 13:58:30 +01:00
Johannes Kirschbauer
ff052e53e3
Clan-cli/api: list external modules
2024-11-21 17:04:35 +01:00
Johannes Kirschbauer
28f907cc85
Clan-cli: update inventory classes.py
2024-11-21 15:38:17 +00:00
Qubasa
4104374b76
clan-cli: Refactor ssh folder part 1
2024-11-21 13:02:22 +01:00
a-kenji
cc36247f22
pkgs/cli: Fix generation of hardware configuration for machines install
Correctly use the `value` of the `enum`, which is expected by
`nixos-anywhere`.
2024-11-20 16:15:45 +01:00
a-kenji
1bc0b71155
pkgs/cli: Fix tag creation for clan machines create
2024-11-20 15:12:05 +01:00
danjujan
434ce7aeb4
vms/qemu: fix opengl detection
2024-11-20 10:20:30 +00:00
Jörg Thalheim
5bf2afdf0e
vars: add VarStatus dataclass to make return type more readable
2024-11-20 10:20:06 +00:00
DavHau
3f62e143ec
vars: implement invalidation mechanism
This adds the option `invalidationData` to generators.
`invalidationData` can be used by an author of a generator to signal if a re-generation is required after updating the logic.
Whenever a generator with invalidation data is executed, a hash of that data is stored by the respective public and/or secret backends.
The stored hashes will be checked on future deployments, and a re-generation is triggered whenever a hash doesn't match what's defined in nix.
2024-11-20 16:27:22 +07:00
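The invalidation mechanism described above, as an added example that is not clan-core's implementation: `invalidationData` is hashed in a canonical form (so attribute order in Nix does not matter), the hash is recorded next to the generated var, and a later run compares the recorded hash with the current one. The file layout (`<generator>.hash` under a store directory) and the rule that a missing recorded hash counts as a mismatch are assumptions of this example.

```python
# Added example, not clan-core's own code: hashing invalidationData and
# deciding whether a generator has to run again.
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def invalidation_hash(data: object) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so that
    equal attrsets hash the same regardless of how they were written."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def needs_regeneration(stored: str | None, data: object) -> bool:
    """A generator without invalidationData is never invalidated this way.
    Otherwise regenerate when nothing was recorded yet (assumption) or the
    recorded hash differs from the hash of the current data."""
    if data is None:
        return False
    return stored != invalidation_hash(data)


class HashStore:
    """Minimal file-backed store: one `<generator>.hash` per generator.
    The layout is this example's assumption, not clan-core's."""

    def __init__(self, root: Path) -> None:
        self.root = Path(root)

    def _path(self, generator: str) -> Path:
        return self.root / f"{generator}.hash"

    def load(self, generator: str) -> str | None:
        path = self._path(generator)
        return path.read_text().strip() if path.exists() else None

    def record(self, generator: str, data: object) -> str:
        self.root.mkdir(parents=True, exist_ok=True)
        digest = invalidation_hash(data)
        self._path(generator).write_text(digest + "\n")
        return digest

    def needs_regeneration(self, generator: str, data: object) -> bool:
        return needs_regeneration(self.load(generator), data)


def demo() -> dict[str, bool]:
    """Walk through first run, unchanged data and changed data in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        store = HashStore(Path(tmp))
        v1 = {"schema": 1, "cipher": "chacha20-poly1305"}  # constructed data
        first = store.needs_regeneration("ssh-host-key", v1)  # nothing recorded
        store.record("ssh-host-key", v1)
        # Same attrset, different key order: must not trigger regeneration.
        unchanged = store.needs_regeneration(
            "ssh-host-key", {"cipher": "chacha20-poly1305", "schema": 1}
        )
        changed = store.needs_regeneration("ssh-host-key", {"schema": 2})
    return {"first": first, "unchanged": unchanged, "changed": changed}
```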
Jörg Thalheim
a4e03a85eb
vars: don't print stack trace if generator fails
2024-11-19 09:46:14 +00:00
Jörg Thalheim
9c6e04fa3f
vars: introduce ensure_machine_has_access method for sops
This should help avoid overriding existing shared secrets by not
triggering vars regeneration if a machine has no access.
wip
2024-11-19 09:46:14 +00:00
Johannes Kirschbauer
9a6f39be76
Modules/api: export constraints, filter by inventory
2024-11-19 10:36:29 +01:00
lassulus
8e1697a089
password-store owner & group support
2024-11-16 01:18:59 +01:00
Qubasa
250eed0798
clan-cli: upload.py -> Replace rsync with native ssh command
2024-11-15 22:03:47 +07:00
a-kenji
9be8d5dbeb
pkgs/cli: Add comment to add_common_flags function
2024-11-15 12:06:10 +01:00
a-kenji
032bf4b09b
pkgs/cli: Fix adding common flags for aliases
2024-11-15 10:49:03 +00:00
Jörg Thalheim
c98055c781
vars: introduce ensure_machine_has_access method for sops
This should help avoid overriding existing shared secrets by not
triggering vars regeneration if a machine has no access.
wip
2024-11-14 15:37:55 +00:00
Jörg Thalheim
8f1e5ed1eb
vars/get: use machine_name as variable name
2024-11-14 15:37:55 +00:00
Jörg Thalheim
4a389b0fb3
vars/sops: simplify conditional in exists
2024-11-14 15:37:55 +00:00
clan-bot
7852006eda
Merge pull request 'pkgs/cli: Improve help description' (#2415) from kenji/clan-core:kenji-cli/show/improve/description into main
2024-11-14 14:40:22 +00:00
a-kenji
9e31ba823d
pkgs/cli: Improve help description
2024-11-14 15:34:24 +01:00
clan-bot
57f9b1a410
Merge pull request 'pkgs/cli: Improve clan secrets help' (#2416) from kenji/clan-core:kenji-cli/secrets/help into main
2024-11-14 14:18:43 +00:00
a-kenji
a17992a59f
pkgs/cli: Improve clan secrets help
2024-11-14 15:07:16 +01:00
a-kenji
a7e68637a9
pkgs/cli: Remove superfluous comment string
2024-11-14 15:04:19 +01:00
a-kenji
279b5b316d
pkgs/cli: Improve help output of show subcommand
2024-11-14 15:03:14 +01:00
lassulus
7ae7ac8bd1
cli vars password-store: fix file locations
2024-11-14 12:07:52 +01:00
a-kenji
a1508ab9cb
pkgs/cli: Fix typo in comment
2024-11-14 10:17:44 +01:00
DavHau
21796c1dbb
clan-cli: remove --no-write-lock-file from nix invocations
2024-11-14 14:11:06 +07:00
lassulus
11ce774820
clan_cli vars: actually upload
2024-11-13 13:23:42 +01:00
Jörg Thalheim
cb6fefd694
cmd: also process stdin
2024-11-13 13:23:42 +01:00
lassulus
745af335ec
cli machines update: run deploy directly if deploying single machine
2024-11-13 13:23:42 +01:00
DavHau
54b8f5904e
vars: allow re-encrypting secrets when recipient keys were added.
...
When the users of a secret change, for example when a new admin user is added, an error will be thrown when generating vars, prompting the user to pass `--fix` to re-encrypt the secrets.
2024-11-13 18:49:30 +07:00
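The recipient check described above, as an added example that is not clan-core's own code: the recipients a sops file is encrypted to are read from its `sops.age[].recipient` and `sops.pgp[].fp` metadata and compared with the recipients that should have access; an error names the missing ones unless the caller opted into fixing, in which case the re-encryption is left to `sops updatekeys`. It goes a step beyond the commit by also reporting stale recipients (still in the file, no longer wanted), which matters when an admin is removed. The sample document is constructed and the function names are this example's own.

```python
# Added example, not clan-core's own code: detect recipient drift in a sops
# file and insist on an explicit --fix before re-encrypting.
from __future__ import annotations

from collections.abc import Iterable

PGP_FP = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint

# Constructed sops JSON document; only the metadata shape matters here.
SAMPLE_SOPS_DOC = {
    "data": "ENC[AES256_GCM,data:(ciphertext),type:str]",
    "sops": {
        "age": [{"recipient": "age1admin", "enc": "(age ciphertext)"}],
        "pgp": [{"fp": PGP_FP, "enc": "(pgp ciphertext)"}],
        "mac": "ENC[AES256_GCM,data:(mac),type:str]",
        "version": "3.9.1",
    },
}


class RecipientsOutdated(Exception):
    """Raised when the file is not encrypted for every wanted recipient."""


def sops_recipients(doc: dict) -> set[str]:
    """Age recipients and PGP fingerprints the document is encrypted to."""
    meta = doc.get("sops") or {}
    age = {entry["recipient"] for entry in (meta.get("age") or [])}
    pgp = {entry["fp"] for entry in (meta.get("pgp") or [])}
    return age | pgp


def recipients_to_add(doc: dict, wanted: Iterable[str]) -> set[str]:
    """Wanted recipients that cannot decrypt the document yet."""
    return set(wanted) - sops_recipients(doc)


def stale_recipients(doc: dict, wanted: Iterable[str]) -> set[str]:
    """Recipients that can still decrypt although no longer wanted."""
    return sops_recipients(doc) - set(wanted)


def ensure_recipients(doc: dict, wanted: Iterable[str], fix: bool = False) -> set[str]:
    """Return the recipients that must be added; raise unless `fix` was given.
    An empty result means the document is already up to date."""
    missing = recipients_to_add(doc, wanted)
    if missing and not fix:
        raise RecipientsOutdated(
            "secret is not encrypted for: "
            + ", ".join(sorted(missing))
            + "; re-run with --fix to re-encrypt"
        )
    return missing


def updatekeys_cmd(config: str, path: str) -> list[str]:
    """Command a --fix path could run: sops re-encrypts the data key for the
    recipients in the creation rules of `config`, non-interactively."""
    return ["sops", "--config", config, "updatekeys", "--yes", path]
```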
clan-bot
3822efc11b
Merge pull request 'Modules/constraints: init constraints checking for inventory compatible modules' (#2391) from hsjobeki/clan-core:hsjobeki-main into main
2024-11-13 08:02:29 +00:00