secrets modules: pass secrets as bytes
This commit is contained in:
parent
0dbfe52d62
commit
961eb26335
@ -74,7 +74,7 @@ def generate_secrets(machine: Machine) -> None:
|
|||||||
msg = f"did not generate a file for '{secret}' when running the following command:\n"
|
msg = f"did not generate a file for '{secret}' when running the following command:\n"
|
||||||
msg += machine.secrets_data[service]["generator"]
|
msg += machine.secrets_data[service]["generator"]
|
||||||
raise ClanError(msg)
|
raise ClanError(msg)
|
||||||
secret_store.set(service, secret, secret_file.read_text())
|
secret_store.set(service, secret, secret_file.read_bytes())
|
||||||
# store facts
|
# store facts
|
||||||
for name, fact_path in machine.secrets_data[service]["facts"].items():
|
for name, fact_path in machine.secrets_data[service]["facts"].items():
|
||||||
fact_file = facts_dir / name
|
fact_file = facts_dir / name
|
||||||
|
@ -10,13 +10,13 @@ class SecretStore:
|
|||||||
def __init__(self, machine: Machine) -> None:
|
def __init__(self, machine: Machine) -> None:
|
||||||
self.machine = machine
|
self.machine = machine
|
||||||
|
|
||||||
def set(self, service: str, name: str, value: str) -> None:
|
def set(self, service: str, name: str, value: bytes) -> None:
|
||||||
subprocess.run(
|
subprocess.run(
|
||||||
nix_shell(
|
nix_shell(
|
||||||
["nixpkgs#pass"],
|
["nixpkgs#pass"],
|
||||||
["pass", "insert", "-m", f"machines/{self.machine.name}/{name}"],
|
["pass", "insert", "-m", f"machines/{self.machine.name}/{name}"],
|
||||||
),
|
),
|
||||||
input=value.encode("utf-8"),
|
input=value,
|
||||||
check=True,
|
check=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -28,11 +28,11 @@ class SecretStore:
|
|||||||
)
|
)
|
||||||
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
|
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
|
||||||
|
|
||||||
def set(self, _service: str, name: str, value: str) -> None:
|
def set(self, _service: str, name: str, value: bytes) -> None:
|
||||||
encrypt_secret(
|
encrypt_secret(
|
||||||
self.machine.flake_dir,
|
self.machine.flake_dir,
|
||||||
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
|
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
|
||||||
value,
|
value.decode(),
|
||||||
add_machines=[self.machine.name],
|
add_machines=[self.machine.name],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user