clan/clan-core
12
4
Fork 19
Code Issues 108 Pull Requests 3 Actions Packages Projects 1 Releases Wiki Activity

vars: fix using vars module with multiple machines #1891

Merged
kenji merged 1 commits from kenji/clan-core:fix-vars-multiple-machines into main 2024-08-17 14:00:57 +00:00
Conversation 0 Commits 1 Files Changed 1 +8 -1
kenji commented 2024-08-14 21:15:16 +00:00
Owner
Copy Link

This filters the secrets to only include the secrets managed under per-machine and shared,
otherwise new deployments will fail, when using the vars module for multiple machines:

[vyr] /nix/store/[…]sops-install-secrets: failed to decrypt '/nix/store/[…]/sops/vars/per-machine/draper/garage/admin_token/secret': Error getting data key: 0 successful groups required, got 0

This doesn't fix all the edge cases with this approach.
We get a similar error if we deploy shared vars that are not
encrypted for our machine key. This needs to be addressed when
implementing the shared vars functionality.

Fixes #1892

This filters the secrets to only include the secrets managed under `per-machine` and `shared`, otherwise new deployments will fail, when using the vars module for multiple machines: ``` [vyr] /nix/store/[…]sops-install-secrets: failed to decrypt '/nix/store/[…]/sops/vars/per-machine/draper/garage/admin_token/secret': Error getting data key: 0 successful groups required, got 0 ``` This doesn't fix all the edge cases with this approach. We get a similar error if we deploy shared vars that are not encrypted for our machine key. This needs to be addressed when implementing the shared vars functionality. Fixes #1892
kenji added the
needs-review
 label 2024-08-14 21:15:16 +00:00
DavHau was assigned by kenji 2024-08-14 21:15:16 +00:00
kenji added 1 commit 2024-08-14 21:15:16 +00:00
vars: fix using vars module with multiple machines
All checks were successful
buildbot/nix-build .#checks.x86_64-linux.package-clan-cli Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-inventory-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-moonlight-sunshine-accept Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-pending-reviews Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-tea-create-pr Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-webview-ui Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-yagna Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zerotier-members Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-merge-after-ci Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zt-tcp-relay Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-zerotierone Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-inventory-schema-pretty Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.nixos-flash-installer Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.renderClanOptions Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.mumble Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.postgresql Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-deploy-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-module-docs Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-function-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.secrets Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.template-minimal Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.package-module-schema Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.test-backups Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.zt-tcp-relay Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.treefmt Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.syncthing Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.wayland-proxy-virtwl Build done.
Details
buildbot/nix-build .#checks.x86_64-linux.test-installation Build done.
Details
buildbot/nix-eval Build done.
Details
a6d797cdc6 
This filters the secrets to only include the secrets managed under `per-machine` and `shared`,
otherwise new deployments will fail, when using the vars module for multiple machines:

```
[vyr] /nix/store/[…]sops-install-secrets: failed to decrypt '/nix/store/[…]/sops/vars/per-machine/draper/garage/admin_token/secret': Error getting data key: 0 successful groups required, got 0
```

This doesn't fix all the edge cases with this approach.
We get a similar error if we deploy shared vars that are not
encrypted for our machine key. This needs to be addressed when
implementing the shared vars functionality.
kenji requested review from DavHau 2024-08-14 21:15:21 +00:00
kenji reviewed 2024-08-14 21:17:45 +00:00
nixosModules/clanCore/vars/secret/sops/default.nix
@ -17,0 +18,4 @@
vars:
builtins.elem vars.machine [
config.clan.core.machineName
"shared"
kenji commented 2024-08-14 21:17:45 +00:00
Author
Owner
Copy Link

Not sure, if this is correct.
Are the shared variables also encrypted under shared/machine?
Should I remove this for now?

Not sure, if this is correct. Are the shared variables also encrypted under `shared/machine`? Should I remove this for now?
kenji merged commit d0d95d0189 into main 2024-08-17 14:00:57 +00:00
kenji deleted branch fix-vars-multiple-machines 2024-08-17 14:00:57 +00:00
DavHau removed the
needs-review
 label 2024-08-21 12:30:25 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
DavHau
Labels
Clear labels   
backups

   
blog

   
bootstrapping

Issues regarding bootstrapping, or onboarding

  
bug

Something is not working.

  
changes-requested

Please fix this.

  
cli

   
documentation

   
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
facts

Issues regarding facts and secrets setting and generation

  
help wanted

Need some help

  
invalid

Something is wrong

  
Inventory

Inventory

  
low_prio

   
manager

   
modules

   
needs-review

This PR needs to be reviewed. Use the request-changes label to request changes

  
networking

   
packaging

   
question

More information is needed

  
secrets

   
template

Issues regarding templates.

  
test

Issues regarding testing

  
tooling

Issues regarding internal devtools

  
user-testing

Issues that cristallised after hands on user testing.

  
vm

Issues regarding virtual machines.

  
wontfix

This won't be fixed

No Label
backups
blog
bootstrapping
bug
changes-requested
cli
documentation
duplicate
enhancement
facts
help wanted
invalid
Inventory
low_prio
manager
modules
needs-review
networking
packaging
question
secrets
template
test
tooling
user-testing
vm
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
DavHau
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: clan/clan-core#1891
No description provided.
Delete Branch "kenji/clan-core:fix-vars-multiple-machines"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?