From 815527ec2b2f4298957170a56d3e2d533f915cba Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 5 Feb 2024 10:02:39 +0100
Subject: [PATCH] clan-cli secrets: commit facts/secrets after generating them

---
 pkgs/clan-cli/clan_cli/secrets/generate.py | 19 ++++++++++++++++++-
 .../secrets/modules/password_store.py | 7 ++++---
 .../clan-cli/clan_cli/secrets/modules/sops.py | 8 ++++++--
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/secrets/generate.py b/pkgs/clan-cli/clan_cli/secrets/generate.py
index e90ac1d8..633ff264 100644
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
@@ -9,6 +9,7 @@ from tempfile import TemporaryDirectory
 from clan_cli.cmd import run
 
 from ..errors import ClanError
+from ..git import commit_files
 from ..machines.machines import Machine
 from ..nix import nix_shell
 from .check import check_secrets
@@ -26,6 +27,10 @@ def generate_secrets(machine: Machine) -> None:
 # check if all secrets exist and generate them if at least one is missing
 needs_regeneration = not check_secrets(machine)
 if needs_regeneration:
+if not isinstance(machine.flake, Path):
+msg = f"flake is not a Path: {machine.flake}"
+msg += "fact/secret generation is only supported for local flakes"
+
 env = os.environ.copy()
 facts_dir = tmpdir / "facts"
 facts_dir.mkdir(parents=True)
@@ -58,6 +63,7 @@ def generate_secrets(machine: Machine) -> None:
 cmd,
 env=env,
 )
+files_to_commit = []
 # store secrets
 for secret in machine.secrets_data[service]["secrets"]:
 secret_file = secrets_dir / secret
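Review bot: The `isinstance(machine.flake, Path)` guard added at the top of the `if needs_regeneration:` branch builds `msg` but never raises it, so a non-Path flake is not rejected and execution falls through to `env = os.environ.copy()` and, later, to `fact_path = machine.flake / fact_path` in the last hunk of this file with whatever `machine.flake` actually is. Add `raise ClanError(msg)` directly after the second `msg +=` line. The two fragments are also joined with no separator; write the first as `msg = f"flake is not a Path: {machine.flake}\n"` so the message reads as two sentences. generate_secrets starts and ends outside this hunk.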
@@ -65,7 +71,12 @@ def generate_secrets(machine: Machine) -> None:
 msg = f"did not generate a file for '{secret}' when running the following command:\n"
 msg += machine.secrets_data[service]["generator"]
 raise ClanError(msg)
-secret_store.set(service, secret, secret_file.read_bytes())
+secret_path = secret_store.set(
+service, secret, secret_file.read_bytes()
+)
+if secret_path:
+files_to_commit.append(secret_path)
+
 # store facts
 for name, fact_path in machine.secrets_data[service]["facts"].items():
 fact_file = facts_dir / name
@@ -76,6 +87,12 @@ def generate_secrets(machine: Machine) -> None:
 fact_path = machine.flake / fact_path
 fact_path.parent.mkdir(parents=True, exist_ok=True)
 shutil.copyfile(fact_file, fact_path)
+files_to_commit.append(fact_path)
+commit_files(
+files_to_commit,
+machine.flake_dir,
+f"Update facts/secrets for service {service} in machine {machine.name}",
+)
 
 print("successfully generated secrets")
 
diff --git a/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py b/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
index 15592e89..20d4abcd 100644
--- a/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/password_store.py
@@ -10,7 +10,7 @@ class SecretStore:
 def __init__(self, machine: Machine) -> None:
 self.machine = machine
 
-def set(self, service: str, name: str, value: bytes) -> None:
+def set(self, _service: str, name: str, value: bytes) -> Path | None:
 subprocess.run(
 nix_shell(
 ["nixpkgs#pass"],
@@ -19,8 +19,9 @@ class SecretStore:
 input=value,
 check=True,
 )
+return None # we manage the files outside of the git repo
 
-def get(self, service: str, name: str) -> bytes:
+def get(self, _service: str, name: str) -> bytes:
 return subprocess.run(
 nix_shell(
 ["nixpkgs#pass"],
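Review bot: `commit_files(files_to_commit, machine.flake_dir, ...)` after the facts loop is called even when nothing was collected: the password-store backend's `set` returns `None` (see its hunk below) and a service may declare no facts, so such a service triggers a commit attempt with an empty file list. Unless `commit_files` is known to tolerate an empty list (its body is not visible here), guard the call with `if files_to_commit:`. The per-service placement also means one commit per service rather than one for the machine, which is worth stating in a comment above the call, e.g. `# one commit per service so a later generator failure keeps earlier results committed`, if that is the intent. generate_secrets starts outside this hunk.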
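Review bot: The new `Path | None` return contract of `set` is relied on by generate.py (`if secret_path: files_to_commit.append(secret_path)`) but is documented only by the trailing comment on `return None`; add a docstring such as `"""Store the secret; return the file to commit, or None when the backend keeps it outside the repository."""` here and on the sops backend's `set` in the last file of this patch. The hunk also does not show whether this module imports `Path`; if it does not, the annotation raises NameError at import time (and `Path | None` needs Python 3.10+ or `from __future__ import annotations`), so confirm the import exists in both password_store.py and sops.py.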
@@ -30,7 +31,7 @@ class SecretStore:
 stdout=subprocess.PIPE,
 ).stdout
 
-def exists(self, service: str, name: str) -> bool:
+def exists(self, _service: str, name: str) -> bool:
 password_store = os.environ.get(
 "PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
 )
diff --git a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
index 6c434e32..cb5ccda4 100644
--- a/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/modules/sops.py
@@ -28,13 +28,17 @@ class SecretStore:
 )
 add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
 
-def set(self, _service: str, name: str, value: bytes) -> None:
+def set(self, _service: str, name: str, value: bytes) -> Path | None:
+path = (
+sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}"
+)
 encrypt_secret(
 self.machine.flake_dir,
-sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
+path,
 value.decode(),
 add_machines=[self.machine.name],
 )
+return path
 
 def get(self, _service: str, _name: str) -> bytes:
 raise NotImplementedError()