clan-cli secrets: commit facts/secrets after generating them

2024-02-05 10:02:39 +01:00 · 2024-02-05 10:02:39 +01:00 · 815527ec2b
commit 815527ec2b
parent e265537f69
3 changed files with 28 additions and 6 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@ -9,6 +9,7 @@ from tempfile import TemporaryDirectory
 from clan_cli.cmd import run

 from ..errors import ClanError
+from ..git import commit_files
 from ..machines.machines import Machine
 from ..nix import nix_shell
 from .check import check_secrets
@ -26,6 +27,10 @@ def generate_secrets(machine: Machine) -> None:
            # check if all secrets exist and generate them if at least one is missing
            needs_regeneration = not check_secrets(machine)
            if needs_regeneration:
+                if not isinstance(machine.flake, Path):
+                    msg = f"flake is not a Path: {machine.flake}"
+                    msg += "fact/secret generation is only supported for local flakes"
+
                env = os.environ.copy()
                facts_dir = tmpdir / "facts"
                facts_dir.mkdir(parents=True)
@ -58,6 +63,7 @@ def generate_secrets(machine: Machine) -> None:
                    cmd,
                    env=env,
                )
+                files_to_commit = []
                # store secrets
                for secret in machine.secrets_data[service]["secrets"]:
                    secret_file = secrets_dir / secret
@ -65,7 +71,12 @@ def generate_secrets(machine: Machine) -> None:
                        msg = f"did not generate a file for '{secret}' when running the following command:\n"
                        msg += machine.secrets_data[service]["generator"]
                        raise ClanError(msg)
-                    secret_store.set(service, secret, secret_file.read_bytes())
+                    secret_path = secret_store.set(
+                        service, secret, secret_file.read_bytes()
+                    )
+                    if secret_path:
+                        files_to_commit.append(secret_path)
+
                # store facts
                for name, fact_path in machine.secrets_data[service]["facts"].items():
                    fact_file = facts_dir / name
@ -76,6 +87,12 @@ def generate_secrets(machine: Machine) -> None:
                    fact_path = machine.flake / fact_path
                    fact_path.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copyfile(fact_file, fact_path)
+                    files_to_commit.append(fact_path)
+                commit_files(
+                    files_to_commit,
+                    machine.flake_dir,
+                    f"Update facts/secrets for service {service} in machine {machine.name}",
+                )

    print("successfully generated secrets")

--- a/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
@ -10,7 +10,7 @@ class SecretStore:
    def __init__(self, machine: Machine) -> None:
        self.machine = machine

-    def set(self, service: str, name: str, value: bytes) -> None:
+    def set(self, _service: str, name: str, value: bytes) -> Path | None:
        subprocess.run(
            nix_shell(
                ["nixpkgs#pass"],
@ -19,8 +19,9 @@ class SecretStore:
            input=value,
            check=True,
        )
+        return None  # we manage the files outside of the git repo

-    def get(self, service: str, name: str) -> bytes:
+    def get(self, _service: str, name: str) -> bytes:
        return subprocess.run(
            nix_shell(
                ["nixpkgs#pass"],
@ -30,7 +31,7 @@ class SecretStore:
            stdout=subprocess.PIPE,
        ).stdout

-    def exists(self, service: str, name: str) -> bool:
+    def exists(self, _service: str, name: str) -> bool:
        password_store = os.environ.get(
            "PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
        )
--- a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
@ -28,13 +28,17 @@ class SecretStore:
        )
        add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)

-    def set(self, _service: str, name: str, value: bytes) -> None:
+    def set(self, _service: str, name: str, value: bytes) -> Path | None:
+        path = (
+            sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}"
+        )
        encrypt_secret(
            self.machine.flake_dir,
-            sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
+            path,
            value.decode(),
            add_machines=[self.machine.name],
        )
+        return path

    def get(self, _service: str, _name: str) -> bytes:
        raise NotImplementedError()