rewrite sops backend for secret generation and add tests

pkgs/clan-cli/clan_cli/secrets/upload.py

@@ -1,20 +1,25 @@
 import argparse
 import json
 import subprocess
-
-from clan_cli.errors import ClanError
+import sys
+from pathlib import Path
 
 from ..dirs import get_clan_flake_toplevel
-from ..nix import nix_build, nix_eval
+from ..errors import ClanError
+from ..nix import nix_build, nix_config, nix_eval
+from ..ssh import parse_deployment_address
+from .secrets import decrypt_secret, has_secret
 
 
 def upload_secrets(machine: str) -> None:
     clan_dir = get_clan_flake_toplevel().as_posix()
+    config = nix_config()
+    system = config["system"]
 
     proc = subprocess.run(
         nix_build(
             [
-                f'{clan_dir}#nixosConfigurations."{machine}".config.system.clan.uploadSecrets'
+                f'{clan_dir}#nixosConfigurations."{machine}".config.system.clan.{system}.uploadSecrets'
             ]
         ),
         stdout=subprocess.PIPE,
@@ -48,6 +53,34 @@ def upload_secrets(machine: str) -> None:
         print("successfully uploaded secrets")
 
 
+# this is called by the sops.nix clan core module
+def upload_age_key_from_nix(
+    machine_name: str, deployment_address: str, age_key_file: str
+) -> None:
+    secret_name = f"{machine_name}-age.key"
+    if not has_secret(secret_name):  # skip uploading the secret, not managed by us
+        return
+    secret = decrypt_secret(secret_name)
+
+    h = parse_deployment_address(machine_name, deployment_address)
+    path = Path(age_key_file)
+
+    proc = h.run(
+        [
+            "bash",
+            "-c",
+            'mkdir -p "$0" && echo -n "$1" > "$2"',
+            str(path.parent),
+            secret,
+            age_key_file,
+        ],
+        check=False,
+    )
+    if proc.returncode != 0:
+        print(f"failed to upload age key to {deployment_address}")
+        sys.exit(1)
+
+
 def upload_command(args: argparse.Namespace) -> None:
     upload_secrets(args.machine)