Merge pull request 'clan-cli: add autocommits for facts/secrets' (#809) from lassulus-autocommits into main

This commit is contained in:
clan-bot 2024-02-05 09:08:29 +00:00
commit bfd525b042
4 changed files with 69 additions and 29 deletions


@ -7,29 +7,49 @@ from clan_cli.nix import nix_shell
from .cmd import Log, run
# generic vcs agnostic commit function
def commit_file(
file_path: Path,
repo_dir: Path,
commit_message: str | None = None,
) -> None:
"""Commit a file to a git repository.
:param file_path: The path to the file to commit.
:param repo_dir: The path to the git repository.
:param commit_message: The commit message.
:raises ClanError: If the file is not in the git repository.
"""
commit_files([file_path], repo_dir, commit_message)
# generic vcs agnostic commit function
def commit_files(
file_paths: list[Path],
repo_dir: Path,
commit_message: str | None = None,
) -> None:
# check that the file is in the git repository and exists
if not Path(file_path).resolve().is_relative_to(repo_dir.resolve()):
raise ClanError(f"File {file_path} is not in the git repository {repo_dir}")
if not file_path.exists():
raise ClanError(f"File {file_path} does not exist")
for file_path in file_paths:
if not Path(file_path).resolve().is_relative_to(repo_dir.resolve()):
raise ClanError(f"File {file_path} is not in the git repository {repo_dir}")
if not file_path.exists():
raise ClanError(f"File {file_path} does not exist")
# generate commit message if not provided
if commit_message is None:
# ensure that mentioned file path is relative to repo
commit_message = f"Add {file_path.relative_to(repo_dir)}"
commit_message = ""
for file_path in file_paths:
# ensure that mentioned file path is relative to repo
commit_message += f"Add {file_path.relative_to(repo_dir)}"
# check if the repo is a git repo and commit
if (repo_dir / ".git").exists():
_commit_file_to_git(repo_dir, file_path, commit_message)
_commit_file_to_git(repo_dir, file_paths, commit_message)
else:
return
def _commit_file_to_git(repo_dir: Path, file_path: Path, commit_message: str) -> None:
def _commit_file_to_git(
repo_dir: Path, file_paths: list[Path], commit_message: str
) -> None:
"""Commit a file to a git repository.
:param repo_dir: The path to the git repository.
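Review bot: The generated commit message in `commit_files` is built by the `commit_message += f"Add {file_path.relative_to(repo_dir)}"` loop with no separator between entries, so two files produce `Add aAdd b`, and an empty `file_paths` produces `-m ""`, which git rejects. Replace the loop with `commit_message = "\n".join(f"Add {p.relative_to(repo_dir)}" for p in file_paths)` and add `if not file_paths: return` at the top of the function, because with no path arguments the later `git diff --cached` and `git commit` would act on whatever else happens to be staged rather than on nothing. The reuse of `file_path` as the loop variable in three consecutive loops also leaves the final `run(... error_msg=f"Failed to commit {file_paths} ...")` in the last hunk printing the whole list where the old message named one file; a `", ".join(map(str, file_paths))` reads better. Since the paths are already confined to the repo the risk is low, but the `git add`/`diff`/`commit` calls in the following hunks pass them positionally and would cost nothing to harden with a `--` separator, e.g. `["git", "-C", str(repo_dir), "add", "--", str(file_path)]`.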
@ -37,18 +57,20 @@ def _commit_file_to_git(repo_dir: Path, file_path: Path, commit_message: str) ->
:param commit_message: The commit message.
:raises ClanError: If the file is not in the git repository.
"""
cmd = nix_shell(
["nixpkgs#git"],
["git", "-C", str(repo_dir), "add", str(file_path)],
)
# add the file to the git index
for file_path in file_paths:
cmd = nix_shell(
["nixpkgs#git"],
["git", "-C", str(repo_dir), "add", str(file_path)],
)
# add the file to the git index
run(cmd, log=Log.BOTH, error_msg=f"Failed to add {file_path} file to git index")
run(cmd, log=Log.BOTH, error_msg=f"Failed to add {file_path} file to git index")
# check if there is a diff
cmd = nix_shell(
["nixpkgs#git"],
["git", "-C", str(repo_dir), "diff", "--cached", "--exit-code", str(file_path)],
["git", "-C", str(repo_dir), "diff", "--cached", "--exit-code"]
+ [str(file_path) for file_path in file_paths],
)
result = run(cmd, check=False, cwd=repo_dir)
# if there is no diff, return
@ -65,8 +87,8 @@ def _commit_file_to_git(repo_dir: Path, file_path: Path, commit_message: str) ->
"commit",
"-m",
commit_message,
str(file_path.relative_to(repo_dir)),
],
]
+ [str(file_path) for file_path in file_paths],
)
run(cmd, error_msg=f"Failed to commit {file_path} to git repository {repo_dir}")
run(cmd, error_msg=f"Failed to commit {file_paths} to git repository {repo_dir}")


@ -9,6 +9,7 @@ from tempfile import TemporaryDirectory
from clan_cli.cmd import run
from ..errors import ClanError
from ..git import commit_files
from ..machines.machines import Machine
from ..nix import nix_shell
from .check import check_secrets
@ -22,14 +23,14 @@ def generate_secrets(machine: Machine) -> None:
with TemporaryDirectory() as d:
for service in machine.secrets_data:
print(service)
tmpdir = Path(d) / service
# check if all secrets exist and generate them if at least one is missing
needs_regeneration = not check_secrets(machine)
for fact in machine.secrets_data[service]["facts"].values():
if not (machine.flake / fact).exists():
print(f"fact {fact} is missing")
if needs_regeneration:
if not isinstance(machine.flake, Path):
msg = f"flake is not a Path: {machine.flake}"
msg += "fact/secret generation is only supported for local flakes"
env = os.environ.copy()
facts_dir = tmpdir / "facts"
facts_dir.mkdir(parents=True)
@ -62,6 +63,7 @@ def generate_secrets(machine: Machine) -> None:
cmd,
env=env,
)
files_to_commit = []
# store secrets
for secret in machine.secrets_data[service]["secrets"]:
secret_file = secrets_dir / secret
@ -69,7 +71,12 @@ def generate_secrets(machine: Machine) -> None:
msg = f"did not generate a file for '{secret}' when running the following command:\n"
msg += machine.secrets_data[service]["generator"]
raise ClanError(msg)
secret_store.set(service, secret, secret_file.read_bytes())
secret_path = secret_store.set(
service, secret, secret_file.read_bytes()
)
if secret_path:
files_to_commit.append(secret_path)
# store facts
for name, fact_path in machine.secrets_data[service]["facts"].items():
fact_file = facts_dir / name
@ -80,6 +87,12 @@ def generate_secrets(machine: Machine) -> None:
fact_path = machine.flake / fact_path
fact_path.parent.mkdir(parents=True, exist_ok=True)
shutil.copyfile(fact_file, fact_path)
files_to_commit.append(fact_path)
commit_files(
files_to_commit,
machine.flake_dir,
f"Update facts/secrets for service {service} in machine {machine.name}",
)
print("successfully generated secrets")
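Review bot: The containment check that rejects files outside the repository lives in `commit_files`, but it runs only after `shutil.copyfile(fact_file, fact_path)` two lines above has already written the file, so a fact path from `machine.secrets_data` that resolves outside the flake (one containing `..`, for instance) is written to disk first and rejected with ClanError afterwards. If that data is not fully trusted, validate it right after `fact_path = machine.flake / fact_path` and before the `parent.mkdir`, e.g. `if not fact_path.resolve().is_relative_to(machine.flake.resolve()): raise ClanError(f"fact {name} resolves outside the flake")`. `files_to_commit` can also be empty when the secret store returns None (the password-store backend in this PR) and a service declares no facts; guard the call with `if files_to_commit:` so `commit_files` is not invoked with no paths, where its `git diff --cached`/`git commit` would operate on the whole index. The copy uses `machine.flake` while the commit uses `machine.flake_dir`; presumably both name the same directory, but since `commit_files` checks containment against the latter this is worth confirming. The enclosing `generate_secrets` begins before this hunk.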


@ -10,7 +10,7 @@ class SecretStore:
def __init__(self, machine: Machine) -> None:
self.machine = machine
def set(self, service: str, name: str, value: bytes) -> None:
def set(self, _service: str, name: str, value: bytes) -> Path | None:
subprocess.run(
nix_shell(
["nixpkgs#pass"],
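Review bot: `set` now returns `Path | None` as part of a contract shared with the sops backend, but the meaning of `None` is recorded only in the inline comment `# we manage the files outside of the git repo` further down, and callers in generate.py decide what to commit based on it. Give the method a docstring stating the contract, e.g. `"""Store *value* under *name* in the password store. Returns the repo-relative path the caller should commit, or None when the backend keeps the secret outside the flake repository, as pass does."""`. The `_service` rename documents that the argument is unused, so a one-line note that secrets are keyed by `name` alone in this backend would also help a reader of the protocol.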
@ -19,8 +19,9 @@ class SecretStore:
input=value,
check=True,
)
return None # we manage the files outside of the git repo
def get(self, service: str, name: str) -> bytes:
def get(self, _service: str, name: str) -> bytes:
return subprocess.run(
nix_shell(
["nixpkgs#pass"],
@ -30,7 +31,7 @@ class SecretStore:
stdout=subprocess.PIPE,
).stdout
def exists(self, service: str, name: str) -> bool:
def exists(self, _service: str, name: str) -> bool:
password_store = os.environ.get(
"PASSWORD_STORE_DIR", f"{os.environ['HOME']}/.password-store"
)


@ -28,13 +28,17 @@ class SecretStore:
)
add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
def set(self, _service: str, name: str, value: bytes) -> None:
def set(self, _service: str, name: str, value: bytes) -> Path | None:
path = (
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}"
)
encrypt_secret(
self.machine.flake_dir,
sops_secrets_folder(self.machine.flake_dir) / f"{self.machine.name}-{name}",
path,
value.decode(),
add_machines=[self.machine.name],
)
return path
def get(self, _service: str, _name: str) -> bytes:
raise NotImplementedError()
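Review bot: Returning `path` from `set` means the caller will `git add` and commit whatever `encrypt_secret` leaves at `sops_secrets_folder(...) / f"{self.machine.name}-{name}"`, so the safety of the autocommit rests on that location holding only ciphertext and key metadata; the body of `encrypt_secret` is not visible here, and a docstring should make that assumption explicit, e.g. `"""Encrypt *value* for this machine with sops and return the path written, which the caller commits; the location must only ever contain encrypted data."""`. The path is also derived from `name` without validation, so a name containing a path separator would land outside the secrets folder and be refused later by `commit_files` only after it has been written; the folder layout pre-dates this PR, but the commit step makes a check before `encrypt_secret` worthwhile. `value.decode()` on the context line will raise UnicodeDecodeError for non-UTF-8 secret material, which is pre-existing but now surfaces before the return.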