secrets: use CLAN_DIR instead of clanCore.clanDir for fact storage

lassulus
2023-09-14 15:22:13 +02:00
committed by Mic92
parent 6b7301cefb
commit 0132abc547
6 changed files with 32 additions and 56 deletions


@@ -59,10 +59,10 @@
description = '' description = ''
path to a fact which is generated by the generator path to a fact which is generated by the generator
''; '';
default = "${config.clanCore.clanDir}/machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}"; default = "machines/${config.clanCore.machineName}/facts/${fact.config._module.args.name}";
}; };
value = lib.mkOption { value = lib.mkOption {
default = builtins.readFile fact.config.path; default = builtins.readFile "${config.clanCore.clanDir}/fact.config.path";
}; };
}; };
})); }));
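Review bot: The new default of the `value` option reads a file literally named `fact.config.path` under the clan directory, because `"${config.clanCore.clanDir}/fact.config.path"` only interpolates `clanDir` and leaves `fact.config.path` as plain text; with the new relative default for `path`, every fact value would fail with a missing-file error. It should be `default = builtins.readFile "${config.clanCore.clanDir}/${fact.config.path}";`. Since `path` is now relative to the clan directory rather than absolute, a one-line note on the `path` option, e.g. `# relative to clanCore.clanDir; scripts join it with $CLAN_DIR`, would keep the next reader from joining it with the wrong base. The enclosing submodule definition starts before the hunk.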


@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
passwordstoreDir = "$HOME/.password-store"; passwordstoreDir = "\${PASSWORD_STORE_DIR:-$HOME/.password-store}";
in in
{ {
options.clan.password-store.targetDirectory = lib.mkOption { options.clan.password-store.targetDirectory = lib.mkOption {
@@ -14,8 +14,8 @@ in
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" '' system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
#!/bin/sh #!/bin/sh
set -efu set -efu
set -x # remove for prod
test -d "$CLAN_DIR"
PATH=${lib.makeBinPath [ PATH=${lib.makeBinPath [
pkgs.pass pkgs.pass
]}:$PATH ]}:$PATH
@@ -36,7 +36,7 @@ in
${lib.concatMapStrings (fact: '' ${lib.concatMapStrings (fact: ''
mkdir -p "$(dirname ${fact.path})" mkdir -p "$(dirname ${fact.path})"
cp "$facts"/${fact.name} ${fact.path} cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
'') (lib.attrValues v.facts)} '') (lib.attrValues v.facts)}
${lib.concatMapStrings (secret: '' ${lib.concatMapStrings (secret: ''
@@ -48,7 +48,6 @@ in
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" '' system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
#!/bin/sh #!/bin/sh
set -efu set -efu
set -x # remove for prod
target=$1 target=$1
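Review bot: In the `@@ -36,7` hunk the directory is still created with `mkdir -p "$(dirname ${fact.path})"` while the copy on the next line now targets `"$CLAN_DIR"/${fact.path}`; with the fact path now relative to the clan directory, mkdir creates the tree relative to the script's working directory and the `cp` can fail because its target directory does not exist. The mkdir should use the same base and both commands should quote the path: `mkdir -p "$(dirname "$CLAN_DIR/${fact.path}")"` and `cp "$facts"/${fact.name} "$CLAN_DIR/${fact.path}"`. The same pair of lines appears in the other generate-secrets script (the `@@ -55,7` hunk of the next file) and needs the same change. The `test -d "$CLAN_DIR"` added in the `@@ -14,8` hunk is a good precondition but aborts with no message under `set -e`; `test -d "$CLAN_DIR" || { echo "CLAN_DIR must point to the clan directory" >&2; exit 1; }` tells the caller why.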


@@ -25,7 +25,8 @@ in
system.clan.generateSecrets = pkgs.writeScript "generate-secrets" '' system.clan.generateSecrets = pkgs.writeScript "generate-secrets" ''
#!/bin/sh #!/bin/sh
set -efu set -efu
set -x # remove for prod
test -d "$CLAN_DIR"
PATH=$PATH:${lib.makeBinPath [ PATH=$PATH:${lib.makeBinPath [
config.clanCore.clanPkgs.clan-cli config.clanCore.clanPkgs.clan-cli
@@ -55,7 +56,7 @@ in
${lib.concatMapStrings (fact: '' ${lib.concatMapStrings (fact: ''
mkdir -p "$(dirname ${fact.path})" mkdir -p "$(dirname ${fact.path})"
cp "$facts"/${fact.name} ${fact.path} cp "$facts"/${fact.name} "$CLAN_DIR"/${fact.path}
'') (lib.attrValues v.facts)} '') (lib.attrValues v.facts)}
${lib.concatMapStrings (secret: '' ${lib.concatMapStrings (secret: ''


@@ -1,44 +1,18 @@
import json
import os import os
import tempfile import tempfile
from pathlib import Path
from .dirs import get_clan_flake_toplevel, nixpkgs_flake, nixpkgs_source, unfree_nixpkgs from .dirs import nixpkgs_flake, nixpkgs_source, unfree_nixpkgs
def nix_build_machine( def nix_build(
machine: str, attr: list[str], flake_url: Path | None = None flags: list[str],
) -> list[str]: ) -> list[str]:
if flake_url is None:
flake_url = get_clan_flake_toplevel()
payload = json.dumps(
dict(
clan_flake=flake_url.as_posix(),
machine=machine,
attr=attr,
)
)
escaped_payload = json.dumps(payload)
return [ return [
"nix", "nix",
"build", "build",
"--no-link", "--no-link",
"--impure",
"--print-out-paths", "--print-out-paths",
"--expr", ] + flags
f"let args = builtins.fromJSON {escaped_payload}; in "
"""
let
flake = builtins.getFlake args.clan_flake;
config = flake.nixosConfigurations.${args.machine}.extendModules {
modules = [{
clanCore.clanDir = args.clan_flake;
}];
};
in
flake.inputs.nixpkgs.lib.getAttrFromPath args.attr config
""",
]
def nix_eval(flags: list[str]) -> list[str]: def nix_eval(flags: list[str]) -> list[str]:
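Review bot: `nix_build` has no docstring and its contract changed from "build one attribute of a machine" to "prefix the common `nix build` options and append whatever the caller passes", so readers of the call sites now have to know that `flags` must carry the installable. A docstring such as `"""Return the argv for `nix build --no-link --print-out-paths` followed by `flags`; `flags` must include the installable (e.g. a flake reference)."""` would make that explicit. Dropping `--impure` is presumably intentional now that the `builtins.getFlake` expression is gone; if any caller still relies on impure evaluation, that should be stated next to the option list. Whether `Path` is still used elsewhere in the file after removing its import cannot be seen from this hunk.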


@@ -1,22 +1,24 @@
import argparse import argparse
import os
import subprocess import subprocess
import sys import sys
from clan_cli.errors import ClanError from clan_cli.errors import ClanError
from ..nix import nix_build_machine from ..dirs import get_clan_flake_toplevel
from ..nix import nix_build
def generate_secrets(machine: str) -> None: def generate_secrets(machine: str) -> None:
clan_dir = get_clan_flake_toplevel().as_posix().strip()
env = os.environ.copy()
env["CLAN_DIR"] = clan_dir
proc = subprocess.run( proc = subprocess.run(
nix_build_machine( nix_build(
machine=machine, [
attr=[ f'path:{clan_dir}#nixosConfigurations."{machine}".config.system.clan.generateSecrets'
"config", ]
"system",
"clan",
"generateSecrets",
],
), ),
capture_output=True, capture_output=True,
text=True, text=True,
@@ -29,6 +31,7 @@ def generate_secrets(machine: str) -> None:
print(secret_generator_script) print(secret_generator_script)
secret_generator = subprocess.run( secret_generator = subprocess.run(
[secret_generator_script], [secret_generator_script],
env=env,
) )
if secret_generator.returncode != 0: if secret_generator.returncode != 0:
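Review bot: In the first hunk `machine` is interpolated unchecked into the Nix attribute path `nixosConfigurations."{machine}"`, so a name containing `"`, `$` or `#` yields a malformed or different installable; the argv list goes to `subprocess.run` without a shell, so this is an evaluation-target problem rather than command injection, but a guard before the f-string is cheap: `if not re.fullmatch(r"[A-Za-z0-9_.-]+", machine): raise ClanError(f"invalid machine name: {machine}")` (with `import re`). The `.strip()` on `clan_dir` has no effect on a normal path and would silently alter one ending in whitespace; dropping it also matches `upload_secrets`, which uses `as_posix()` alone. `upload_secrets` in the next file builds its reference without the `path:` prefix used here, so the two call sites resolve the flake differently and should agree. Only the generator run receives `env` with `CLAN_DIR`; whether the upload script needs it too cannot be seen from these hunks.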


@@ -4,19 +4,18 @@ import sys
from clan_cli.errors import ClanError from clan_cli.errors import ClanError
from ..nix import nix_build_machine from ..dirs import get_clan_flake_toplevel
from ..nix import nix_build
def upload_secrets(machine: str) -> None: def upload_secrets(machine: str) -> None:
clan_dir = get_clan_flake_toplevel().as_posix()
proc = subprocess.run( proc = subprocess.run(
nix_build_machine( nix_build(
machine=machine, [
attr=[ f'{clan_dir}#nixosConfigurations."{machine}".config.system.clan.uploadSecrets'
"config", ]
"system",
"clan",
"uploadSecrets",
],
), ),
capture_output=True, capture_output=True,
text=True, text=True,