import os
import subprocess
from pathlib import Path
from clan_cli.machines.machines import Machine
from clan_cli.nix import nix_shell
from . import SecretStoreBase
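class SecretStore(SecretStoreBase):
    """Secret backend that keeps a machine's secrets in a local ``pass`` store.

    Entries live at ``machines/<machine>/<name>`` inside the password store
    (``$PASSWORD_STORE_DIR``, else ``~/.password-store``). Every ``pass`` and
    ``git`` call is wrapped in ``nix_shell`` so the tools need not be installed
    on the host. The store itself is never copied into the clan repository.
    """

    def __init__(self, machine: Machine) -> None:
        self.machine = machine

    @staticmethod
    def _password_store_dir() -> Path:
        """Root of the ``pass`` store: ``$PASSWORD_STORE_DIR`` or ``~/.password-store``."""
        store = os.environ.get("PASSWORD_STORE_DIR")
        if store is not None:
            return Path(store)
        # Path.home() honours $HOME like the previous f-string did, but does not
        # raise KeyError when HOME is unset (e.g. minimal CI/systemd environments).
        return Path.home() / ".password-store"

    def _entry(self, name: str) -> str:
        """``pass`` entry path for *name*. The service is deliberately not part of it."""
        return f"machines/{self.machine.name}/{name}"

    @staticmethod
    def _write_private(path: Path, data: bytes) -> None:
        """Write *data* to *path* as an owner-only (0600) file.

        ``Path.write_bytes`` would create the file with the process umask
        (typically 0644), briefly exposing plaintext secrets to other local
        users; ``fchmod`` also tightens a pre-existing file.
        """
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            os.fchmod(fd, 0o600)
            f.write(data)

    def set(
        self, service: str, name: str, value: bytes, groups: list[str]
    ) -> Path | None:
        """Store *value* under ``machines/<machine>/<name>`` with ``pass insert -m``.

        ``service`` and ``groups`` are accepted for interface compatibility only;
        they do not influence the entry path, so two services that share a
        secret name overwrite each other. The value is passed on stdin, never
        on the command line, so it is not visible in the process list.

        Returns ``None``: the files are managed outside the git repo, so there
        is no in-repo path to hand back.
        Raises ``subprocess.CalledProcessError`` when ``pass`` fails.
        """
        subprocess.run(
            nix_shell(["nixpkgs#pass"], ["pass", "insert", "-m", self._entry(name)]),
            input=value,
            check=True,
        )
        return None  # we manage the files outside of the git repo

    def get(self, service: str, name: str) -> bytes:
        """Return the decrypted secret exactly as ``pass show`` prints it.

        Raises ``subprocess.CalledProcessError`` if the entry is missing or
        cannot be decrypted.
        """
        return subprocess.run(
            nix_shell(["nixpkgs#pass"], ["pass", "show", self._entry(name)]),
            check=True,
            stdout=subprocess.PIPE,
        ).stdout

    def exists(self, service: str, name: str) -> bool:
        """True if the encrypted ``.gpg`` file for the entry exists (no decryption)."""
        return (self._password_store_dir() / f"{self._entry(name)}.gpg").exists()

    @staticmethod
    def _last_commit(store: Path, path: str) -> bytes:
        """Hash of the newest commit touching *path* in the store's git repo.

        ``check`` is intentionally not set: a store that is not a git repo
        yields an empty hash, which ``update_check`` treats as "needs upload"
        instead of aborting the whole deployment.
        """
        return subprocess.run(
            nix_shell(
                ["nixpkgs#git"],
                ["git", "-C", str(store), "log", "-1", "--format=%H", path],
            ),
            stdout=subprocess.PIPE,
        ).stdout.strip()

    def generate_hash(self) -> bytes:
        """Fingerprint of this machine's secrets derived from git history only.

        Combines the last commit touching ``machines/<machine>`` with the last
        commit of every symlink below that directory (why symlinks get their
        own entry is not stated here; the behaviour is kept as-is). Entries are
        sorted so the result does not depend on directory walk order. No
        secret is decrypted to compute this.
        """
        store = self._password_store_dir()
        machine_dir = f"machines/{self.machine.name}"
        hashes = [self._last_commit(store, machine_dir)]
        hashes.extend(
            self._last_commit(store, str(entry))
            for entry in store.glob(f"{machine_dir}/**/*")
            if entry.is_symlink()
        )
        # we sort the hashes to make sure that the order is always the same
        hashes.sort()
        return b"\n".join(hashes)

    # FIXME: add this when we switch to python3.12
    # @override
    def update_check(self) -> bool:
        """Return True if the target already holds secrets matching the local store.

        Reads back the ``.pass_info`` fingerprint that ``upload`` places next
        to the secrets on the target and compares it with ``generate_hash()``.
        A missing or empty remote file (``check=False`` on the ``cat``) counts
        as out of date, so the caller re-uploads. Equal fingerprints only show
        the git history matches; they say nothing about the integrity of the
        secret files actually on the target.
        """
        local_hash = self.generate_hash()
        remote_hash = self.machine.target_host.run(
            # TODO get the path to the secrets from the machine
            ["cat", f"{self.machine.secrets_upload_directory}/.pass_info"],
            check=False,
            stdout=subprocess.PIPE,
        ).stdout.strip()

        if not remote_hash:
            print("remote hash is empty")
            return False

        return local_hash.decode() == remote_hash

    def upload(self, output_dir: Path) -> None:
        """Decrypt every secret declared in the machine's facts into *output_dir*.

        Each file is created owner-only (0600) so plaintext is not readable by
        other local users while it waits to be shipped. Finishes by writing the
        ``.pass_info`` fingerprint that ``update_check`` reads back.

        Secret names come from the machine's facts data (operator-controlled
        config, presumably); a name that would resolve outside *output_dir*
        is rejected rather than written.
        Raises ``ValueError`` for such a name and ``CalledProcessError`` if a
        secret cannot be decrypted.
        """
        out_root = output_dir.resolve()
        for service, facts in self.machine.facts_data.items():
            for secret in facts["secret"]:
                if isinstance(secret, dict):
                    secret_name = secret["name"]
                else:
                    # TODO: drop old format soon
                    secret_name = secret
                target = output_dir / secret_name
                if not target.resolve().is_relative_to(out_root):
                    raise ValueError(
                        f"secret name {secret_name!r} escapes {output_dir}"
                    )
                self._write_private(target, self.get(service, secret_name))
        self._write_private(output_dir / ".pass_info", self.generate_hash())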