
8 Commits

Author SHA1 Message Date
Jörg Thalheim
a2e4b98a93 clan-cli/secrets: suggest clan vars keygen instead 2025-10-07 11:12:04 +02:00
Louis Opter
25ce97dd5e clan-cli/secrets: update some error message in encrypt_secret
Found that while reading through some code.
2025-10-07 11:09:00 +02:00
a-kenji
bd361b2744 docs: Fix nixpkgs hierarchy 2025-10-07 11:09:00 +02:00
clan-bot
ac901f5656 Update nixpkgs-dev in devFlake 2025-10-07 11:09:00 +02:00
clan-bot
8339ad605c Update clan-core-for-checks in devFlake 2025-10-07 11:09:00 +02:00
clan-bot
3473aaa440 Update clan-core-for-checks in devFlake 2025-10-07 11:09:00 +02:00
clan-bot
e983b10331 Update clan-core-for-checks in devFlake 2025-10-07 11:09:00 +02:00
clan-bot
fcf5ccd115 Update nixpkgs-dev in devFlake 2025-10-07 11:09:00 +02:00
4 changed files with 6 additions and 13 deletions


@@ -121,7 +121,6 @@
pkgs.runCommand "docs-integrity"
{
nativeBuildInputs = [ pkgs.html-proofer ];
LANG = "C.UTF-8";
}
''
# External links should be avoided in the docs, because they often break


@@ -158,8 +158,10 @@ def encrypt_secret(
admin_keys = sops.ensure_admin_public_keys(flake_dir)
if not admin_keys:
# TODO double check the correct command to run
msg = "No keys found. Please run 'clan secrets add-key' to add a key."
msg = (
"No admin keys found.\n\n"
"Please run 'clan vars keygen' to generate and set up keys."
)
raise ClanError(msg)
username = next(iter(admin_keys)).username


@@ -355,10 +355,7 @@ def get_public_age_key_from_private_key(privkey: str) -> str:
cmd = nix_shell(["age"], ["age-keygen", "-y"])
error_msg = "Failed to get public key for age private key. Is the key malformed?"
res = run(
cmd,
RunOpts(input=privkey.encode(), error_msg=error_msg, sensitive_input=True),
)
res = run(cmd, RunOpts(input=privkey.encode(), error_msg=error_msg))
return res.stdout.rstrip(os.linesep).rstrip()
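Review bot: The call on the new side, `res = run(cmd, RunOpts(input=privkey.encode(), error_msg=error_msg))`, no longer marks the age private key as sensitive, and the later file section removes the `sensitive_input` field from `RunOpts` together with the `<<REDACTED>>` branch in `run`. What remains there only substitutes `<<binary_blob>>` for non-printable input, so a printable private key would presumably be written to the command log whenever debug logging and `options.trace` are on (the logging statement itself is outside the visible hunk). Keep the flag and the redaction branch, or at minimum call `run(cmd, RunOpts(input=privkey.encode(), error_msg=error_msg, trace=False))` here so the key never reaches the trace path. The function body begins above this hunk.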


@@ -294,8 +294,6 @@ class RunOpts:
# This is needed for GUI applications
graphical_perm: bool = False
trace: bool = True
# Mark input as sensitive to prevent it from being logged (e.g., private keys, passwords)
sensitive_input: bool = False
def cmd_with_root(cmd: list[str], graphical: bool = False) -> list[str]:
@@ -351,10 +349,7 @@ def run(
if cmdlog.isEnabledFor(logging.DEBUG) and options.trace:
if options.input and isinstance(options.input, bytes):
# Always redact sensitive input (e.g., private keys, passwords)
if options.sensitive_input:
filtered_input = "<<REDACTED>>"
elif any(
if any(
not ch.isprintable() for ch in options.input.decode("ascii", "replace")
):
filtered_input = "<<binary_blob>>"