diff --git a/nixosModules/clanCore/secrets/default.nix b/nixosModules/clanCore/secrets/default.nix
index e8c115e..700f5d0 100644
--- a/nixosModules/clanCore/secrets/default.nix
+++ b/nixosModules/clanCore/secrets/default.nix
@@ -59,10 +59,10 @@
description = ''
path to a fact which is generated by the generator
'';
- default = "${config.clanCore.clanDir}/machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
+ default = "machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
};
value = lib.mkOption {
- default = builtins.readFile fact.config.path;
+ default = builtins.readFile "${config.clanCore.clanDir}/fact.config.path";
};
};
}));
diff --git a/nixosModules/clanCore/secrets/password-store.nix b/nixosModules/clanCore/secrets/password-store.nix
index 0cb5873..3db20e0 100644
--- a/nixosModules/clanCore/secrets/password-store.nix
+++ b/nixosModules/clanCore/secrets/password-store.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
let
- passwordstoreDir = "$HOME/.password-store";
+ passwordstoreDir = "\${PASSWORD_STORE_DIR:-$HOME/.password-store}";
in
{
options.clan.password-store.targetDirectory = lib.mkOption {
@@ -14,8 +14,8 @@ in
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
#!/bin/sh
set -efu
- set -x # remove for prod
+ test -d "$CLAN_DIR"
PATH=${lib.makeBinPath [ pkgs.pass ]}:$PATH
@@ -36,7 +36,7 @@ in
${lib.concatMapStrings (fact: ''
mkdir -p "$(dirname ${fact.path})"
- cp "$facts"/${fact.name} ${fact.path}
+ cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
'') (lib.attrValues v.facts)}
${lib.concatMapStrings (secret: ''
@@ -48,7 +48,6 @@ in
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
#!/bin/sh
set -efu
- set -x # remove for prod
target=$1
diff --git a/nixosModules/clanCore/secrets/sops.nix b/nixosModules/clanCore/secrets/sops.nix
index 5fe455d..25d0af6 100644
--- a/nixosModules/clanCore/secrets/sops.nix
+++ b/nixosModules/clanCore/secrets/sops.nix
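Review bot: The new `value` default reads a file literally named `fact.config.path`: in `builtins.readFile "${config.clanCore.clanDir}/fact.config.path"` only `config.clanCore.clanDir` is interpolated, so the fact's own relative path is never used and every fact resolves to the same non-existent file. The line should read `default = builtins.readFile "${config.clanCore.clanDir}/${fact.config.path}";`. Since `path` is now relative to the clan directory, the option description two lines up could say so, e.g. `path to a fact which is generated by the generator, relative to clanCore.clanDir`. Whether `config.clanCore.clanDir` is still set anywhere now that the CLI no longer injects it (see the nix.py hunk) is not visible from this diff.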
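Review bot: `test -d "$CLAN_DIR"` in the `@@ -14,8 +14,8 @@` hunk gives no diagnostic when its precondition fails: under `set -efu` an unset `CLAN_DIR` aborts with the shell's generic unbound-variable message, and a missing directory exits 1 silently, which generate.py then reports only as a failed generator script. Something like `test -d "''${CLAN_DIR:-}" || { echo "CLAN_DIR must point to the clan directory" >&2; exit 1; }` names the cause (the `''${` escape keeps Nix from interpolating it). The same line is added to sops.nix at `@@ -25,7 +25,8 @@`. The `generate-secrets` script this sits in continues outside the hunk.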
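Review bot: In the `@@ -36,7 +36,7 @@` hunk the `mkdir -p "$(dirname ${fact.path})"` line directly above the changed `cp` still creates the parent directory relative to the script's working directory, while the copy now targets `"$CLAN_DIR"/${fact.path}`; whenever `$CLAN_DIR/machines/<name>/facts` does not already exist the `cp` fails and `set -e` aborts the script. Change it to `mkdir -p "$(dirname "$CLAN_DIR"/${fact.path})"`. Quoting the interpolated path as one word, `"$CLAN_DIR/${fact.path}"`, would also stop a machine or fact name containing whitespace from splitting the argument. sops.nix at `@@ -55,7 +56,7 @@` has the identical pair of lines. The `concatMapStrings` block belongs to a script that starts and ends outside the hunk.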
@@ -25,7 +25,8 @@ in
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
#!/bin/sh
set -efu
- set -x # remove for prod
+
+ test -d "$CLAN_DIR"
PATH=$PATH:${lib.makeBinPath [ config.clanCore.clanPkgs.clan-cli
@@ -55,7 +56,7 @@ in
${lib.concatMapStrings (fact: ''
mkdir -p "$(dirname ${fact.path})"
- cp "$facts"/${fact.name} ${fact.path}
+ cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
'') (lib.attrValues v.facts)}
${lib.concatMapStrings (secret: ''
diff --git a/pkgs/clan-cli/clan_cli/nix.py b/pkgs/clan-cli/clan_cli/nix.py
index 212b55b..0a34fac 100644
--- a/pkgs/clan-cli/clan_cli/nix.py
+++ b/pkgs/clan-cli/clan_cli/nix.py
@@ -1,44 +1,18 @@
-import json
import os
import tempfile
-from pathlib import Path
-from .dirs import get_clan_flake_toplevel, nixpkgs_flake, nixpkgs_source, unfree_nixpkgs
+from .dirs import nixpkgs_flake, nixpkgs_source, unfree_nixpkgs
-def nix_build_machine(
- machine: str, attr: list[str], flake_url: Path | None = None
+def nix_build(
+ flags: list[str],
) -> list[str]:
- if flake_url is None:
- flake_url = get_clan_flake_toplevel()
- payload = json.dumps(
- dict(
- clan_flake=flake_url.as_posix(),
- machine=machine,
- attr=attr,
- )
- )
- escaped_payload = json.dumps(payload)
return [
"nix",
"build",
"--no-link",
- "--impure",
"--print-out-paths",
- "--expr",
- f"let args = builtins.fromJSON {escaped_payload}; in " """
- let
- flake = builtins.getFlake args.clan_flake;
- config = flake.nixosConfigurations.${args.machine}.extendModules {
- modules = [{
- clanCore.clanDir = args.clan_flake;
- }];
- };
- in
- flake.inputs.nixpkgs.lib.getAttrFromPath args.attr config
- """,
- ]
+ ] + flags
def nix_eval(flags: list[str]) -> list[str]:
diff --git a/pkgs/clan-cli/clan_cli/secrets/generate.py b/pkgs/clan-cli/clan_cli/secrets/generate.py
index 3093eee..782bb55 100644
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
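Review bot: `nix_build` has no docstring and its single parameter is spread over three lines; `def nix_build(flags: list[str]) -> list[str]:` would match the neighbouring `nix_eval`, and a one-liner such as `"""Return the argv for ``nix build --no-link --print-out-paths`` with *flags* appended."""` states the contract. Dropping `--impure` together with the `--expr` that set `clanCore.clanDir = args.clan_flake` means callers now evaluate the flake purely and nothing in this function sets `clanDir` any more; if the flake sets that option itself this is fine, but a comment on the function saying the caller is responsible for passing a complete installable (and where `clanDir` now comes from) would save the next reader the search. The surrounding import block still lists `os` and `tempfile`; whether the rest of the file still uses them after this removal is outside the hunk.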
@@ -1,22 +1,24 @@
import argparse
+import os
import subprocess
import sys
from clan_cli.errors import ClanError
-from ..nix import nix_build_machine
+from ..dirs import get_clan_flake_toplevel
+from ..nix import nix_build
def generate_secrets(machine: str) -> None:
+ clan_dir = get_clan_flake_toplevel().as_posix().strip()
+ env = os.environ.copy()
+ env["CLAN_DIR"] = clan_dir
+
proc = subprocess.run(
- nix_build_machine(
- machine=machine,
- attr=[
- "config",
- "system",
- "clan",
- "generateSecrets",
- ],
+ nix_build(
+ [
+ f'path:{clan_dir}#nixosConfigurations."{machine}".config.system.clan.generateSecrets'
+ ]
),
capture_output=True,
text=True,
@@ -29,6 +31,7 @@ def generate_secrets(machine: str) -> None:
print(secret_generator_script)
secret_generator = subprocess.run(
[secret_generator_script],
+ env=env,
)
if secret_generator.returncode != 0:
diff --git a/pkgs/clan-cli/clan_cli/secrets/upload.py b/pkgs/clan-cli/clan_cli/secrets/upload.py
index 344a006..8dc4afe 100644
--- a/pkgs/clan-cli/clan_cli/secrets/upload.py
+++ b/pkgs/clan-cli/clan_cli/secrets/upload.py
@@ -4,19 +4,18 @@ import sys
from clan_cli.errors import ClanError
-from ..nix import nix_build_machine
+from ..dirs import get_clan_flake_toplevel
+from ..nix import nix_build
def upload_secrets(machine: str) -> None:
+ clan_dir = get_clan_flake_toplevel().as_posix()
+
proc = subprocess.run(
- nix_build_machine(
- machine=machine,
- attr=[
- "config",
- "system",
- "clan",
- "uploadSecrets",
- ],
+ nix_build(
+ [
+ f'{clan_dir}#nixosConfigurations."{machine}".config.system.clan.uploadSecrets'
+ ]
),
capture_output=True,
text=True,
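Review bot: `machine` is interpolated unescaped into the installable `path:{clan_dir}#nixosConfigurations."{machine}".config...`, so a name containing `"` or `#` changes the attribute path that `nix build` parses instead of failing with a clear error; validating it before building the string, e.g. `if not re.fullmatch(r"[A-Za-z0-9_.-]+", machine): raise ClanError(f"invalid machine name: {machine!r}")` (with `import re` added at the top), keeps the failure on the CLI side, and the same applies to the upload.py hunk below. `clan_dir` is also derived differently in the two hunks: here with `.strip()` and a `path:` prefix, in upload.py with neither, and the prefix matters because a bare directory inside a git checkout is treated as a git flake that only sees tracked files, whereas `path:` copies the whole working tree — untracked files included — into the Nix store, so the two scripts may not even evaluate the same tree. One helper in nix.py that builds the installable from `clan_dir`, `machine` and the attribute name would make both callers agree and give the validation a single home; `.strip()` on a path string is at best a no-op and should go.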