


lib/default.nix (6.1 KiB)
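# Shared functions for fleet configuration, available as `fleet` module argument
{lib}: let
  inherit (lib.trivial) isFunction;
  inherit (lib.options) mkOption mergeOneOption;
  inherit (lib.modules) mkOverride;
  inherit (lib.types) listOf submodule attrsOf mkOptionType;
  inherit (lib.strings) escapeShellArg optionalString hasPrefix removePrefix;
in rec {
  types = {
    /**
      Option type for a nixpkgs overlay. The check only verifies that the
      value is a function; exactly one definition is allowed (`mergeOneOption`).
    */
    overlay = mkOptionType {
      name = "nixpkgs-overlay";
      description = "nixpkgs overlay";
      check = isFunction;
      merge = mergeOneOption;
    };
    listOfOverlay = listOf types.overlay;

    /** Attribute set of hosts, every host being an instance of `module`. */
    mkHostsType = module: attrsOf (submodule module);
    /** A single data submodule built from `module`. */
    mkDataType = module: submodule module;
  };

  options = {
    /** `mkOption` whose type is `types.mkHostsType module`. */
    mkHostsOption = module:
      mkOption {
        type = types.mkHostsType module;
      };
    /** `mkOption` whose type is `types.mkDataType module`. */
    mkDataOption = module:
      mkOption {
        type = types.mkDataType module;
      };
  };

  # Top-level aliases so callers can write `fleet.mkHostsOption` directly.
  # `mkDataOption` is exported alongside `mkHostsOption` for consistency.
  inherit (options) mkHostsOption mkDataOption;

  modules = {
    /**
      Priority for values where fleet knows better than the nixpkgs default:
      999 wins over `mkDefault` (1000) but still yields to a plain assignment.
    */
    mkFleetDefault = mkOverride 999;
    /**
      Priority for generated values: 1001 loses to `mkDefault` (1000), which
      some generators use, but wins over `mkOptionDefault` (1500) set by nixpkgs.
    */
    mkFleetGeneratorDefault = mkOverride 1001;
  };

  inherit (modules) mkFleetDefault mkFleetGeneratorDefault;

  secrets = {
    /**
      Generate a random secret password, 32 ascii characters by default.

      Options:
        size: generated password length in ascii characters (bytes).

      Note: the character set includes special characters ($ , ! + * : ~),
      which might not be accepted in some contexts. This wrapper only accepts
      `size`; a `noSymbols` switch is not implemented here, and passing any
      other attribute is an evaluation error.

      Output:
        Resulting secret has only one part: secret, which contains the
        encrypted password.
    */
    mkPassword = {size ? 32}: {
      # `coreutils` is accepted but not referenced by the script below; kept so
      # callers that pass it keep working.
      coreutils,
      mkSecretGenerator,
    }:
      mkSecretGenerator {
        # `gh` is assumed to be on PATH in the generator environment — TODO confirm
        script = ''
          mkdir $out
          gh generate password -o $out/secret --size ${toString size}
        '';
      };

    /**
      Generate a random ed25519 keypair.

      Options:
        noEmbedPublic: By default, the secret key also embeds the public key
                       ("extended" format, 64 bytes). When noEmbedPublic is
                       enabled, only the private scalar is included.
        encoding: Encoding of public and secret parts, can be "raw" (default),
                  "base64" or "hex".

      Output:
        Resulting secret has two parts: public and secret, where the secret
        part is encrypted.

      This secret format is used by e.g. Garage S3 server.
    */
    mkEd25519 = {
      noEmbedPublic ? false,
      encoding ? null,
    }: {mkSecretGenerator}:
      mkSecretGenerator {
        # Flags are only emitted when set; `encoding` is shell-quoted so an
        # unexpected value cannot be split into extra arguments.
        script = ''
          mkdir $out
          gh generate ed25519 -p $out/public -s $out/secret \
            ${optionalString noEmbedPublic "--no-embed-public"} \
            ${optionalString (encoding != null) "--encoding=${escapeShellArg encoding}"}
        '';
      };

    /**
      Generate a random x25519 keypair.

      Options:
        encoding: Encoding of public and secret parts, can be "raw" (default),
                  "base64" or "hex".

      Output:
        Resulting secret has two parts: public and secret, where the secret
        part is encrypted.

      This secret format is used by e.g. Wireguard VPN for peers (base64-encoded).
    */
    mkX25519 = {encoding ? null}: {mkSecretGenerator}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate x25519 -p $out/public -s $out/secret \
            ${optionalString (encoding != null) "--encoding=${escapeShellArg encoding}"}
        '';
      };

    /**
      Generate a random RSA keypair.

      Options:
        size: RSA key size in bits, 4096 by default.

      Output:
        Resulting secret has two parts: public and secret, where the secret
        part is encrypted. Both parts are PEM encoded.
    */
    mkRsa = {size ? 4096}: {
      openssl,
      mkSecretGenerator,
    }:
      mkSecretGenerator {
        # The unencrypted private key exists as a file in the working directory
        # until `gh private` has encrypted it, so it is removed explicitly
        # afterwards; this still assumes the generator runs in a scratch
        # directory — TODO confirm mkSecretGenerator guarantees that.
        script = ''
          mkdir $out

          ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
          ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key

          gh private -o $out/secret < rsa_private.key
          gh public -o $out/public < rsa_public.key

          rm -f rsa_private.key
        '';
      };

    /**
      Generate a random byte sequence.

      Options:
        count: number of generated bytes, 32 by default.
        encoding: how the generated bytes should be encoded, "raw" (default),
                  "hex" or "base64". When omitted no `--encoding` flag is
                  passed, like the other generators in this file.
        noNuls: prevent output byte sequence from containing internal \0,
                useful for some C applications that can't handle their strings
                properly.

      Output:
        Resulting secret has only one part: secret, which contains the
        encrypted bytes.

      Might be used for e.g. Wireguard VPN PSK keys (base64-encoded).
    */
    mkBytes = {
      count ? 32,
      # Previously a required argument; optional now so `mkBytes {}` works.
      encoding ? null,
      noNuls ? false,
    }: {mkSecretGenerator}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate bytes --count=${toString count} -o $out/secret \
            ${optionalString (encoding != null) "--encoding=${escapeShellArg encoding}"} \
            ${optionalString noNuls "--no-nuls"}
        '';
      };
    /**
      Shorthand for `mkBytes` with "hex" encoding.
    */
    mkHexBytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "hex";
      };
    /**
      Shorthand for `mkBytes` with "base64" encoding.
    */
    mkBase64Bytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "base64";
      };

    # Wireguard
    # mkWireguard = {}: mkX25519 {encoding = "base64";};
    # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
  };

  inherit (secrets) mkPassword mkEd25519 mkX25519 mkRsa mkBytes mkHexBytes mkBase64Bytes;

  strings = let
    # Markers expected in front of a plaintext public part. Both variants are
    # stripped the same way here; the "-NL" marker presumably denotes a value
    # that carries a trailing newline — TODO confirm against the producer.
    plaintextPrefix = "<PLAINTEXT>";
    plaintextNewlinePrefix = "<PLAINTEXT-NL>";
  in {
    /**
      Decode a public secret part into a string by stripping its plaintext
      marker. Throws for any value that does not start with one of the markers
      (in particular for encrypted parts, which cannot be read from Nix).
    */
    decodeRawSecret = raw:
      if hasPrefix plaintextPrefix raw
      then removePrefix plaintextPrefix raw
      else if hasPrefix plaintextNewlinePrefix raw
      then removePrefix plaintextNewlinePrefix raw
      else throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";
  };

  inherit (strings) decodeRawSecret;
}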