secrets: use clanInternal for crosscompiling, move sops generators to new file

2023-09-20 18:08:47 +02:00
parent 18c360f729
commit aeed648bd0
6 changed files with 183 additions and 165 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/upload.py
+++ b/pkgs/clan-cli/clan_cli/secrets/upload.py
@@ -1,14 +1,10 @@
 import argparse
 import json
 import subprocess
-import sys
-from pathlib import Path

 from ..dirs import get_clan_flake_toplevel
 from ..errors import ClanError
 from ..nix import nix_build, nix_config, nix_eval
-from ..ssh import parse_deployment_address
-from .secrets import decrypt_secret, has_secret


 def upload_secrets(machine: str) -> None:
@@ -19,7 +15,7 @@ def upload_secrets(machine: str) -> None:
    proc = subprocess.run(
        nix_build(
            [
-                f'{clan_dir}#nixosConfigurations."{machine}".config.system.clan.{system}.uploadSecrets'
+                f'{clan_dir}#clanInternals.machines."{machine}".{system}.config.system.clan.uploadSecrets'
            ]
        ),
        stdout=subprocess.PIPE,
@@ -30,7 +26,7 @@ def upload_secrets(machine: str) -> None:
        subprocess.run(
            nix_eval(
                [
-                    f'{clan_dir}#nixosConfigurations."{machine}".config.clan.networking.deploymentAddress'
+                    f'{clan_dir}#clanInternals.machines."{machine}".{system}.config.clan.networking.deploymentAddress'
                ]
            ),
            stdout=subprocess.PIPE,
@@ -53,34 +49,6 @@ def upload_secrets(machine: str) -> None:
        print("successfully uploaded secrets")


-# this is called by the sops.nix clan core module
-def upload_age_key_from_nix(
-    machine_name: str, deployment_address: str, age_key_file: str
-) -> None:
-    secret_name = f"{machine_name}-age.key"
-    if not has_secret(secret_name):  # skip uploading the secret, not managed by us
-        return
-    secret = decrypt_secret(secret_name)
-
-    h = parse_deployment_address(machine_name, deployment_address)
-    path = Path(age_key_file)
-
-    proc = h.run(
-        [
-            "bash",
-            "-c",
-            'mkdir -p "$0" && echo -n "$1" > "$2"',
-            str(path.parent),
-            secret,
-            age_key_file,
-        ],
-        check=False,
-    )
-    if proc.returncode != 0:
-        print(f"failed to upload age key to {deployment_address}")
-        sys.exit(1)
-
-
 def upload_command(args: argparse.Namespace) -> None:
    upload_secrets(args.machine)