clan-cli secrets: deploy -> upload
This commit is contained in:
parent
55fc055549
commit
c5786614bf
|
@ -68,9 +68,9 @@
|
|||
};
|
||||
}));
|
||||
};
|
||||
config.system.build.generateDeploySecrets = pkgs.writeScript "generate_deploy_secrets" ''
|
||||
${config.system.build.generateSecrets}
|
||||
${config.system.build.deploySecrets}
|
||||
config.system.build.generateUploadSecrets = pkgs.writeScript "generate_upload_secrets" ''
|
||||
${config.system.clan.generateSecrets}
|
||||
${config.system.clan.uploadSecrets}
|
||||
'';
|
||||
imports = [
|
||||
./sops.nix
|
||||
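Review bot: The `generate_upload_secrets` body is just the two store paths on consecutive lines, with no interpreter line and no `set -e`, so if `generateSecrets` fails the upload step still runs and the wrapper exits with the upload's status instead of the generator's. I'd start the body with `#!/bin/sh` and `set -eu` before the two calls. Note also that `uploadSecrets` is invoked here with no argument, while the Python side of this commit runs the same script as `[script, "root@<machine>"]`; if the password-store implementation reads `$1` as the target, this wrapper presumably cannot drive it — worth confirming which caller the wrapper is for.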
|
|
|
@ -7,7 +7,7 @@ in
|
|||
type = lib.types.path;
|
||||
default = "/etc/secrets";
|
||||
description = ''
|
||||
The directory where the password store is deployed to.
|
||||
The directory where the password store is uploaded to.
|
||||
'';
|
||||
};
|
||||
config = lib.mkIf (config.clanCore.secretStore == "password-store") {
|
||||
|
@ -45,7 +45,7 @@ in
|
|||
fi)
|
||||
'') "" config.clanCore.secrets}
|
||||
'';
|
||||
system.clan.deploySecrets = pkgs.writeScript "deploy-secrets" ''
|
||||
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
|
||||
#!/bin/sh
|
||||
set -efu
|
||||
set -x # remove for prod
|
||||
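Review bot: `set -x # remove for prod` survives the rename on the script that now pushes secret material to the host; shell tracing prints every expanded command line to stderr, and the Python caller in this commit does not capture stderr for this step, so those expansions land in the operator's terminal and in any deployment log. I'd drop the line now rather than keep the reminder, or gate it on an explicit opt-in: `[ -n "''${CLAN_DEBUG:-}" ] && set -x`. The script body continues past the end of the hunk, so I cannot see whether secret values are passed as command arguments (which tracing would echo) or over stdin.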
|
|
|
@ -64,8 +64,8 @@ in
|
|||
fi)
|
||||
'') "" config.clanCore.secrets}
|
||||
'';
|
||||
system.clan.deploySecrets = pkgs.writeScript "deploy-secrets" ''
|
||||
echo deployment is not needed for sops secret store, since the secrets are part of the flake
|
||||
system.clan.uploadSecrets = pkgs.writeScript "upload-secrets" ''
|
||||
echo upload is not needed for sops secret store, since the secrets are part of the flake
|
||||
'';
|
||||
sops.secrets = builtins.mapAttrs
|
||||
(name: _: {
|
||||
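Review bot: The sops `upload-secrets` body begins directly with `echo …`, with no interpreter line, whereas the password-store version in this commit starts with `#!/bin/sh`. upload.py executes the built store path as `subprocess.run([script, "root@…"])`, and Python's exec does not fall back to `/bin/sh` for a file without a shebang, so this branch would fail with an `Exec format error` before printing its message — assuming the path is invoked that way and not through a shell. I'd add `#!/bin/sh` as the first line of the body.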
|
|
|
@ -4,7 +4,7 @@ import os
|
|||
import subprocess
|
||||
|
||||
from ..ssh import Host, HostGroup, HostKeyCheck
|
||||
from ..secrets.deploy import deploy_secrets
|
||||
from ..secrets.upload import upload_secrets
|
||||
from ..secrets.generate import generate_secrets
|
||||
|
||||
|
||||
|
@ -35,7 +35,7 @@ def deploy_nixos(hosts: HostGroup) -> None:
|
|||
ssh_arg += " -i " + h.key if h.key else ""
|
||||
|
||||
generate_secrets(h.host)
|
||||
deploy_secrets(h.host)
|
||||
upload_secrets(h.host)
|
||||
|
||||
flake_attr = h.meta.get("flake_attr", "")
|
||||
if flake_attr:
|
||||
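Review bot: `upload_secrets(h.host)` receives only the host name, so the secrets upload runs with whatever ssh defaults the built script uses, while `deploy_nixos` assembles `ssh_arg` with the per-host identity (`-i h.key`) a few lines above and imports `HostKeyCheck` for the rebuild path; the upload step ignores both, and upload.py in this commit hard-codes `root@{machine}`. For the step that ships secrets, the ssh identity and host-key policy should match the rest of the deploy — pass the assembled options through, e.g. `upload_secrets(h.host, ssh_args=ssh_arg)`, once upload.py accepts them. `deploy_nixos` starts and ends outside the hunk, so I cannot see how `h.key` and `HostKeyCheck` are applied to the rebuild command itself.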
|
|
|
@ -1,13 +1,13 @@
|
|||
# !/usr/bin/env python3
|
||||
import argparse
|
||||
|
||||
from .deploy import register_deploy_parser
|
||||
from .generate import register_generate_parser
|
||||
from .groups import register_groups_parser
|
||||
from .import_sops import register_import_sops_parser
|
||||
from .key import register_key_parser
|
||||
from .machines import register_machines_parser
|
||||
from .secrets import register_secrets_parser
|
||||
from .upload import register_upload_parser
|
||||
from .users import register_users_parser
|
||||
|
||||
|
||||
|
@ -37,8 +37,8 @@ def register_parser(parser: argparse.ArgumentParser) -> None:
|
|||
)
|
||||
register_generate_parser(parser_generate)
|
||||
|
||||
parser_deploy = subparser.add_parser("deploy", help="deploy secrets for machines")
|
||||
register_deploy_parser(parser_deploy)
|
||||
parser_upload = subparser.add_parser("upload", help="upload secrets for machines")
|
||||
register_upload_parser(parser_upload)
|
||||
|
||||
parser_key = subparser.add_parser("key", help="create and show age keys")
|
||||
register_key_parser(parser_key)
|
||||
|
|
|
@ -1,51 +0,0 @@
|
|||
import argparse
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
from clan_cli.errors import ClanError
|
||||
|
||||
from ..nix import nix_build_machine
|
||||
|
||||
|
||||
def deploy_secrets(machine: str) -> None:
|
||||
proc = subprocess.run(
|
||||
nix_build_machine(
|
||||
machine=machine,
|
||||
attr=[
|
||||
"config",
|
||||
"system",
|
||||
"clan",
|
||||
"deploySecrets",
|
||||
],
|
||||
),
|
||||
capture_output=True,
|
||||
text=True,
|
||||
)
|
||||
if proc.returncode != 0:
|
||||
print(proc.stderr, file=sys.stderr)
|
||||
raise ClanError(f"failed to deploy secrets:\n{proc.stderr}")
|
||||
|
||||
secret_deploy_script = proc.stdout.strip()
|
||||
secret_deploy = subprocess.run(
|
||||
[
|
||||
secret_deploy_script,
|
||||
f"root@{machine}",
|
||||
],
|
||||
)
|
||||
|
||||
if secret_deploy.returncode != 0:
|
||||
raise ClanError("failed to deploy secrets")
|
||||
else:
|
||||
print("successfully deployed secrets")
|
||||
|
||||
|
||||
def deploy_command(args: argparse.Namespace) -> None:
|
||||
deploy_secrets(args.machine)
|
||||
|
||||
|
||||
def register_deploy_parser(parser: argparse.ArgumentParser) -> None:
|
||||
parser.add_argument(
|
||||
"machine",
|
||||
help="The machine to deploy secrets to",
|
||||
)
|
||||
parser.set_defaults(func=deploy_command)
|
51
pkgs/clan-cli/clan_cli/secrets/upload.py
Normal file
51
pkgs/clan-cli/clan_cli/secrets/upload.py
Normal file
|
@ -0,0 +1,51 @@
|
|||
import argparse
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
from clan_cli.errors import ClanError
|
||||
|
||||
from ..nix import nix_build_machine
|
||||
|
||||
|
||||
def upload_secrets(machine: str) -> None:
|
||||
proc = subprocess.run(
|
||||
nix_build_machine(
|
||||
machine=machine,
|
||||
attr=[
|
||||
"config",
|
||||
"system",
|
||||
"clan",
|
||||
"uploadSecrets",
|
||||
],
|
||||
),
|
||||
capture_output=True,
|
||||
text=True,
|
||||
)
|
||||
if proc.returncode != 0:
|
||||
print(proc.stderr, file=sys.stderr)
|
||||
raise ClanError(f"failed to upload secrets:\n{proc.stderr}")
|
||||
|
||||
secret_upload_script = proc.stdout.strip()
|
||||
secret_upload = subprocess.run(
|
||||
[
|
||||
secret_upload_script,
|
||||
f"root@{machine}",
|
||||
],
|
||||
)
|
||||
|
||||
if secret_upload.returncode != 0:
|
||||
raise ClanError("failed to upload secrets")
|
||||
else:
|
||||
print("successfully uploaded secrets")
|
||||
|
||||
|
||||
def upload_command(args: argparse.Namespace) -> None:
|
||||
upload_secrets(args.machine)
|
||||
|
||||
|
||||
def register_upload_parser(parser: argparse.ArgumentParser) -> None:
|
||||
parser.add_argument(
|
||||
"machine",
|
||||
help="The machine to upload secrets to",
|
||||
)
|
||||
parser.set_defaults(func=upload_command)
|
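Review bot: The first failure branch in `upload_secrets` reports `failed to upload secrets` when at that point only the `nix build` of `uploadSecrets` has run, and it prints `proc.stderr` and then embeds the same text in the `ClanError`, so a build failure is shown twice under a misleading label. I'd drop the `print` and raise `ClanError(f"failed to build upload-secrets script for {machine}:\n{proc.stderr}")`, and guard the empty case before executing it — `if not secret_upload_script: raise ClanError(f"no upload script built for {machine}")` — since an empty stdout currently surfaces as `FileNotFoundError` from `subprocess.run`. The target is hard-coded as `f"root@{machine}"`, so the machine name doubles as flake attribute and ssh hostname and there is no way to supply an ssh key or host-key policy here; a module docstring stating that contract would help until it is parameterised.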