From 33f3601e24db383bf35e051cffbe8277913f99ad Mon Sep 17 00:00:00 2001 From: Yaroslav Bolyukin Date: Thu, 08 Jan 2026 14:28:35 +0000 Subject: [PATCH] fix: shared generator condition --- --- a/cmds/fleet/src/cmds/build_systems.rs +++ b/cmds/fleet/src/cmds/build_systems.rs @@ -114,7 +114,8 @@ set.spawn_local( (async move { - let built = match build_task(config.clone(), hostname.clone(), "toplevel-fleet").await + let built = match build_task(config.clone(), hostname.clone(), "toplevel-fleet") + .await { Ok(path) => path, Err(e) => { --- a/cmds/fleet/src/cmds/secrets/mod.rs +++ b/cmds/fleet/src/cmds/secrets/mod.rs @@ -632,23 +632,23 @@ let config = config.clone(); let data = config.shared_secret(&name).expect("exists"); /* - let definition = config.shared_secret_definition(&name)?; - let expectations = definition.expectations()?; - let owners = data - .owners() - .map(|o| { - if expectations.owners.contains(o) { - o.green().to_string() - } else { - o.red().to_string() - } - }) - .collect::>(); - table.push(SecretDisplay { - owners: owners.join(", "), - name, - }) -*/ + let definition = config.shared_secret_definition(&name)?; + let expectations = definition.expectations()?; + let owners = data + .owners() + .map(|o| { + if expectations.owners.contains(o) { + o.green().to_string() + } else { + o.red().to_string() + } + }) + .collect::>(); + table.push(SecretDisplay { + owners: owners.join(", "), + name, + }) + */ } // info!("loaded\n{}", Table::new(table).to_string()) } --- a/crates/fleet-base/src/fleetdata.rs +++ b/crates/fleet-base/src/fleetdata.rs @@ -153,7 +153,7 @@ #[serde(flatten)] pub secret: FleetSecretData, - #[serde(default, skip_serializing, alias="managed")] + #[serde(default, skip_serializing, alias = "managed")] pub _deprecated_managed: bool, } --- a/crates/nix-eval/src/util.rs +++ b/crates/nix-eval/src/util.rs 
@@ -1,15 +1,23 @@ use std::time::Instant; use anyhow::bail; +use serde::Deserialize; use tracing::{debug, warn}; use crate::{Value, nix_go_json}; +#[derive(Deserialize, Debug)] +struct Assertion { + assertion: bool, + message: String, +} + #[tracing::instrument(level = "info", skip(val))] pub async fn assert_warn(action: &str, val: &Value) -> anyhow::Result<()> { let before_errors = Instant::now(); let errors: Vec = nix_go_json!(val.errors); - debug!("errors evaluation took {:?}", before_errors.elapsed()); + // let assertions: Vec = nix_go_json!(val.assertions); + debug!("errors evaluation took {:?} {errors:?} ", before_errors.elapsed()); if !errors.is_empty() { bail!( "failed with error{}{}", --- a/crates/nixlike/Cargo.toml +++ b/crates/nixlike/Cargo.toml @@ -7,10 +7,10 @@ [dependencies] thiserror.workspace = true +itertools = "0.14.0" linked-hash-map = "0.5.6" peg = "0.8.5" ron = "0.11.0" serde = { version = "1.0.219", features = ["derive"] } serde-transcode = "1.1.1" serde_json = "1.0.140" -itertools = "0.14.0" --- a/lib/default.nix +++ b/lib/default.nix @@ -150,7 +150,10 @@ ); mkAskPass = - { prompt ? "Secret value", part ? "secret" }: + { + prompt ? "Secret value", + part ? "secret", + }: ( { kdePackages, --- a/lib/flakePart.nix +++ b/lib/flakePart.nix @@ -34,7 +34,7 @@ # to do that, evaluate all the modules with only needed option declared. bootstrapEval = lib.evalModules { class = "fleet"; - prefix = ["fleetConfiguration"]; + prefix = [ "fleetConfiguration" ]; modules = [ module { @@ -53,7 +53,7 @@ bootstrapNixpkgs = bootstrapEval.config.nixpkgs.buildUsing; normalEval = bootstrapNixpkgs.lib.evalModules { class = "fleet"; - prefix = ["fleetConfiguration"]; + prefix = [ "fleetConfiguration" ]; modules = (import ../modules/module-list.nix) ++ [ module ( --- a/modules/nixos.nix +++ b/modules/nixos.nix 
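Review bot: `struct Assertion` is added with `#[derive(Deserialize, Debug)]` but nothing in the hunk constructs or reads it, and the only reference to assertions is the commented-out `// let assertions: Vec = nix_go_json!(val.assertions);` line, so the new type will only produce a dead_code warning until assertion evaluation is actually wired into assert_warn. Either finish that path or drop the struct, the `use serde::Deserialize;` import and the commented line from this commit, whose subject (`fix: shared generator condition`) does not cover this work. Separately, the new debug message `"errors evaluation took {:?} {errors:?} "` carries a trailing space before the closing quote and mixes the timing text with the full error payload that `bail!` is about to report anyway; `debug!(?errors, "errors evaluation took {:?}", before_errors.elapsed());` keeps the payload as a structured field and the message clean. assert_warn's body continues past the end of the hunk.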
@@ -39,13 +39,23 @@ in config.nixpkgs.buildUsing.lib.evalModules { class = "nixos"; - prefix = ["fleetConfiguration" "hosts" hostArgs.config._module.args.name "nixos"]; + prefix = [ + "fleetConfiguration" + "hosts" + hostArgs.config._module.args.name + "nixos" + ]; modules = (import "${modulesPath}/module-list.nix") ++ [ (module // { key = "attr"; }) (config.nixos // { key = "attr"; }) ]; specialArgs = { - inherit fleetLib inputs self modulesPath; + inherit + fleetLib + inputs + self + modulesPath + ; }; }; }; 
@@ -54,32 +64,34 @@ }; }; config = { - nixos = let - inherit (hostArgs.config) system; - in { - _module.args = { - nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts; - hosts = config.hosts; - host = hostArgs.config; - fleetConfiguration = config; + nixos = + let + inherit (hostArgs.config) system; + in + { + _module.args = { + nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts; + hosts = config.hosts; + host = hostArgs.config; + fleetConfiguration = config; - inputs' = mapAttrs ( - inputName: input: - builtins.addErrorContext - "while retrieving system-dependent attributes for input ${escapeNixIdentifier inputName}" - ( - if input._type or null == "flake" then - _fleetFlakeRootConfig.perInput system input - else - "input is not a flake, perhaps flake = false was added to te input declaration?" - ) - ) inputs; - self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" ( - _fleetFlakeRootConfig.perInput system self - ); + inputs' = mapAttrs ( + inputName: input: + builtins.addErrorContext + "while retrieving system-dependent attributes for input ${escapeNixIdentifier inputName}" + ( + if input._type or null == "flake" then + _fleetFlakeRootConfig.perInput system input + else + "input is not a flake, perhaps flake = false was added to te input declaration?" + ) + ) inputs; + self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" ( + _fleetFlakeRootConfig.perInput system self + ); + }; + nixpkgs.hostPlatform = system; }; - nixpkgs.hostPlatform = system; - }; nixos_unchecked = hostArgs.config.nixos.extendModules { modules = [ { --- a/modules/nixos/secrets.nix +++ b/modules/nixos/secrets.nix @@ -77,7 +77,7 @@ }: let secretName = config._module.args.name; - literal = l: enum [l]; + literal = l: enum [ l ]; in { options = { 
@@ -109,17 +109,16 @@ config = { # C api is broken in regard to thunks # https://github.com/NixOS/nix/issues/12800 - parts = let - hostName = host._module.args.name; - generator = config.generator; - in builtins.deepSeq [ - hostName - secretName - generator - ] (builtins.fleetEnsureHostSecret - hostName - secretName - generator); + parts = + let + hostName = host._module.args.name; + generator = config.generator; + in + builtins.deepSeq [ + hostName + secretName + generator + ] (builtins.fleetEnsureHostSecret hostName secretName generator); }; } ); @@ -136,14 +135,16 @@ secrets = mkOption { type = attrsOf secretType; default = { }; - apply = mapAttrs (_: secret: secret.parts // {definition = secret;}); + apply = mapAttrs (_: secret: secret.parts // { definition = secret; }); description = "Host-local secrets"; }; system.secretsData = mkOption { type = unspecified; - default = mapAttrs (_: s: - (removeAttrs s.definition ["generator"]) // { - parts = mapAttrs (_: part: removeAttrs part ["data"]) s.definition.parts; + default = mapAttrs ( + _: s: + (removeAttrs s.definition [ "generator" ]) + // { + parts = mapAttrs (_: part: removeAttrs part [ "data" ]) s.definition.parts; } ) config.secrets; description = "secrets.json contents"; 
@@ -152,13 +153,25 @@ config = { environment.systemPackages = [ pkgs.fleet-install-secrets ]; - assertions = mapAttrsToList (name: secret: let - hasSharedDefinition = fleetConfiguration.secrets ? name; - in { - assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners); - message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration" - else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host"; - }) config.secrets; + assertions = mapAttrsToList ( + name: secret: + let + hasSharedDefinition = fleetConfiguration.secrets ? ${name}; + in + { + assertion = + (secret.definition.generator == "shared") == hasSharedDefinition + && ( + hasSharedDefinition + -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners) + ); + message = + if hasSharedDefinition then + "secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration" + else + "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host"; + } + ) config.secrets; systemd.services.fleet-install-secrets = mkIf useSysusers { wantedBy = [ "sysinit.target" ]; --- a/modules/nixos/top-level.nix +++ b/modules/nixos/top-level.nix @@ -2,6 +2,7 @@ pkgs, config, lib, + ... }: let inherit (lib.strings) optionalString; -- gitstuff
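Review bot: The `message` branch still keys only on `hasSharedDefinition`, but with the corrected assertion a secret that has a shared definition can now fail for two distinct reasons — its local generator is not `"shared"`, or this host is missing from `expectedOwners` — and both cases print the host-specific-generator text, which sends the operator to the wrong field when the real problem is ownership. Since `expectedOwners` is the list that decides whether this host may hold the shared secret at all, that failure deserves its own message naming the host. A three-way message that mirrors the three terms of the assertion is proposed below; the surrounding `config = {` block starts before and ends after this hunk.
```nix
# … unchanged: hasSharedDefinition and assertion = … ; …
message =
  if !hasSharedDefinition then
    "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host"
  else if secret.definition.generator != "shared" then
    "secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
  else
    "secret ${name} is shared, but host ${host._module.args.name} is not listed in its expectedOwners";
```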