

refactor split fleet and nixos modules

Yaroslav Bolyukin2021-10-01parent: #a2ea38b.patch.diff
in: trunk

12 files changed

modifiedlib/default.nixdiffbeforeafterboth
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -5,7 +5,7 @@
     in
     rec {
       root = nixpkgs.lib.evalModules {
-        modules = (import ../modules/modules.nix { inherit data; }) ++ [ config ];
+        modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];
         specialArgs = {
           inherit nixpkgs;
           fleet = import ./fleetLib.nix {
addedmodules/fleet/_modules.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/fleet/_modules.nix
@@ -0,0 +1,4 @@
+[
+  ./meta.nix
+  ./secrets.nix
+]
addedmodules/fleet/meta.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/fleet/meta.nix
@@ -0,0 +1,40 @@
+{ lib, fleet, config, ... }: with lib;
+let
+  host = with types; {
+    options = {
+      modules = mkOption {
+        type = listOf anything;
+        description = "List of nixos modules";
+        default = [ ];
+      };
+      system = mkOption {
+        type = str;
+        description = "Type of system";
+      };
+      encryptionKey = mkOption {
+        type = str;
+        description = "Encryption key";
+      };
+    };
+  };
+in
+{
+  options = with types; {
+    hosts = mkOption {
+      type = attrsOf (submodule host);
+      default = { };
+      description = "Configurations of individual hosts";
+    };
+    globalModules = mkOption {
+      type = listOf anything;
+      description = "Modules, which should be added to every system";
+      default = [ ];
+    };
+  };
+  config = {
+    hosts = fleet.hostsToAttrs (host: {
+      modules = config.globalModules;
+    });
+    globalModules = import ../nixos/_modules.nix;
+  };
+}
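Review bot: The `encryptionKey` option in the `host` submodule is typed as a bare `str` and described only as "Encryption key", which leaves a reader unable to tell whether it holds the host's public recipient key or private material that must never be committed to the fleet configuration. Since this value is evaluated as part of the fleet config alongside everything else in `hosts`, the description should state what kind of key it is; if it is the host's public key used when encrypting secrets for that host, `description = "Public key of the host, used as the recipient when encrypting secrets for it";` would make that explicit. The same wording was carried over verbatim from the deleted modules/hosts.nix, so this is a good moment to fix it.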
addedmodules/fleet/secrets.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/fleet/secrets.nix
@@ -0,0 +1,86 @@
+{ lib, fleet, config, ... }: with lib;
+let
+  sharedSecret = with types; {
+    options = {
+      owners = mkOption {
+        type = listOf str;
+        description = ''
+          List of hosts to encrypt secret for
+
+          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
+        '';
+      };
+      generator = mkOption {
+        type = package;
+        description = "Derivation to execute for secret generation";
+      };
+      expireIn = mkOption {
+        type = nullOr int;
+        description = "Time in hours, in which this secret should be regenerated";
+        default = null;
+      };
+      public = mkOption {
+        type = nullOr str;
+        description = "Secret public data";
+        default = null;
+      };
+      secret = mkOption {
+        type = str;
+        description = "Encrypted secret data";
+      };
+    };
+  };
+  hostSecret = with types; {
+    options = {
+      generator = mkOption {
+        type = package;
+        description = "Derivation to execute for secret generation";
+      };
+      expireIn = mkOption {
+        type = nullOr int;
+        description = "Time in hours, in which this secret should be regenerated";
+        default = null;
+      };
+      public = mkOption {
+        type = nullOr str;
+        description = "Secret public data";
+        default = null;
+      };
+      secret = mkOption {
+        type = str;
+        description = "Encrypted secret data";
+      };
+    };
+  };
+in
+{
+  options = with types; {
+    sharedSecrets = mkOption {
+      type = attrsOf (submodule sharedSecret);
+      default = { };
+      description = "Shared secrets";
+    };
+    hostSecrets = mkOption {
+      type = attrsOf (attrsOf (submodule hostSecret));
+      default = { };
+      description = "Host secrets";
+    };
+  };
+  config = with fleet; {
+    hosts = hostsToAttrs (host: {
+      modules =
+        let
+          cleanupSecret = (secretName: v: {
+            inherit (v) public secret;
+          });
+        in
+        [
+          {
+            secrets = (mapAttrs cleanupSecret
+              (filterAttrs (_: v: builtins.elem host v.owners) config.sharedSecrets)
+            ) // (mapAttrs cleanupSecret (if config.hostSecrets ? host then config.hostSecrets.${host} else {}));
+          }
+        ];
+    });
+  };
+}
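Review bot: On the last line of the `secrets` attribute, `config.hostSecrets ? host` tests for an attribute literally named `host`, not for the name bound by the `hostsToAttrs (host: ...)` lambda, so per-host secrets are never injected unless a machine happens to be called "host" — and in that case it would then read `config.hostSecrets.${host}` with the interpolated name, which is a different lookup. The check should be `config.hostSecrets.${host} or { }`, or equivalently `if config.hostSecrets ? ${host} then config.hostSecrets.${host} else { }`. Also worth a comment: because `//` is right-biased, a host secret with the same name as a shared secret silently replaces it, which is presumably intended but is not stated anywhere, e.g. `# host-specific secrets win over shared ones with the same name`.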
--- a/modules/hosts.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ lib, fleet, ... }: with lib;
-let
-  host = with types; {
-    options = {
-      modules = mkOption {
-        type = listOf anything;
-        description = "List of nixos modules";
-        default = [ ];
-      };
-      network = mkOption {
-        type = submodule {
-          options = {
-            fleetIp = {
-              type = str;
-              description = "Ip which is available to all hosts in fleet";
-            };
-          };
-        };
-        description = "Network definition of host";
-      };
-      system = mkOption {
-        type = str;
-        description = "Type of system";
-      };
-      encryptionKey = mkOption {
-        type = str;
-        description = "Encryption key";
-      };
-    };
-  };
-in
-{
-  options = with types; {
-    hosts = mkOption {
-      type = attrsOf (submodule host);
-      default = { };
-      description = "Configurations of individual hosts";
-    };
-  };
-  config.hosts = fleet.hostsToAttrs (host: {
-    modules = [
-      ({ ... }: {
-        nixpkgs.overlays = [ (import ../pkgs) ];
-      })
-    ];
-  });
-}
deletedmodules/modules.nixdiffbeforeafterboth
--- a/modules/modules.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ data }: [
-  ./hosts.nix
-  ./secrets
-  data
-]
addedmodules/nixos/_modules.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/nixos/_modules.nix
@@ -0,0 +1,5 @@
+[
+  ./fleetPkgs.nix
+  ./meta.nix
+  ./secrets.nix
+]
addedmodules/nixos/fleetPkgs.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/nixos/fleetPkgs.nix
@@ -0,0 +1 @@
+{ ... }: { nixpkgs.overlays = [ (import ../../pkgs) ]; }
addedmodules/nixos/meta.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/nixos/meta.nix
@@ -0,0 +1,32 @@
+{ lib, ... }:
+with lib;
+{
+  options = with types; {
+    tags = mkOption {
+      type = listOf str;
+      description = "Host tags";
+      default = [ ];
+    };
+    network = mkOption {
+      type = submodule {
+        options = {
+          internalIps = mkOption {
+            type = listOf str;
+            description = "Internal ips";
+            default = [ ];
+          };
+          externalIps = mkOption {
+            type = listOf str;
+            description = "External ips";
+            default = [ ];
+          };
+        };
+      };
+      description = "Network definition of host";
+    };
+  };
+  config = {
+    tags = [ "all" ];
+    network = { };
+  };
+}
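Review bot: The `tags` option declares `default = [ ]` while the module's own `config` block unconditionally sets `tags = [ "all" ]`; because `listOf` merges definitions by concatenation, every host always carries "all" in addition to whatever the user sets, so the documented default is misleading and a user cannot remove "all". If that is the intent, say so in the option: `description = "Host tags; \"all\" is always present";`. The `network = { };` line in `config` is a no-op since every option in the `network` submodule already has a default, and can be dropped. Note also that the previous `fleetIp` field from the deleted modules/hosts.nix has no counterpart here; if anything still references it, the rename to `internalIps`/`externalIps` should be documented.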
addedmodules/nixos/secrets.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/nixos/secrets.nix
@@ -0,0 +1,60 @@
+{ lib, config, pkgs, ... }: with lib;
+let
+  sysConfig = config;
+  secretType = types.submodule ({ config, ... }: {
+    config = {
+      path = mkOptionDefault "/run/secrets/${config._module.args.name}";
+    };
+    options = {
+      public = mkOption {
+        type = types.nullOr types.str;
+        description = "Secret public data";
+        default = null;
+      };
+      secret = mkOption {
+        type = types.str;
+        description = "Encrypted secret data";
+      };
+      mode = mkOption {
+        type = types.str;
+        description = "Secret mode";
+        default = "0440";
+      };
+      owner = mkOption {
+        type = types.str;
+        description = "Owner of the secret";
+        default = "root";
+      };
+      group = mkOption {
+        type = types.str;
+        description = "Group of the secret";
+        default = sysConfig.users.users.${config.owner}.group;
+      };
+
+      path = mkOption {
+        type = types.str;
+        readOnly = true;
+        description = "Path to the decrypted secret";
+      };
+    };
+  });
+  secretsFile = pkgs.writeTextFile {
+    name = "secrets.json";
+    text = builtins.toJSON config.secrets;
+  };
+in
+{
+  options = {
+    secrets = mkOption {
+      type = types.attrsOf secretType;
+      default = { };
+      description = "Host-local secrets";
+    };
+  };
+  config = {
+    system.activationScripts.decryptSecrets = ''
+      1>&2 echo "setting up secrets"
+      ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
+    '';
+  };
+}
deletedmodules/secrets/default.nixdiffbeforeafterboth
--- a/modules/secrets/default.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ lib, fleet, config, ... }: with lib;
-let
-  secret = with types; {
-    options = {
-      owners = mkOption {
-        type = listOf str;
-        description = ''
-          List of hosts to encrypt secret for
-
-          Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
-        '';
-      };
-      generator = mkOption {
-        type = package;
-        description = "Derivation to execute for secret generation";
-      };
-      expireIn = mkOption {
-        type = nullOr int;
-        description = "Time in hours, in which this secret should be regenerated";
-        default = null;
-      };
-      public = mkOption {
-        type = nullOr str;
-        description = "Secret public data";
-        default = null;
-      };
-      secret = mkOption {
-        type = str;
-        description = "Encrypted secret data";
-      };
-    };
-  };
-in
-{
-  options = with types; {
-    secrets = mkOption {
-      type = attrsOf (submodule secret);
-      default = { };
-      description = "Secrets";
-    };
-  };
-  config = with fleet; {
-    hosts = hostsToAttrs (host: {
-      modules = [
-        ./nixosModule.nix
-        {
-          secrets = mapAttrs
-            (secretName: v: {
-              inherit (v) public secret;
-            })
-            (filterAttrs (_: v: builtins.elem host v.owners) config.secrets);
-        }
-      ];
-    });
-  };
-}
deletedmodules/secrets/nixosModule.nixdiffbeforeafterboth
--- a/modules/secrets/nixosModule.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ lib, config, pkgs, ... }: with lib;
-let
-  sysConfig = config;
-  secretType = types.submodule ({ config, ... }: {
-    config = {
-      path = mkOptionDefault "/run/secrets/${config._module.args.name}";
-    };
-    options = {
-      public = mkOption {
-        type = types.nullOr types.str;
-        description = "Secret public data";
-        default = null;
-      };
-      secret = mkOption {
-        type = types.str;
-        description = "Encrypted secret data";
-      };
-      mode = mkOption {
-        type = types.str;
-        description = "Secret mode";
-        default = "0440";
-      };
-      owner = mkOption {
-        type = types.str;
-        description = "Owner of the secret";
-        default = "root";
-      };
-      group = mkOption {
-        type = types.str;
-        description = "Group of the secret";
-        default = sysConfig.users.users.${config.owner}.group;
-      };
-
-      path = mkOption {
-        type = types.str;
-        readOnly = true;
-        description = "Path to the decrypted secret";
-      };
-    };
-  });
-  secretsFile = pkgs.writeTextFile {
-    name = "secrets.json";
-    text = builtins.toJSON config.secrets;
-  };
-in
-{
-  options = {
-    secrets = mkOption {
-      type = types.attrsOf secretType;
-      default = { };
-      description = "Host-local secrets";
-    };
-  };
-  config = {
-    system.activationScripts.decryptSecrets = ''
-      1>&2 echo "setting up secrets"
-      ${pkgs.fleet-install-secrets}/bin/fleet-install-secrets ${secretsFile}
-    '';
-  };
-}