clan-cli secrets: commit facts/secrets after generating them
This commit is contained in:
parent
e265537f69
commit
815527ec2b
@ -9,6 +9,7 @@ from tempfile import TemporaryDirectory
|
|||
from clan_cli.cmd import run
|
||||
|
||||
from ..errors import ClanError
|
||||
from ..git import commit_files
|
||||
from ..machines.machines import Machine
|
||||
from ..nix import nix_shell
|
||||
from .check import check_secrets
|
||||
|
@ -26,6 +27,10 @@ def generate_secrets(machine: Machine) -> None:
|
|||
# check if all secrets exist and generate them if at least one is missing
|
||||
needs_regeneration = not check_secrets(machine)
|
||||
if needs_regeneration:
|
||||
if not isinstance(machine.flake, Path):
|
||||
msg = f"flake is not a Path: {machine.flake}"
|
||||
msg += "fact/secret generation is only supported for local flakes"
|
||||
|
||||
env = os.environ.copy()
|
||||
facts_dir = tmpdir / "facts"
|
||||
facts_dir.mkdir(parents=True)
|
||||
|
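Review bot: The `msg` assembled under `if not isinstance(machine.flake, Path):` is never raised — the hunk goes straight on to `env = os.environ.copy()`, so a non-local flake proceeds and presumably only fails later at `machine.flake / fact_path` with a less specific error. Add `raise ClanError(msg)` after the second `msg +=` line. The two message parts are also joined without a separator, yielding `...{machine.flake}fact/secret generation...`; use `msg += "\nfact/secret generation is only supported for local flakes"`. generate_secrets continues outside the hunk.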
@ -58,6 +63,7 @@ def generate_secrets(machine: Machine) -> None:
|
|||
cmd,
|
||||
env=env,
|
||||
)
|
||||
files_to_commit = []
|
||||
# store secrets
|
||||
for secret in machine.secrets_data[service]["secrets"]:
|
||||
secret_file = secrets_dir / secret
|
||||
|
@ -65,7 +71,12 @@ def generate_secrets(machine: Machine) -> None:
|
|||
msg = f"did not generate a file for '{secret}' when running the following command:\n"
|
||||
msg += machine.secrets_data[service]["generator"]
|
||||
raise ClanError(msg)
|
||||
secret_store.set(service, secret, secret_file.read_bytes())
|
||||
secret_path = secret_store.set(
|
||||
service, secret, secret_file.read_bytes()
|
||||
)
|
||||
if secret_path:
|
||||
files_to_commit.append(secret_path)
|
||||
|
||||
# store facts
|
||||
for name, fact_path in machine.secrets_data[service]["facts"].items():
|
||||
fact_file = facts_dir / name
|
||||
|
@ -76,6 +87,12 @@ def generate_secrets(machine: Machine) -> None:
|
|||
fact_path = machine.flake / fact_path
|
||||
fact_path.parent.mkdir(parents=True, exist_ok=True)
|
||||
shutil.copyfile(fact_file, fact_path)
|
||||
files_to_commit.append(fact_path)
|
||||
commit_files(
|
||||
files_to_commit,
|
||||
machine.flake_dir,
|
||||
f"Update facts/secrets for service {service} in machine {machine.name}",
|
||||
)
|
||||
|
||||
print("successfully generated secrets")
|
||||
|
||||
|
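Review bot: `commit_files(files_to_commit, machine.flake_dir, ...)` runs even when `files_to_commit` is empty, which is the normal case for the password-store backend (its `set` returns None) whenever a service declares no facts; unless commit_files tolerates an empty list, guard it with `if files_to_commit:`. Indentation is lost in this rendering, so whether the call sits inside the per-service loop cannot be confirmed; if it does, each service lands in its own commit, which may be intended but is worth a comment such as `# one commit per service so a later failure does not lose earlier results`. Note that the sops backend hands back the path it passed to encrypt_secret, so only encrypted material is staged here. generate_secrets starts outside the hunk.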
|
|
@ -10,7 +10,7 @@ class SecretStore:
|
|||
def __init__(self, machine: Machine) -> None:
|
||||
self.machine = machine
|
||||
|
||||
def set(self, service: str, name: str, value: bytes) -> None:
|
||||
def set(self, _service: str, name: str, value: bytes) -> Path | None:
|
||||
subprocess.run(
|
||||
nix_shell(
|
||||
["nixpkgs#pass"],
|
||||
|
@ -19,8 +19,9 @@ class SecretStore:
|
|||
input=value,
|
||||
check=True,
|
||||
)
|
||||
return None # we manage the files outside of the git repo
|
||||
|
||||
def get(self, service: str, name: str) -> bytes:
|
||||
def get(self, _service: str, name: str) -> bytes:
|
||||
return subprocess.run(
|
||||
nix_shell(
|
||||
["nixpkgs#pass"],
|
||||
|
@ -30,7 +31,7 @@ class SecretStore:
|
|||
stdout=subprocess.PIPE,
|
||||
).stdout
|
||||
|
||||
def exists(self, service: str, name: str) -> bool:
|
||||
def exists(self, _service: str, name: str) -> bool:
|
||||
password_store = os.environ.get(
|
||||
"PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
|
||||
)
|
||||
|
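Review bot: The new `Path | None` annotation on `set` requires `Path` to be in scope in this module, and the section shows no import hunk; confirm `from pathlib import Path` (or `from __future__ import annotations`) is present. The contract the annotation introduces — return the repository file that should be committed, or None when the backend keeps the secret outside the repo — is only carried by the trailing comment; a docstring on `set` such as `"""Store the secret in pass; returns None because nothing is written inside the flake repo."""` would state it explicitly, and the sops counterpart's `set` would benefit from the mirror statement that its returned path is the encrypted file. The enclosing class continues outside the hunk.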
|
|
@ -28,13 +28,17 @@ class SecretStore:
|
|||
)
|
||||
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
|
||||
|
||||
def set(self, _service: str, name: str, value: bytes) -> None:
|
||||
def set(self, _service: str, name: str, value: bytes) -> Path | None:
|
||||
path = (
|
||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}"
|
||||
)
|
||||
encrypt_secret(
|
||||
self.machine.flake_dir,
|
||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
|
||||
path,
|
||||
value.decode(),
|
||||
add_machines=[self.machine.name],
|
||||
)
|
||||
return path
|
||||
|
||||
def get(self, _service: str, _name: str) -> bytes:
|
||||
raise NotImplementedError()
|
||||
|
|