clan-cli secrets: deploy -> upload

This commit is contained in:
lassulus
2023-09-14 13:49:20 +02:00
committed by Mic92
parent 55fc055549
commit c5786614bf
7 changed files with 63 additions and 63 deletions


@@ -68,9 +68,9 @@
}; };
})); }));
}; };
config.system.build.generateDeploySecrets = pkgs.writeScript "generate_deploy_secrets" '' config.system.build.generateUploadSecrets = pkgs.writeScript "generate_upload_secrets" ''
${config.system.build.generateSecrets} ${config.system.clan.generateSecrets}
${config.system.build.deploySecrets} ${config.system.clan.uploadSecrets}
''; '';
imports = [ imports = [
./sops.nix ./sops.nix


@@ -7,7 +7,7 @@ in
type = lib.types.path; type = lib.types.path;
default = "/etc/secrets"; default = "/etc/secrets";
description = '' description = ''
The directory where the password store is deployed to. The directory where the password store is uploaded to.
''; '';
}; };
config = lib.mkIf (config.clanCore.secretStore == "password-store") { config = lib.mkIf (config.clanCore.secretStore == "password-store") {
@@ -45,7 +45,7 @@ in
fi) fi)
'') "" config.clanCore.secrets} '') "" config.clanCore.secrets}
''; '';
system.clan.deploySecrets = pkgs.writeScript "deploy-secrets" '' system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
#!/bin/sh #!/bin/sh
set -efu set -efu
set -x # remove for prod set -x # remove for prod
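Review bot: The upload-secrets script on the new side still runs under `set -x`, so every command it executes — including any whose arguments carry secret material or secret paths — is traced to stderr and can land in terminal scrollback or CI logs; the in-line `# remove for prod` reminder survives the rename unaddressed. Dropping that line, or enabling tracing only behind an explicit debug environment variable, keeps the upload path quiet by default. The writeScript body continues past the end of this hunk, so the commands that would be traced are not visible here.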


@@ -64,8 +64,8 @@ in
fi) fi)
'') "" config.clanCore.secrets} '') "" config.clanCore.secrets}
''; '';
system.clan.deploySecrets = pkgs.writeScript "deploy-secrets" '' system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
echo deployment is not needed for sops secret store, since the secrets are part of the flake echo upload is not needed for sops secret store, since the secrets are part of the flake
''; '';
sops.secrets = builtins.mapAttrs sops.secrets = builtins.mapAttrs
(name: _: { (name: _: {


@@ -4,7 +4,7 @@ import os
import subprocess import subprocess
from ..ssh import Host, HostGroup, HostKeyCheck from ..ssh import Host, HostGroup, HostKeyCheck
from ..secrets.deploy import deploy_secrets from ..secrets.upload import upload_secrets
from ..secrets.generate import generate_secrets from ..secrets.generate import generate_secrets
@@ -35,7 +35,7 @@ def deploy_nixos(hosts: HostGroup) -> None:
ssh_arg += " -i " + h.key if h.key else "" ssh_arg += " -i " + h.key if h.key else ""
generate_secrets(h.host) generate_secrets(h.host)
deploy_secrets(h.host) upload_secrets(h.host)
flake_attr = h.meta.get("flake_attr", "") flake_attr = h.meta.get("flake_attr", "")
if flake_attr: if flake_attr:


@@ -1,13 +1,13 @@
# !/usr/bin/env python3 # !/usr/bin/env python3
import argparse import argparse
from .deploy import register_deploy_parser
from .generate import register_generate_parser from .generate import register_generate_parser
from .groups import register_groups_parser from .groups import register_groups_parser
from .import_sops import register_import_sops_parser from .import_sops import register_import_sops_parser
from .key import register_key_parser from .key import register_key_parser
from .machines import register_machines_parser from .machines import register_machines_parser
from .secrets import register_secrets_parser from .secrets import register_secrets_parser
from .upload import register_upload_parser
from .users import register_users_parser from .users import register_users_parser
@@ -37,8 +37,8 @@ def register_parser(parser: argparse.ArgumentParser) -> None:
) )
register_generate_parser(parser_generate) register_generate_parser(parser_generate)
parser_deploy = subparser.add_parser("deploy", help="deploy secrets for machines") parser_upload = subparser.add_parser("upload", help="upload secrets for machines")
register_deploy_parser(parser_deploy) register_upload_parser(parser_upload)
parser_key = subparser.add_parser("key", help="create and show age keys") parser_key = subparser.add_parser("key", help="create and show age keys")
register_key_parser(parser_key) register_key_parser(parser_key)


@@ -1,51 +0,0 @@
import argparse
import subprocess
import sys
from clan_cli.errors import ClanError
from ..nix import nix_build_machine
def deploy_secrets(machine: str) -> None:
proc = subprocess.run(
nix_build_machine(
machine=machine,
attr=[
"config",
"system",
"clan",
"deploySecrets",
],
),
capture_output=True,
text=True,
)
if proc.returncode != 0:
print(proc.stderr, file=sys.stderr)
raise ClanError(f"failed to deploy secrets:\n{proc.stderr}")
secret_deploy_script = proc.stdout.strip()
secret_deploy = subprocess.run(
[
secret_deploy_script,
f"root@{machine}",
],
)
if secret_deploy.returncode != 0:
raise ClanError("failed to deploy secrets")
else:
print("successfully deployed secrets")
def deploy_command(args: argparse.Namespace) -> None:
deploy_secrets(args.machine)
def register_deploy_parser(parser: argparse.ArgumentParser) -> None:
parser.add_argument(
"machine",
help="The machine to deploy secrets to",
)
parser.set_defaults(func=deploy_command)


@@ -0,0 +1,51 @@
import argparse
import subprocess
import sys
from clan_cli.errors import ClanError
from ..nix import nix_build_machine
def upload_secrets(machine: str) -> None:
proc = subprocess.run(
nix_build_machine(
machine=machine,
attr=[
"config",
"system",
"clan",
"uploadSecrets",
],
),
capture_output=True,
text=True,
)
if proc.returncode != 0:
print(proc.stderr, file=sys.stderr)
raise ClanError(f"failed to upload secrets:\n{proc.stderr}")
secret_upload_script = proc.stdout.strip()
secret_upload = subprocess.run(
[
secret_upload_script,
f"root@{machine}",
],
)
if secret_upload.returncode != 0:
raise ClanError("failed to upload secrets")
else:
print("successfully uploaded secrets")
def upload_command(args: argparse.Namespace) -> None:
upload_secrets(args.machine)
def register_upload_parser(parser: argparse.ArgumentParser) -> None:
parser.add_argument(
"machine",
help="The machine to upload secrets to",
)
parser.set_defaults(func=upload_command)
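Review bot: upload_secrets executes whatever `proc.stdout.strip()` yields without checking that it is non-empty, so if the nix build ever exits 0 with empty stdout the second subprocess.run fails with a bare FileNotFoundError instead of the ClanError callers expect; a guard right after the strip, `if not secret_upload_script: raise ClanError("nix build returned no upload script path")`, keeps failures on one error type. On a failed build the stderr is both printed to sys.stderr and embedded in the ClanError message, so a caller that prints the exception shows it twice; one of the two is enough. The module and its three functions carry no docstrings (the removed deploy module had none either); a one-liner such as `"""Build the machine's uploadSecrets script via nix and run it against root@<machine>."""` on upload_secrets would tell a reader what the two subprocess calls are for.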