difftreelog
refactor consistent module naming
in: trunk
4 files changed
README.adocdiffbeforeafterboth--- a/README.adoc
+++ b/README.adoc
@@ -60,8 +60,8 @@
# treat the contents of this file as implementation detail
data = import ./fleet.nix;
- # globalModules section of fleet config declares modules, which are used for all configured nixos hosts.
- globalModules = [
+ # nixosModules section of fleet config declares modules, which are used for all configured nixos hosts.
+ nixosModules = [
lanzaboote.nixosModules.lanzaboote
({
config,
@@ -81,7 +81,7 @@
# Is I.e wiring up the mesh VPN, or deploying kubernetes, or other things.
#
# Modules use the same semantics as standard nixos module system, they are just configuring all the hosts at once.
- modules = [
+ fleetModules = [
./wireguard
# Multi-instancible modules example
(import ./kubernetes {hosts = ["a" "b"];})
@@ -93,7 +93,7 @@
# Every host has some system, for which the system configuration needs to be built
system = "x86_64-linux";
# And nixos modules
- modules = [
+ nixosModules = [
./controlplane-1/hardware-configuration.nix
./controlplane-1/configuration.nix
# Configuration may also be specified inline, as in any nixos config.
lib/default.nixdiffbeforeafterboth--- a/lib/default.nix
+++ b/lib/default.nix
@@ -8,8 +8,8 @@
nixpkgs,
overlays ? [],
hosts,
- modules,
- globalModules ? [],
+ fleetModules,
+ nixosModules ? [],
extraFleetLib ? {},
}: let
hostNames = nixpkgs.lib.attrNames hosts;
@@ -25,10 +25,10 @@
++ [
data
({...}: {
- inherit globalModules hosts overlays;
+ inherit nixosModules hosts overlays;
})
]
- ++ modules;
+ ++ fleetModules;
specialArgs = {
inherit nixpkgs fleetLib;
};
modules/fleet/meta.nixdiffbeforeafterboth--- a/modules/fleet/meta.nix
+++ b/modules/fleet/meta.nix
@@ -12,12 +12,12 @@
hostName = hostConfig.config._module.args.name;
in {
options = {
- modules = mkOption {
+ nixosModules = mkOption {
type = listOf (mkOptionType {
name = "submodule";
inherit (submodule {}) check;
merge = lib.options.mergeOneOption;
- description = "Nixos modules";
+ description = "Nixos module";
});
description = "List of nixos modules";
default = [];
@@ -42,13 +42,14 @@
};
config = {
nixosSystem = hostConfig.config.nixpkgs.lib.nixosSystem {
- inherit (hostConfig.config) system modules;
+ inherit (hostConfig.config) system;
+ modules = hostConfig.config.nixosModules;
specialArgs = {
inherit fleetLib;
fleet = hostsToAttrs (host: config.hosts.${host}.nixosSystem.config);
};
};
- modules = [
+ nixosModules = [
({...}: {
networking.hostName = mkFleetGeneratorDefault hostName;
})
@@ -68,7 +69,7 @@
default = {};
description = "Configurations of individual hosts";
};
- globalModules = mkOption {
+ nixosModules = mkOption {
type = listOf (mkOptionType {
name = "submodule";
inherit (submodule {}) check;
@@ -85,14 +86,14 @@
};
config = {
hosts = hostsToAttrs (host: {
- modules =
- config.globalModules
+ nixosModules =
+ config.nixosModules
++ [
({...}: {
nixpkgs.overlays = config.overlays;
})
];
});
- globalModules = import ../../nixos/modules/module-list.nix;
+ nixosModules = import ../../nixos/modules/module-list.nix;
};
}
modules/fleet/secrets.nixdiffbeforeafterboth1{2 lib,3 fleetLib,4 config,5 ...6}:7with lib;8with fleetLib; let9 sharedSecret = with types; ({config, ...}: {10 options = {11 managed = mkOption {12 type = bool;13 description = ''14 Is this secret managed by configuration (I.e will work with reencrypt/etc), or it is configured by user15 '';16 };1718 expectedOwners = mkOption {19 type = nullOr (listOf str);20 description = ''21 List of hosts to encrypt secret for. null if managed by user (= via owners field from fleet.nix)2223 Secrets would be decrypted and stored to /run/secrets/$\{name} on owners24 '';25 default = null;26 };27 # TODO: Aren't those options may be just desugared to data/expectedData?28 regenerateOnOwnerAdded = mkOption {29 type = bool;30 description = ''31 Is this secret owner-dependent, and needs to be regenerated on ownership set change, or it may be just reencrypted.3233 You want to have this option set to true, when this secret contains some reference to its owners, i.e x509 SANs.34 '';35 };36 regenerateOnOwnerRemoved = mkOption {37 default = config.regenerateOnOwnerAdded;38 type = bool;39 description = ''40 Should this secret be removed on owner removal, or it may be just reencrypted4142 Most probably its value should be equal to regenerateOnOwnerAdded, override only if you know what are you doing.43 Contrary to regenerateOnOwnerAdded, you may want to set this option to false, when host permissions are revoked44 in some other way than by this secret ownership, I.e by firewall/etc.45 '';46 };47 generator = mkOption {48 type = nullOr unspecified;49 description = "Derivation to evaluate for secret generation";50 default = null;51 };52 createdAt = mkOption {53 type = nullOr str;54 description = "When this secret was (re)generated";55 default = null;56 };57 expiresAt = mkOption {58 type = nullOr str;59 description = "On which date this secret will expire, someone should regenerate this secret before it expires.";60 default = null;61 };6263 owners = mkOption {64 type = listOf str;65 description = ''66 For which owners this secret is currently encrypted,67 if not matches expectedOwners - then this secret is considered outdated, and68 should be regenerated/reencrypted.6970 Imported from fleet.nix71 '';72 default = [];73 };74 # TODO: Make secret generator generate arbitrary number of secret/public parts?75 # Make it generate a folder, where all files except suffixed by .enc are public, and the rest are secret?76 # How should modules refer to those files then?77 public = mkOption {78 type = nullOr str;79 description = "Secret public data. Imported from fleet.nix";80 default = null;81 };82 secret = mkOption {83 type = nullOr str;84 description = "Encrypted secret data. Imported from fleet.nix";85 default = null;86 internal = true;87 };88 };89 });90 hostSecret = with types; {91 options = {92 createdAt = mkOption {93 type = nullOr str;94 default = null;95 };96 expiresAt = mkOption {97 type = nullOr str;98 default = null;99 };100 public = mkOption {101 type = nullOr str;102 description = "Secret public data. Imported from fleet.nix";103 default = null;104 };105 secret = mkOption {106 type = nullOr str;107 description = "Encrypted secret data. Imported from fleet.nix";108 default = null;109 internal = true;110 };111 };112 };113in {114 options = with types; {115 sharedSecrets = mkOption {116 type = attrsOf (submodule sharedSecret);117 default = {};118 description = "Shared secrets";119 };120 hostSecrets = mkOption {121 type = attrsOf (attrsOf (submodule hostSecret));122 default = {};123 description = "Host secrets. Imported from fleet.nix";124 internal = true;125 };126 };127 config = {128 assertions =129 mapAttrsToList130 (name: secret: {131 assertion = secret.expectedOwners == null || builtins.sort (a: b: a < b) secret.owners == builtins.sort (a: b: a < b) secret.expectedOwners;132 message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSONsecret.expectedOwners}, but it is encrypted for ${builtins.toJSONsecret.owners}. Run fleet secrets regenerate to fix";133 })134 config.sharedSecrets;135 hosts = hostsToAttrs (host: {136 modules = let137 cleanupSecret = secretName: v: {138 inherit (v) public secret;139 shared = true;140 };141 in [142 {143 secrets =144 (145 mapAttrs cleanupSecret146 (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)147 )148 // (mapAttrs cleanupSecret (config.hostSecrets.${host} or {}));149 }150 ];151 });152 # TODO: Should this attribute be moved to `nixpkgs.overlays`?153 overlays = [154 (final: prev: let155 lib = final.lib;156 inherit (lib) strings concatMap;157 inherit (strings) escapeShellArgs;158 in {159 mkEncryptSecret = {160 rage ? prev.rage,161 recipients,162 }:163 prev.writeShellScript "encryptor" ''164 #!/bin/sh165 exec ${rage}/bin/rage ${escapeShellArgs(concatMap(r["-r"r])recipients)} -e "$@"166 '';167 # TODO: Move to fleet168 # TODO: Merge both generators to one with consistent options syntax?169 # Impure generator is built on local machine, then built closure is copied to remote machine,170 # and then it is ran in inpure context, so that this generator may access HSMs and other things.171 mkImpureSecretGenerator = {172 script,173 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD174 # (Some secrets-encryption-in-git/managed PKI solution is expected)175 impureOn ? null,176 }:177 (prev.writeShellScript "impureGenerator.sh" ''178 #!/bin/sh179 set -eu180181 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?182 tmp=mktemp-d183 cd $tmp184 # cd /var/empty185186 created_at=date-u"%Y-%m-%dT%H:%M:%S.%NZ"187188 ${script}189190 if ! test -d $out; then191 echo "impure generator script did not produce expected \$out output"192 exit 1193 fi194195 echo -n $created_at > $out/created_at196 echo -n SUCCESS > $out/marker197 '')198 .overrideAttrs (old: {199 passthru = {200 inherit impureOn;201 generatorKind = "impure";202 };203 });204 # Pure generators are disabled for now205 mkSecretGenerator = {script}: final.mkImpureSecretGenerator {inherit script;};206207 # TODO: Implement consistent naming208 # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...209 # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.210 # mkSecretGenerator = {script}:211 # (prev.writeShellScript "generator.sh" ''212 # #!/bin/sh213 # set -eu214 # # TODO: make nix daemon build secret, not just the script.215 # cd /var/empty216 #217 # created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")218 #219 # ${script}220 # if ! test -d $out; then221 # echo "impure generator script did not produce expected \$out output"222 # exit 1223 # fi224 #225 # echo -n $created_at > $out/created_at226 # echo -n SUCCESS > $out/marker227 # '')228 # .overrideAttrs (old: {229 # passthru = {230 # generatorKind = "pure";231 # };232 # # TODO: make nix daemon build secret, not just the script.233 # # __impure = true;234 # });235 })236 ];237 };238}