

fix pass v2 coherency check

nuzqzxok Yaroslav Bolyukin 2025-11-03 parent: #75ab1d0
in: trunk

2 files changed

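--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,297 +1,300 @@
 # Shared functions for fleet configuration, available as `fleet` module argument
 { lib }:
 let
   inherit (lib.trivial) isFunction functionArgs;
   inherit (lib.options) mkOption mergeOneOption;
   inherit (lib.modules) mkOverride;
   inherit (lib.types)
     listOf
     submodule
     attrsOf
     mkOptionType
     ;
   inherit (lib.strings) optionalString hasPrefix removePrefix;
 in
 rec {
   types = {
     overlay = mkOptionType {
       name = "nixpkgs-overlay";
       description = "nixpkgs overlay";
-      check = isFunction;
+      check = {
+        __functor = _self: isFunction;
+        isV2MergeCoherent = true;
+      };
       merge = mergeOneOption;
     };
     listOfOverlay = listOf types.overlay;
 
     mkHostsType = module: attrsOf (submodule module);
     mkDataType = module: submodule module;
   };
 
   options = {
     mkHostsOption =
       module:
       mkOption {
         type = types.mkHostsType module;
       };
     mkDataOption =
       module:
       mkOption {
         type = types.mkDataType module;
       };
   };
 
   inherit (options) mkHostsOption;
 
   modules = {
     /**
       Use in places, where fleet might know better than nixpkgs defaults to
     */
     mkFleetDefault = mkOverride 999;
     /**
       Some generators use mkDefault, but optionDefault is set by nixpkgs.
     */
     mkFleetGeneratorDefault = mkOverride 1001;
   };
 
   inherit (modules) mkFleetDefault mkFleetGeneratorDefault;
 
   secrets =
     let
       describedGenerator =
         generator: {parts ? {}}:
         {parts = {};}
         // {
           __functionArgs = functionArgs generator;
           __functor = _: generator;
         };
     in
     {
       inherit describedGenerator;
 
       /**
         Generate a random secret password, 32 ascii characters by default
 
         Options:
           size: generated password length in ascii characters (bytes).
           noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might
                      not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].
 
         Output:
           Resulting secret has only part: secret, which contains encrypted password.
       */
       mkPassword =
         {
           size ? 32,
         }:
         describedGenerator
           (
             {
               coreutils,
               mkSecretGenerator,
             }:
             mkSecretGenerator {
               script = ''
                 mkdir $out
                 gh generate password -o $out/secret --size ${toString size}
               '';
             }
           )
           {
             parts.secret.encrypted = true;
           };
 
       /**
         Generate a random ed25519 keypair
 
         Options:
           noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)
                          When noEmbedPublis is enabled - only the private scalar is included.
           encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
         Output:
           Resulting secret has two parts: public and secret, where the secret part is encrypted.
 
         This secret format is used by e.g Garage S3 server
       */
       mkEd25519 =
         {
           noEmbedPublic ? false,
           encoding ? null,
         }:
         describedGenerator
           (
             { mkSecretGenerator }:
             mkSecretGenerator {
               script = ''
                 mkdir $out
                 gh generate ed25519 -p $out/public -s $out/secret \
                   ${optionalString noEmbedPublic "--no-embed-public"} \
                   ${optionalString (encoding != null) "--encoding=${encoding}"}
               '';
             }
           )
           {
             parts.secret.encrypted = true;
             parts.public.encrypted = false;
           };
 
       /**
         Generate a random x25519 keypair
 
         Options:
           encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".
 
         Output:
           Resulting secret has two parts: public and secret, where the secret part is encrypted.
 
         This secret format is used by e.g Wireguard VPN for peers (base64-encoded)
       */
       mkX25519 =
         {
           encoding ? null,
         }:
         describedGenerator
           (
             { mkSecretGenerator }:
             mkSecretGenerator {
               script = ''
                 mkdir $out
                 gh generate x25519 -p $out/public -s $out/secret \
                   ${optionalString (encoding != null) "--encoding=${encoding}"}
               '';
             }
           )
           {
             parts.secret.encrypted = true;
             parts.public.encrypted = false;
           };
 
       /**
         Generate a random RSA keypair
 
         Options:
           size: RSA key size, 4096 by default
 
         Output:
           Resulting secret has two parts: public and secret, where the secret part is encrypted.
           Both parts are PEM encoded.
       */
       mkRsa =
         {
           size ? 4096,
         }:
         describedGenerator
           (
             {
               openssl,
               mkSecretGenerator,
             }:
             mkSecretGenerator {
               script = ''
                 mkdir $out
 
                 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
                 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key
 
                 cat rsa_private.key | gh private -o $out/secret
                 cat rsa_public.key | gh public -o $out/public
               '';
             }
           )
           {
             parts.secret.encrypted = true;
             parts.public.encrypted = false;
           };
 
       /**
         Generate a random byte sequence
 
         Options:
           size: generated password length in bytes, 32 by default.
           encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"
           noNuls: prevent output byte sequence from containing internal \0, useful for some C applications
                   that can't handle their strings properly.
 
         Output:
           Resulting secret has only part: secret, which contains encrypted bytes.
 
         Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)
       */
       mkBytes =
         {
           count ? 32,
           encoding,
           noNuls ? false,
         }:
         describedGenerator
           (
             { mkSecretGenerator }:
             mkSecretGenerator {
               script = ''
                 mkdir $out
                 gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
                   ${optionalString noNuls "--no-nuls"}
               '';
             }
           )
           {
             parts.secret.encrypted = true;
           };
       /**
         Shorthand for `mkBytes`, which defaults to "hex" encoding
       */
       mkHexBytes =
         {
           count ? 32,
         }:
         mkBytes {
           inherit count;
           encoding = "hex";
         };
       /**
         Shorthand for `mkBytes`, which defaults to "base64" encoding
       */
       mkBase64Bytes =
         {
           count ? 32,
         }:
         mkBytes {
           inherit count;
           encoding = "base64";
         };
 
       # Wireguard
       # mkWireguard = {}: mkX25519 {encoding = "base64";};
       # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
     };
 
   inherit (secrets)
     mkPassword
     mkEd25519
     mkX25519
     mkRsa
     mkBytes
     mkHexBytes
     mkBase64Bytes
     ;
 
   strings =
     let
       plaintextPrefix = "<PLAINTEXT>";
       plaintextNewlinePrefix = "<PLAINTEXT-NL>";
     in
     {
       /**
         Decode public secret part into string
       */
       decodeRawSecret =
         raw:
         if hasPrefix plaintextPrefix raw then
           removePrefix plaintextPrefix raw
         else if hasPrefix plaintextNewlinePrefix raw then
           removePrefix plaintextNewlinePrefix raw
         else
           throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";
     };
 
   inherit (strings) decodeRawSecret;
 }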
modified modules/secrets-data.nix
--- a/modules/secrets-data.nix
+++ b/modules/secrets-data.nix
@@ -115,8 +115,7 @@
   };
 in
 {
-  options.data = mkDataOption (
-    { config, ... }:
+  options.data = mkDataOption ({ config, ... }:
     {
       options = {
         managerKeys = mkOption {
@@ -143,8 +142,7 @@
           toHostSecret = _: secret: (removeAttrs secret [ "owners" ]) // { shared = true; };
         in
         genAttrs hostsWithSharedSecrets (host: mapAttrs toHostSecret (secretsHavingHost host));
-    }
-  );
+    });
   config = {
     assertions =
       (mapAttrsToList (name: secret: {