1# Shared functions for fleet configuration, available as `fleet` module argument2{ lib }:3let4 inherit (lib.trivial) isFunction functionArgs;5 inherit (lib.options) mkOption mergeOneOption;6 inherit (lib.modules) mkOverride;7 inherit (lib.types)8 listOf9 submodule10 attrsOf11 mkOptionType12 ;13 inherit (lib.strings) optionalString hasPrefix removePrefix;14in15rec {16 types = {17 overlay = mkOptionType {18 name = "nixpkgs-overlay";19 description = "nixpkgs overlay";20 check = {21 __functor = _self: isFunction;22 isV2MergeCoherent = true;23 };24 merge = mergeOneOption;25 };26 listOfOverlay = listOf types.overlay;2728 mkHostsType = module: attrsOf (submodule module);29 mkDataType = module: submodule module;30 };3132 options = {33 mkHostsOption =34 module:35 mkOption {36 type = types.mkHostsType module;37 };38 mkDataOption =39 module:40 mkOption {41 type = types.mkDataType module;42 };43 };4445 inherit (options) mkHostsOption;4647 modules = {48 /**49 Use in places, where fleet might know better than nixpkgs defaults to50 */51 mkFleetDefault = mkOverride 999;52 /**53 Some generators use mkDefault, but optionDefault is set by nixpkgs.54 */55 mkFleetGeneratorDefault = mkOverride 1001;56 };5758 inherit (modules) mkFleetDefault mkFleetGeneratorDefault;5960 secrets =61 let62 describedGenerator =63 generator: {parts ? {}}:64 {parts = {};}65 // {66 __functionArgs = functionArgs generator;67 __functor = _: generator;68 };69 in70 {71 inherit describedGenerator;7273 /**74 Generate a random secret password, 32 ascii characters by default7576 Options:77 size: generated password length in ascii characters (bytes).78 noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might79 not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].8081 Output:82 Resulting secret has only part: secret, which contains encrypted password.83 */84 mkPassword =85 {86 size ? 32,87 }:88 describedGenerator89 (90 {91 coreutils,92 mkSecretGenerator,93 }:94 mkSecretGenerator {95 script = ''96 mkdir $out97 gh generate password -o $out/secret --size ${toStringsize}98 '';99 }100 )101 {102 parts.secret.encrypted = true;103 };104105 /**106 Generate a random ed25519 keypair107108 Options:109 noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)110 When noEmbedPublis is enabled - only the private scalar is included.111 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".112113 Output:114 Resulting secret has two parts: public and secret, where the secret part is encrypted.115116 This secret format is used by e.g Garage S3 server117 */118 mkEd25519 =119 {120 noEmbedPublic ? false,121 encoding ? null,122 }:123 describedGenerator124 (125 { mkSecretGenerator }:126 mkSecretGenerator {127 script = ''128 mkdir $out129 gh generate ed25519 -p $out/public -s $out/secret \130 ${optionalStringnoEmbedPublic"--no-embed-public"} \131 ${optionalString(encoding!=null)"--encoding=${encoding}"}132 '';133 }134 )135 {136 parts.secret.encrypted = true;137 parts.public.encrypted = false;138 };139140 /**141 Generate a random x25519 keypair142143 Options:144 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".145146 Output:147 Resulting secret has two parts: public and secret, where the secret part is encrypted.148149 This secret format is used by e.g Wireguard VPN for peers (base64-encoded)150 */151 mkX25519 =152 {153 encoding ? null,154 }:155 describedGenerator156 (157 { mkSecretGenerator }:158 mkSecretGenerator {159 script = ''160 mkdir $out161 gh generate x25519 -p $out/public -s $out/secret \162 ${optionalString(encoding!=null)"--encoding=${encoding}"}163 '';164 }165 )166 {167 parts.secret.encrypted = true;168 parts.public.encrypted = false;169 };170171 /**172 Generate a random RSA keypair173174 Options:175 size: RSA key size, 4096 by default176177 Output:178 Resulting secret has two parts: public and secret, where the secret part is encrypted.179 Both parts are PEM encoded.180 */181 mkRsa =182 {183 size ? 4096,184 }:185 describedGenerator186 (187 {188 openssl,189 mkSecretGenerator,190 }:191 mkSecretGenerator {192 script = ''193 mkdir $out194195 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toStringsize}196 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key197198 cat rsa_private.key | gh private -o $out/secret199 cat rsa_public.key | gh public -o $out/public200 '';201 }202 )203 {204 parts.secret.encrypted = true;205 parts.public.encrypted = false;206 };207208 /**209 Generate a random byte sequence210211 Options:212 size: generated password length in bytes, 32 by default.213 encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"214 noNuls: prevent output byte sequence from containing internal \0, useful for some C applications215 that can't handle their strings properly.216217 Output:218 Resulting secret has only part: secret, which contains encrypted bytes.219220 Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)221 */222 mkBytes =223 {224 count ? 32,225 encoding,226 noNuls ? false,227 }:228 describedGenerator229 (230 { mkSecretGenerator }:231 mkSecretGenerator {232 script = ''233 mkdir $out234 gh generate bytes --count=${toStringcount} --encoding=${encoding} -o $out/secret \235 ${optionalStringnoNuls"--no-nuls"}236 '';237 }238 )239 {240 parts.secret.encrypted = true;241 };242 /**243 Shorthand for `mkBytes`, which defaults to "hex" encoding244 */245 mkHexBytes =246 {247 count ? 32,248 }:249 mkBytes {250 inherit count;251 encoding = "hex";252 };253 /**254 Shorthand for `mkBytes`, which defaults to "base64" encoding255 */256 mkBase64Bytes =257 {258 count ? 32,259 }:260 mkBytes {261 inherit count;262 encoding = "base64";263 };264265 # Wireguard266 # mkWireguard = {}: mkX25519 {encoding = "base64";};267 # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};268 };269270 inherit (secrets)271 mkPassword272 mkEd25519273 mkX25519274 mkRsa275 mkBytes276 mkHexBytes277 mkBase64Bytes278 ;279280 strings =281 let282 plaintextPrefix = "<PLAINTEXT>";283 plaintextNewlinePrefix = "<PLAINTEXT-NL>";284 in285 {286 /**287 Decode public secret part into string288 */289 decodeRawSecret =290 raw:291 if hasPrefix plaintextPrefix raw then292 removePrefix plaintextPrefix raw293 else if hasPrefix plaintextNewlinePrefix raw then294 removePrefix plaintextNewlinePrefix raw295 else296 throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";297 };298299 inherit (strings) decodeRawSecret;300}difftreelog
source
lib/default.nix7.9 KiBsourcehistory