1# Shared functions for fleet configuration, available as `fleet` module argument2{ lib }:3let4 inherit (lib.trivial) isFunction functionArgs;5 inherit (lib.options) mkOption mergeOneOption;6 inherit (lib.modules) mkOverride;7 inherit (lib.types)8 listOf9 submodule10 attrsOf11 mkOptionType12 ;13 inherit (lib.strings) optionalString hasPrefix removePrefix;14in15rec {16 types = {17 overlay = mkOptionType {18 name = "nixpkgs-overlay";19 description = "nixpkgs overlay";20 check = isFunction;21 merge = mergeOneOption;22 };23 listOfOverlay = listOf types.overlay;2425 mkHostsType = module: attrsOf (submodule module);26 mkDataType = module: submodule module;27 };2829 options = {30 mkHostsOption =31 module:32 mkOption {33 type = types.mkHostsType module;34 };35 mkDataOption =36 module:37 mkOption {38 type = types.mkDataType module;39 };40 };4142 inherit (options) mkHostsOption;4344 modules = {45 /**46 Use in places, where fleet might know better than nixpkgs defaults to47 */48 mkFleetDefault = mkOverride 999;49 /**50 Some generators use mkDefault, but optionDefault is set by nixpkgs.51 */52 mkFleetGeneratorDefault = mkOverride 1001;53 };5455 inherit (modules) mkFleetDefault mkFleetGeneratorDefault;5657 secrets =58 let59 describedGenerator =60 generator: {parts ? {}}:61 {parts = {};}62 // {63 __functionArgs = functionArgs generator;64 __functor = _: generator;65 };66 in67 {68 inherit describedGenerator;6970 /**71 Generate a random secret password, 32 ascii characters by default7273 Options:74 size: generated password length in ascii characters (bytes).75 noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might76 not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].7778 Output:79 Resulting secret has only part: secret, which contains encrypted password.80 */81 mkPassword =82 {83 size ? 32,84 }:85 describedGenerator86 (87 {88 coreutils,89 mkSecretGenerator,90 }:91 mkSecretGenerator {92 script = ''93 mkdir $out94 gh generate password -o $out/secret --size ${toStringsize}95 '';96 }97 )98 {99 parts.secret.encrypted = true;100 };101102 /**103 Generate a random ed25519 keypair104105 Options:106 noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)107 When noEmbedPublis is enabled - only the private scalar is included.108 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".109110 Output:111 Resulting secret has two parts: public and secret, where the secret part is encrypted.112113 This secret format is used by e.g Garage S3 server114 */115 mkEd25519 =116 {117 noEmbedPublic ? false,118 encoding ? null,119 }:120 describedGenerator121 (122 { mkSecretGenerator }:123 mkSecretGenerator {124 script = ''125 mkdir $out126 gh generate ed25519 -p $out/public -s $out/secret \127 ${optionalStringnoEmbedPublic"--no-embed-public"} \128 ${optionalString(encoding!=null)"--encoding=${encoding}"}129 '';130 }131 )132 {133 parts.secret.encrypted = true;134 parts.public.encrypted = false;135 };136137 /**138 Generate a random x25519 keypair139140 Options:141 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".142143 Output:144 Resulting secret has two parts: public and secret, where the secret part is encrypted.145146 This secret format is used by e.g Wireguard VPN for peers (base64-encoded)147 */148 mkX25519 =149 {150 encoding ? null,151 }:152 describedGenerator153 (154 { mkSecretGenerator }:155 mkSecretGenerator {156 script = ''157 mkdir $out158 gh generate x25519 -p $out/public -s $out/secret \159 ${optionalString(encoding!=null)"--encoding=${encoding}"}160 '';161 }162 )163 {164 parts.secret.encrypted = true;165 parts.public.encrypted = false;166 };167168 /**169 Generate a random RSA keypair170171 Options:172 size: RSA key size, 4096 by default173174 Output:175 Resulting secret has two parts: public and secret, where the secret part is encrypted.176 Both parts are PEM encoded.177 */178 mkRsa =179 {180 size ? 4096,181 }:182 describedGenerator183 (184 {185 openssl,186 mkSecretGenerator,187 }:188 mkSecretGenerator {189 script = ''190 mkdir $out191192 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toStringsize}193 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key194195 cat rsa_private.key | gh private -o $out/secret196 cat rsa_public.key | gh public -o $out/public197 '';198 }199 )200 {201 parts.secret.encrypted = true;202 parts.public.encrypted = false;203 };204205 /**206 Generate a random byte sequence207208 Options:209 size: generated password length in bytes, 32 by default.210 encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"211 noNuls: prevent output byte sequence from containing internal \0, useful for some C applications212 that can't handle their strings properly.213214 Output:215 Resulting secret has only part: secret, which contains encrypted bytes.216217 Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)218 */219 mkBytes =220 {221 count ? 32,222 encoding,223 noNuls ? false,224 }:225 describedGenerator226 (227 { mkSecretGenerator }:228 mkSecretGenerator {229 script = ''230 mkdir $out231 gh generate bytes --count=${toStringcount} --encoding=${encoding} -o $out/secret \232 ${optionalStringnoNuls"--no-nuls"}233 '';234 }235 )236 {237 parts.secret.encrypted = true;238 };239 /**240 Shorthand for `mkBytes`, which defaults to "hex" encoding241 */242 mkHexBytes =243 {244 count ? 32,245 }:246 mkBytes {247 inherit count;248 encoding = "hex";249 };250 /**251 Shorthand for `mkBytes`, which defaults to "base64" encoding252 */253 mkBase64Bytes =254 {255 count ? 32,256 }:257 mkBytes {258 inherit count;259 encoding = "base64";260 };261262 # Wireguard263 # mkWireguard = {}: mkX25519 {encoding = "base64";};264 # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};265 };266267 inherit (secrets)268 mkPassword269 mkEd25519270 mkX25519271 mkRsa272 mkBytes273 mkHexBytes274 mkBase64Bytes275 ;276277 strings =278 let279 plaintextPrefix = "<PLAINTEXT>";280 plaintextNewlinePrefix = "<PLAINTEXT-NL>";281 in282 {283 /**284 Decode public secret part into string285 */286 decodeRawSecret =287 raw:288 if hasPrefix plaintextPrefix raw then289 removePrefix plaintextPrefix raw290 else if hasPrefix plaintextNewlinePrefix raw then291 removePrefix plaintextNewlinePrefix raw292 else293 throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";294 };295296 inherit (strings) decodeRawSecret;297}difftreelog
source
lib/default.nix7.9 KiBsourcehistory