vars: implement sops.defaultGroups

2024-07-11 18:39:00 +07:00 · 2024-07-11 18:39:00 +07:00 · 9988fb744c
commit 9988fb744c
parent 7055b352d4
6 changed files with 50 additions and 57 deletions
--- a/nixosModules/clanCore/default.nix
+++ b/nixosModules/clanCore/default.nix
@ -2,8 +2,10 @@
  imports = [
    ./backups.nix
    ./facts
-    ./manual.nix
    ./imports.nix
+    ./inventory/interface.nix
+    ./manual.nix
+    ./meta/interface.nix
    ./metadata.nix
    ./networking.nix
    ./nix-settings.nix
@ -11,12 +13,10 @@
    ./outputs.nix
    ./packages.nix
    ./schema.nix
+    ./sops.nix
+    ./vars
    ./vm.nix
    ./wayland-proxy-virtwl.nix
    ./zerotier
-    # Inventory
-    ./inventory/interface.nix
-    ./meta/interface.nix
-    ./vars
  ];
 }
--- a/nixosModules/clanCore/facts/secret/sops.nix
+++ b/nixosModules/clanCore/facts/secret/sops.nix
@ -33,15 +33,6 @@ let
  secrets = filterDir containsMachineOrGroups secretsDir;
 in
 {
-  options = {
-    clan.core.sops.defaultGroups = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      example = [ "admins" ];
-      description = "The default groups to for encryption use when no groups are specified.";
-    };
-  };
-
  config = lib.mkIf (config.clan.core.facts.secretStore == "sops") {
    # Before we generate a secret we cannot know the path yet, so we need to set it to an empty string
    clan.core.facts.secretPathFunction =
--- a/nixosModules/clanCore/outputs.nix
+++ b/nixosModules/clanCore/outputs.nix
@ -73,6 +73,7 @@
          services
          ;
      };
+      sops.defaultGroups = config.clan.core.sops.defaultGroups;
      inherit (config.clan.core.networking) targetHost buildHost;
      inherit (config.clan.deployment) requireExplicitUpdate;
    };
--- a/nixosModules/clanCore/sops.nix
+++ b/nixosModules/clanCore/sops.nix
@ -0,0 +1,11 @@
+{ lib, ... }:
+{
+  options = {
+    clan.core.sops.defaultGroups = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      example = [ "admins" ];
+      description = "The default groups to for encryption use when no groups are specified.";
+    };
+  };
+}
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@ -99,7 +99,7 @@ def execute_generator(
    # store secrets
    files = machine.vars_generators[generator_name]["files"]
    for file_name, file in files.items():
-        groups = file.get("groups", [])
+        groups = machine.deployment["sops"]["defaultGroups"]

        secret_file = generator_dir / file_name
        if not secret_file.is_file():
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@ -1,4 +1,5 @@
 import os
+from collections import defaultdict
 from pathlib import Path

 import pytest
@ -8,35 +9,28 @@ from helpers import cli
 from root import CLAN_CORE


+def def_value() -> defaultdict:
+    return defaultdict(def_value)
+
+
+# allows defining nested dictionary in a single line
+nested_dict = lambda: defaultdict(def_value)
+
+
@pytest.mark.impure
 def test_generate_public_var(
    monkeypatch: pytest.MonkeyPatch,
    temporary_home: Path,
    # age_keys: list["KeyPair"],
 ) -> None:
+    config = nested_dict()
+    my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
+    my_generator["files"]["my_secret"]["secret"] = False
+    my_generator["script"] = "echo hello > $out/my_secret"
    flake = generate_flake(
        temporary_home,
        flake_template=CLAN_CORE / "templates" / "minimal",
-        machine_configs=dict(
-            my_machine=dict(
-                clan=dict(
-                    core=dict(
-                        vars=dict(
-                            generators=dict(
-                                my_generator=dict(
-                                    files=dict(
-                                        my_secret=dict(
-                                            secret=False,
-                                        )
-                                    ),
-                                    script="echo hello > $out/my_secret",
-                                )
-                            )
-                        )
-                    )
-                )
-            )
-        ),
+        machine_configs=dict(my_machine=config),
    )
    monkeypatch.chdir(flake.path)
    cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
@ -48,34 +42,21 @@ def test_generate_public_var(


@pytest.mark.impure
-def test_generate_secret_var(
+def test_generate_secret_var_with_default_group(
    monkeypatch: pytest.MonkeyPatch,
    temporary_home: Path,
    sops_setup: SopsSetup,
 ) -> None:
+    user = os.environ.get("USER", "user")
+    config = nested_dict()
+    config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"]
+    my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
+    my_generator["files"]["my_secret"]["secret"] = True
+    my_generator["script"] = "echo hello > $out/my_secret"
    flake = generate_flake(
        temporary_home,
        flake_template=CLAN_CORE / "templates" / "minimal",
-        machine_configs=dict(
-            my_machine=dict(
-                clan=dict(
-                    core=dict(
-                        vars=dict(
-                            generators=dict(
-                                my_generator=dict(
-                                    files=dict(
-                                        my_secret=dict(
-                                            secret=True,
-                                        )
-                                    ),
-                                    script="echo hello > $out/my_secret",
-                                )
-                            )
-                        )
-                    )
-                )
-            )
-        ),
+        machine_configs=dict(my_machine=config),
    )
    monkeypatch.chdir(flake.path)
    cli.run(
@ -85,10 +66,11 @@ def test_generate_secret_var(
            "add",
            "--flake",
            str(flake.path),
-            os.environ.get("USER", "user"),
+            user,
            sops_setup.keys[0].pubkey,
        ]
    )
+    cli.run(["secrets", "groups", "add-user", "my_group", user])
    cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
    assert not (
        flake.path / "machines" / "my_machine" / "vars" / "my_generator" / "my_secret"
@ -96,3 +78,11 @@ def test_generate_secret_var(
    assert (
        flake.path / "sops" / "secrets" / "vars-my_machine-my_generator-my_secret"
    ).is_dir()
+    assert (
+        flake.path
+        / "sops"
+        / "secrets"
+        / "vars-my_machine-my_generator-my_secret"
+        / "groups"
+        / "my_group"
+    ).exists()