From 11bf0b8b9e11e7b6841c0dda2c50d53a119c80bb Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 3 Mar 2024 09:18:45 +0100
Subject: [PATCH] clan-cli sops: accept bytes
---
 pkgs/clan-cli/clan_cli/secrets/modules/sops.py | 2 +-
 pkgs/clan-cli/clan_cli/secrets/secrets.py | 2 +-
 pkgs/clan-cli/clan_cli/secrets/sops.py | 14 ++++++++++----
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
index e2c0bb07..c770ac80 100644
--- a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
@@ -39,7 +39,7 @@ class SecretStore(SecretStoreBase):
 encrypt_secret(
 self.machine.flake_dir,
 path,
- value.decode(),
+ value,
 add_machines=[self.machine.name],
 add_groups=groups,
 )
diff --git a/pkgs/clan-cli/clan_cli/secrets/secrets.py b/pkgs/clan-cli/clan_cli/secrets/secrets.py
index a95a0644..24518787 100644
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@@ -57,7 +57,7 @@ def collect_keys_for_path(path: Path) -> set[str]:
 def encrypt_secret(
 flake_dir: Path,
 secret: Path,
- value: IO[str] | str | None,
+ value: IO[str] | str | bytes | None,
 add_users: list[str] = [],
 add_machines: list[str] = [],
 add_groups: list[str] = [],
diff --git a/pkgs/clan-cli/clan_cli/secrets/sops.py b/pkgs/clan-cli/clan_cli/secrets/sops.py
index 181e2c54..f245c95d 100644
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -134,7 +134,7 @@ def update_keys(secret_path: Path, keys: list[str]) -> None:
 def encrypt_file(
- secret_path: Path, content: IO[str] | str | None, keys: list[str]
+ secret_path: Path, content: IO[str] | str | bytes | None, keys: list[str]
 ) -> None:
 folder = secret_path.parent
 folder.mkdir(parents=True, exist_ok=True)
@@ -157,11 +157,17 @@ def encrypt_file(
 # hopefully /tmp is written to an in-memory file to avoid leaking secrets
 with NamedTemporaryFile(delete=False) as f:
 try:
- with open(f.name, "w") as fd:
- if isinstance(content, str):
+ if isinstance(content, str):
+ with open(f.name, "w") as fd:
 fd.write(content)
- else:
+ elif isinstance(content, bytes):
+ with open(f.name, "wb") as fd:
+ fd.write(content)
+ elif isinstance(content, IO):
+ with open(f.name, "w") as fd:
 shutil.copyfileobj(content, fd)
+ else:
+ raise ClanError("Invalid content type")
 # we pass an empty manifest to pick up existing configuration of the user
 args = ["sops", "--config", str(manifest)]
 args.extend(["-i", "--encrypt", str(f.name)])
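Review bot: The new `elif isinstance(content, IO):` branch will not match ordinary file objects if `IO` is `typing.IO`, as the `IO[str]` annotation suggests: `sys.stdin`, an `open()` handle and `io.StringIO` are not instances of that class, so a stream the old `else:` copied now falls through to `raise ClanError("Invalid content type")`. Test against the runtime base class instead, for example `elif isinstance(content, io.IOBase):` (with `import io`), or check for a `read` method. Rejecting unknown types is a sound fail-closed default, but the raise happens after `NamedTemporaryFile(delete=False)` has already created the file; the `try:` continues outside the hunk, so confirm its cleanup removes the temp file on this path too. `None` is still permitted by the annotation and now ends in the same generic error, so a message that names `type(content)` (never the value itself) would make that case easier to diagnose.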