vars: move logic from vars-to-sops into single file

2025-10-13 16:27:31 +02:00
3 changed files with 85 additions and 68 deletions
--- a/nixosModules/clanCore/vars/secret/sops/collectFiles.nix
+++ b/nixosModules/clanCore/vars/secret/sops/collectFiles.nix
@@ -1,35 +0,0 @@
-# collectFiles helper function
-{
-  lib ? import <nixpkgs/lib>,
-}:
-let
-  inherit (lib)
-    filterAttrs
-    mapAttrsToList
-    ;
-
-  relevantFiles = filterAttrs (
-    _name: f: f.secret && f.deploy && (f.neededFor == "users" || f.neededFor == "services")
-  );
-
-  collectFiles =
-    generators:
-    builtins.concatLists (
-      mapAttrsToList (
-        gen_name: generator:
-        mapAttrsToList (fname: file: {
-          name = fname;
-          generator = gen_name;
-          neededForUsers = file.neededFor == "users";
-          inherit (generator) share;
-          inherit (file)
-            owner
-            group
-            mode
-            restartUnits
-            ;
-        }) (relevantFiles generator.files)
-      ) generators
-    );
-in
-collectFiles
--- a/nixosModules/clanCore/vars/secret/sops/default.nix
+++ b/nixosModules/clanCore/vars/secret/sops/default.nix
@@ -7,19 +7,9 @@
 }:
 let

-  collectFiles = import ./collectFiles.nix { inherit lib; };
+  mapGeneratorsToSopsSecrets = import ./generators-to-sops.nix { inherit lib; };

  machineName = config.clan.core.settings.machine.name;
-
-  secretPath =
-    secret:
-    if secret.share then
-      config.clan.core.settings.directory + "/vars/shared/${secret.generator}/${secret.name}/secret"
-    else
-      config.clan.core.settings.directory
-      + "/vars/per-machine/${machineName}/${secret.generator}/${secret.name}/secret";
-
-  vars = collectFiles config.clan.core.vars.generators;
 in
 {
  config.clan.core.vars.settings = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {
@@ -39,28 +29,13 @@ in
  };

  config.sops = lib.mkIf (config.clan.core.vars.settings.secretStore == "sops") {
-
-    secrets = lib.listToAttrs (
-      map (secret: {
-        name = "vars/${secret.generator}/${secret.name}";
-        value = {
-          inherit (secret)
-            owner
-            group
-            mode
-            neededForUsers
-            ;
-          sopsFile = builtins.path {
-            name = "${secret.generator}_${secret.name}";
-            path = secretPath secret;
+    #
+    secrets = mapGeneratorsToSopsSecrets {
+      inherit machineName;
+      directory = config.clan.core.settings.directory;
+      class = _class;
+      generators = config.clan.core.vars.generators;
    };
-          format = "binary";
-        }
-        // (lib.optionalAttrs (_class == "nixos") {
-          inherit (secret) restartUnits;
-        });
-      }) (builtins.filter (x: builtins.pathExists (secretPath x)) vars)
-    );

    # To get proper error messages about missing secrets we need a dummy secret file that is always present
    defaultSopsFile = lib.mkIf config.sops.validateSopsFiles (
--- a/nixosModules/clanCore/vars/secret/sops/generators-to-sops.nix
+++ b/nixosModules/clanCore/vars/secret/sops/generators-to-sops.nix
@@ -0,0 +1,77 @@
+# This file maps generators to sops.secrets
+# TODO(@davHau): add tests
+{
+  lib ? import <nixpkgs/lib>,
+  # Can be mocked for testing
+  pathExists ? builtins.pathExists,
+}:
+let
+  inherit (lib)
+    filterAttrs
+    mapAttrsToList
+    ;
+
+  relevantFiles = filterAttrs (
+    _name: f: f.secret && f.deploy && (f.neededFor == "users" || f.neededFor == "services")
+  );
+
+  extractSecretDefinitions =
+    generators:
+    builtins.concatLists (
+      mapAttrsToList (
+        gen_name: generator:
+        mapAttrsToList (fname: file: {
+          name = fname;
+          generator = gen_name;
+          neededForUsers = file.neededFor == "users";
+          inherit (generator) share;
+          inherit (file)
+            owner
+            group
+            mode
+            restartUnits
+            ;
+        }) (relevantFiles generator.files)
+      ) generators
+    );
+
+  mapGeneratorsToSopsSecrets =
+    {
+      machineName,
+      directory,
+      class,
+      generators,
+    }:
+    assert lib.assertMsg (class == "nixos" || class == "darwin")
+      "Error trying to map 'var.generators' to 'sops.secrets': class must be 'nixos' or 'darwin', got: ${class}";
+    let
+      getSecretPath =
+        secret:
+        let
+          scope = if secret.share then "shared" else "per-machine/${machineName}";
+        in
+        "${directory}/vars/${scope}/${secret.generator}/${secret.name}/secret";
+    in
+    lib.listToAttrs (
+      map (secret: {
+        name = "vars/${secret.generator}/${secret.name}";
+        value = {
+          inherit (secret)
+            owner
+            group
+            mode
+            neededForUsers
+            ;
+          sopsFile = builtins.path {
+            name = "${secret.generator}_${secret.name}";
+            path = getSecretPath secret;
+          };
+          format = "binary";
+        }
+        // (lib.optionalAttrs (class == "nixos") {
+          inherit (secret) restartUnits;
+        });
+      }) (builtins.filter (x: pathExists (getSecretPath x)) (extractSecretDefinitions generators))
+    );
+in
+mapGeneratorsToSopsSecrets