yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
4,768 Commits 120 Branches 6 Tags
edc3f847c7c3ce36e0747d793356305832553298
Commit Graph

188 Commits

Author SHA1 Message Date
DavHau
54b8f5904e vars: allow re-encrypting secrets when recipient keys were added. 
When the users of a secret change, when for example a new admin user is added, an error will be thrown when generating vars, prompting the user to pass --fix to re-encrypt the secrets
 2024-11-13 18:49:30 +07:00
Louis Opter
f540ab91a1 vars: add the user and group options on files 
This changeset forwards the ownership control options from sops-nix.
 2024-10-23 09:05:53 +00:00
Jörg Thalheim
76aa8d2d82 Revert "Merge pull request 'Revert "Merge pull request 'clan-cli: secrets: Add support for PGP keys with sops-nix' (#2186) from lopter/clan-core:lo-sops-nix-pgp-support into main"' (#2202) from revert into main" 
This reverts commit 23f5abee0d, reversing
changes made to 66a94c91ae.
 2024-10-04 16:36:35 +00:00
Jörg Thalheim
d134d94a1e Revert "Merge pull request 'clan-cli: secrets: Add support for PGP keys with sops-nix' (#2186) from lopter/clan-core:lo-sops-nix-pgp-support into main" 
This reverts commit b956b94039, reversing
changes made to b1af3d5d6d.

Reverting for now as Dave's recent change conflicts with this change.
 2024-10-04 17:54:29 +02:00
Louis Opter
103ad87bc9 Improvements for clan secrets key generate. 
I am not sure to understand what `extract_public_key` was for. It seems
like `age-keygen -y` will just work fine for a file like
`extract_public_key` is looking for. Unless someone intentionally made a
file with a comment like that without the private key in it.

Messages are moved to stdout rather being logged. It feels like the
output is meaningful in the first step users are going to take. Also
makes testing easier, as log messages are captured differently than
stdout. The call to add an user is changed to be easier to copy paste
and work whether PGP or age is in use.

A description for the command is added instead of help which does not
seem to be displayed.
 2024-10-04 15:36:30 +00:00
Louis Opter
7999465d89 Make clan_cli.secrets.sops.SopsKey immutable and remove its __eq__ method 
Immutability seems sensible for this type.

There is some ambiguity on how to compare keys, in particular when `user.name == ""`, but the rest matches.
 2024-10-04 15:36:30 +00:00
Louis Opter
6848b3b6b3 fix: clan secrets user get dump the user identity correctly 2024-10-04 15:36:30 +00:00
Louis Opter
6694c2b60d Fix key dump in clan secrets key show 
```
In [4]: str(Type.AGE)
Out[4]: Type.AGE

In [5]: Type.AGE.name.lower()
Out[5]: age
```
 2024-10-04 15:36:30 +00:00
Jörg Thalheim
be5f10e241 secrets/show: pretty print json 2024-10-04 15:36:30 +00:00
Jörg Thalheim
4a3030d6ed secrets: replace Key, key type tuple with SopsKey class 2024-10-04 15:36:30 +00:00
Jörg Thalheim
541a73692f fix serialisation of SopsKey type 2024-10-04 15:36:30 +00:00
Jörg Thalheim
d909078033 default key type to age and rename to age-key/pgp-key 2024-10-04 15:36:30 +00:00
Jörg Thalheim
24973370b3 secrets: do not shadow python builtins 2024-10-04 15:36:30 +00:00
Louis Opter
30d0afe75b Fix: use new sops api in clan secrets machines 2024-10-04 15:36:30 +00:00
Louis Opter
61ceb44a71 Draft: clan-cli: secrets: Add support for PGP keys with sops-nix 
To use a PGP key instead of an age key you can set `SOPS_PGP_FP`. (You
can use `gpg -k --fingerprint --fingerprint` to get your PGP encryption
key fingerprint, remove spaces from it).

The internal manifest file already supported a type field, and so I built
from there.

With those changes, I was able to add my PGP key, and update all my
secrets with it, instead of the age key originally generated:

```
% clan secrets key show | jq
{
  "key": "ADB6276965590A096004F6D1E114CBAE8FA29165",
  "type": "pgp"
}
% clan secrets key update
% for s in $(clan secrets list) ; do clan secrets users add-secret kal-pgp-from-2022-12-to-2024-12 "$s"; done
% for s in $(clan secrets list) ; do clan secrets users remove-secret --debug kal "$s" ; done
```
 2024-10-04 15:36:30 +00:00
DavHau
1f1be62c60 sops: refactor some function names for clarity 2024-10-02 13:56:43 +02:00
DavHau
cf47c1d51a vars: generate proper commit messages 
fixes #2126
 2024-09-17 20:22:18 +02:00
DavHau
a1dd10f502 vars/sops/shared: add machines key on demand 2024-09-12 20:17:05 +02:00
Johannes Kirschbauer
3b0d694a07 API: add sops keyfile checks 2024-09-04 15:29:06 +02:00
Jörg Thalheim
403b9cf2cc apply TRY lint 2024-09-03 18:13:46 +02:00
Johannes Kirschbauer
6e595c3f60 UI: Init iwd service for single wifi 2024-09-03 17:24:31 +02:00
DavHau
8efcd65bed vars: global metadata paths for all store backends 
This also changes the paths where sops stores teh secret -> all sops secrets will have to be re-generated
 2024-09-03 16:30:01 +02:00
Jörg Thalheim
659e5b37dd use pathlib everywhere 2024-09-02 18:26:13 +02:00
Jörg Thalheim
357b619068 add SIM lint 2024-09-02 16:39:30 +02:00
Jörg Thalheim
ad3daa3ce4 add RET, Q, RSE lint 2024-09-02 15:58:49 +02:00
Jörg Thalheim
15ff74f7c2 enable ASYNC, DTZ, YTT and EM lints 2024-09-02 14:07:06 +02:00
Jörg Thalheim
e9a266001c enable comprehensions linting rules 2024-09-02 13:35:52 +02:00
Jörg Thalheim
35839ef701 enable bug-bear linting rules 2024-09-02 13:26:07 +02:00
Jörg Thalheim
af4b9cc2d5 make all same-module imports relative, the rest absolute 
This makes sorting more consitent.
 2024-09-02 13:00:19 +02:00
DavHau
ec055f7606 vars: introduce deploy=true/false for generated files 2024-09-01 14:32:46 +02:00
Johannes Kirschbauer
91397adbfc Fix: regression list_machines. Split into multiple functions 
list_inventory_machines, list_nixos_machine, list_sops_machines
The caller of the function should specify which machines they wants to see
 2024-08-03 12:43:35 +02:00
a-kenji
ccdfd0c6fc clan/secrets: improve naming of secret key 
Change the secret key help wording to: `secret-name`,
to convey that it is the key and not the value.

Fixes: #1696
 2024-07-30 12:54:22 +02:00
DavHau
9996f5596c vars/sops: store secrets in /sops/vars 2024-07-24 18:42:50 +07:00
DavHau
ac5d421f84 sops/refactor: lay groundwork for secrets with arbitrary paths 2024-07-24 18:12:19 +07:00
DavHau
0222ebf482 secrets: refactor parameter naming 2024-07-24 17:50:03 +07:00
DavHau
00f7a6300b clan-cli/secrets: refactor: rename secret -> secret_path 2024-07-23 18:18:32 +07:00
Jörg Thalheim
0d6e2539e3 Revert "clan-cli: deprecate nix_shell() in favor of run_cmd()" 
This reverts commit 37e6ca7a30.
 2024-07-17 14:04:49 +02:00
DavHau
37e6ca7a30 clan-cli: deprecate nix_shell() in favor of run_cmd() 2024-07-16 14:03:17 +07:00
Jörg Thalheim
5b606c035f move FlakeId to flake id 
move FlakeId to flake id
 2024-07-03 18:28:55 +02:00
Jörg Thalheim
b4698528ef make machine class now a dataclass 2024-07-03 12:34:43 +02:00
Qubasa
1ff58adcef clan-cli: Add validity check for age key generation 2024-06-21 15:07:53 +02:00
a-kenji
0bd13727de clan: add dynamic-completions to clan secrets set 2024-06-04 15:21:00 +02:00
a-kenji
e1d6d04b48 clan: add dynamic completions to clan secrets machines 2024-06-04 15:02:35 +02:00
a-kenji
9dbbb6f2f6 clan: add dynamic completions for clan secrets import-sops 2024-06-04 13:40:24 +02:00
a-kenji
b21bef0b98 clan: add dynamic completions for clan secrets users 2024-06-04 13:30:38 +02:00
a-kenji
533ed97fc1 clan: add dynamic completion for clan secret groups 2024-06-04 13:30:38 +02:00
a-kenji
4e95030e55 clan: clan secrets groups add machine completions 2024-06-04 13:30:11 +02:00
a-kenji
2923051a12 clan: fix help message 2024-06-04 10:28:34 +00:00
a-kenji
addc4de735 clan: add more machine completion functions to secrets 2024-06-04 11:07:24 +02:00
a-kenji
31eca9e8bc clan: add dyncamic completions for secrets 2024-06-03 21:47:14 +02:00