style add treefmt
in: trunk
27 files changed
Cargo.tomldiffbeforeafterbothno syntactic changes
cmds/fleet/Cargo.tomldiffbeforeafterbothno syntactic changes
cmds/install-secrets/src/main.rsdiffbeforeafterboth200200201 if data.is_empty() {201 if data.is_empty() {202 info!("no secrets to install");202 info!("no secrets to install");203 return Ok(())203 return Ok(());204 }204 }205205206 let identity = host_identity()?;206 let identity = host_identity()?;crates/nixlike/fuzz/fuzz_targets/fuzz_target_1.rsdiffbeforeafterbothno syntactic changes
flake.lockdiffbeforeafterboth57 "flake-parts": "flake-parts",57 "flake-parts": "flake-parts",58 "nixpkgs": "nixpkgs",58 "nixpkgs": "nixpkgs",59 "rust-overlay": "rust-overlay",59 "rust-overlay": "rust-overlay",60 "shelly": "shelly"60 "shelly": "shelly",61 "treefmt-nix": "treefmt-nix"61 }62 }62 },63 },63 "rust-overlay": {64 "rust-overlay": {94 "repo": "shelly",95 "repo": "shelly",95 "type": "github"96 "type": "github"96 }97 }97 }98 },99 "treefmt-nix": {100 "inputs": {101 "nixpkgs": [102 "nixpkgs"103 ]104 },105 "locked": {106 "lastModified": 1744961264,107 "narHash": "sha256-aRmUh0AMwcbdjJHnytg1e5h5ECcaWtIFQa6d9gI85AI=",108 "owner": "numtide",109 "repo": "treefmt-nix",110 "rev": "8d404a69efe76146368885110f29a2ca3700bee6",111 "type": "github"112 },113 "original": {114 "owner": "numtide",115 "repo": "treefmt-nix",116 "type": "github"117 }118 }98 },119 },99 "root": "root",120 "root": "root",100 "version": 7121 "version": 7flake.nixdiffbeforeafterboth1{1{2 description = "NixOS configuration management";2 description = "NixOS cluster configuration management";334 inputs = {4 inputs = {5 nixpkgs.url = "github:nixos/nixpkgs/release-24.11";5 nixpkgs.url = "github:nixos/nixpkgs/release-24.11";13 };13 };14 crane.url = "github:ipetkov/crane";14 crane.url = "github:ipetkov/crane";15 shelly.url = "github:CertainLach/shelly";15 shelly.url = "github:CertainLach/shelly";16 treefmt-nix = {17 url = "github:numtide/treefmt-nix";18 inputs.nixpkgs.follows = "nixpkgs";19 };16 };20 };17 outputs =21 outputs =18 inputs:22 inputs:75 config,79 config,76 system,80 system,77 pkgs,81 pkgs,82 self,78 ...83 ...79 }:84 }:80 let85 let92 lib = pkgs.lib;97 lib = pkgs.lib;93 rust = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;98 rust = pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;94 craneLib = (inputs.crane.mkLib pkgs).overrideToolchain rust;99 craneLib = (inputs.crane.mkLib pkgs).overrideToolchain rust;100 treefmt = (inputs.treefmt-nix.lib.evalModule pkgs 
./treefmt.nix).config.build;95 in101 in96 {102 {97 _module.args.pkgs = import inputs.nixpkgs {103 _module.args.pkgs = import inputs.nixpkgs {129 (prefixAttrs "nixpkgs-" {135 (prefixAttrs "nixpkgs-" {130 inherit (packages) fleet-install-secrets;136 inherit (packages) fleet-install-secrets;131 });137 })138 // {139 checks.formatting = treefmt.check self;140 };132 # TODO: It should be possible to move lib.mkIf to default attribute, instead of disabling the whole141 # TODO: It should be possible to move lib.mkIf to default attribute, instead of disabling the whole133 # devShells block, yet nix flake check fails here, due to no default shell found. It is nix or flake-parts bug?142 # devShells block, yet nix flake check fails here, due to no default shell found. It is nix or flake-parts bug?134 shelly.shells.default = lib.mkIf deployerSystem {143 shelly.shells.default = lib.mkIf deployerSystem {151 ];160 ];152 environment.PROTOC = "${pkgs.protobuf}/bin/protoc";161 environment.PROTOC = "${pkgs.protobuf}/bin/protoc";153 };162 };154 formatter = pkgs.alejandra;163 formatter = treefmt.wrapper;155 };164 };156 };165 };157}166}lib/default.nixdiffbeforeafterboth59 */68 */60 mkPassword = {size ? 32}: {69 mkPassword =70 {71 size ? 32,72 }:73 {61 coreutils,74 coreutils,107 */122 */108 mkX25519 = {encoding ? null}: {mkSecretGenerator}:123 mkX25519 =124 {125 encoding ? null,126 }:127 { mkSecretGenerator }:109 mkSecretGenerator {128 mkSecretGenerator {126 */145 */127 mkRsa = {size ? 4096}: {146 mkRsa =147 {148 size ? 4096,149 }:150 {128 openssl,151 openssl,171 */196 */172 mkHexBytes = {count ? 32}:197 mkHexBytes =198 {199 count ? 32,200 }:173 mkBytes {201 mkBytes {174 inherit count;202 inherit count;179 */207 */180 mkBase64Bytes = {count ? 32}:208 mkBase64Bytes =209 {210 count ? 32,211 }:181 mkBytes {212 mkBytes {182 inherit count;213 inherit count;lib/flakePart.nixdiffbeforeafterbothno syntactic changes
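Review bot: `checks.formatting = treefmt.check self;` on new lines 138-140 is appended with `//` to the value that ends at line 137 (`prefixAttrs "nixpkgs-" { … }`), and the left-hand side of that assignment is not visible in this section; if that value is the perSystem `packages` attribute, the check lands at `packages.checks.formatting` and `nix flake check` will never run it. flake-parts' perSystem accepts `checks` as its own attribute, so the unambiguous form is a standalone `checks.formatting = treefmt.check self;` placed next to `formatter = treefmt.wrapper;` on line 163, which only depends on the `self` argument already added on line 82. If the expression being extended is in fact the whole perSystem attrset, the placement is correct and this can be dismissed. The enclosing perSystem function starts and ends outside the visible lines.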
modules/assertions.nixdiffbeforeafterbothno syntactic changes
modules/extras/tf.nixdiffbeforeafterbothno syntactic changes
modules/fleetLib.nixdiffbeforeafterbothno syntactic changes
modules/hosts.nixdiffbeforeafterboth61 };70 };627163 tags = mkOption {72 tags = mkOption {64 description = ''73 description = ''65 Tags for host classification.74 Tags for host classification.66 Used for host selection via @tag syntax in CLI tools.75 Used for host selection via @tag syntax in CLI tools.67 '';76 '';68 type = listOf str;77 type = listOf str;69 };78 };7079modules/meta.nixdiffbeforeafterbothno syntactic changes
modules/nixos.nixdiffbeforeafterbothno syntactic changes
modules/nixos/nix-sign.nixdiffbeforeafterbothno syntactic changes
modules/nixos/online.nixdiffbeforeafterboth37 name: value:50 name: value:38 if isString value51 if isString value then39 then {52 {40 text = ''53 text = ''41 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then54 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then42 ${value}55 ${value}43 fi56 fi44 '';57 '';45 deps = ["onlineActivation"];58 deps = [ "onlineActivation" ];46 }59 }47 else60 else48 value61 value49 // {62 // {50 deps = ["onlineActivation"] ++ value.deps;63 deps = [ "onlineActivation" ] ++ value.deps;51 text = ''64 text = ''52 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then65 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then53 ${value.text}66 ${value.text}54 fi67 fi55 '';68 '';56 }69 }57 )70 ) set;58 set;59 };71 };607261 config.system.activationScripts =73 config.system.activationScripts = {62 {63 onlineActivation = {74 onlineActivation = {64 text = ''75 text = ''65 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then76 if [ ! -z ''${FLEET_ONLINE_ACTIVATION+x} ]; then66 1>&2 echo "online activation; hello, fleet!"77 1>&2 echo "online activation; hello, fleet!"67 fi78 fi68 '';79 '';69 supportsDryActivation = true;80 supportsDryActivation = true;70 };81 };71 }82 } // config.system.onlineActivationScripts;modules/nixos/rollback.nixdiffbeforeafterbothno syntactic changes
modules/nixos/secrets.nixdiffbeforeafterbothno syntactic changes
modules/nixpkgs.nixdiffbeforeafterbothno syntactic changes
modules/secrets-data.nixdiffbeforeafterboth109 assertion = secret.expectedOwners == null || sort (a: b: a < b) config.data.sharedSecrets.${name}.owners == sort (a: b: a < b) secret.expectedOwners;129 assertion =130 secret.expectedOwners == null131 ||132 sort (a: b: a < b) (config.data.sharedSecrets.${name} or { owners = [ ]; }).owners133 == sort (a: b: a < b) secret.expectedOwners;110 message = "Shared secret ${name} is expected to be encrypted for ${toJSON secret.expectedOwners}, but it is encrypted for ${toJSON config.data.sharedSecrets.${name}.owners}. Run fleet secrets regenerate to fix";134 message = "Shared secret ${name} is expected to be encrypted for ${toJSON secret.expectedOwners}, but it is encrypted for ${135 toJSON config.data.sharedSecrets.${name}.owners136 }. Run fleet secrets regenerate to fix";111 })137 }) config.sharedSecrets)112 config.sharedSecrets)113 ++ (mapAttrsToList138 ++ (mapAttrsToList (name: secret: {114 (name: secret: {115 # TODO: Same aassertion should be in host secrets139 # TODO: Same aassertion should be in host secrets116 assertion = config.data.sharedSecrets.${name}.generationData == secret.expectedGenerationData;140 assertion = config.data.sharedSecrets.${name}.generationData == secret.expectedGenerationData;117 message = "Shared secret ${name} has unexpected generation data ${toJSON secret.expectedGenerationData} != ${toJSON config.data.sharedSecrets.${name}.expectedGenerationData}. Run fleet secrets regenerate to fix";141 message = "Shared secret ${name} has unexpected generation data ${toJSON secret.expectedGenerationData} != ${142 toJSON config.data.sharedSecrets.${name}.expectedGenerationData143 }. 
Run fleet secrets regenerate to fix";118 })144 }) config.sharedSecrets);119 config.sharedSecrets);120 sharedSecrets =145 sharedSecrets = mapAttrs (_: _: { }) config.data.sharedSecrets;modules/secrets.nixdiffbeforeafterboth12 options = {26 options = {13 expectedOwners = mkOption {27 expectedOwners = mkOption {14 type = nullOr (listOf str);28 type = nullOr (listOf str);15 description = ''29 description = ''16 Specifies the list of hosts authorized to decrypt and access this shared secret.30 Specifies the list of hosts authorized to decrypt and access this shared secret.173118 When null, secret ownership is managed manually via fleet.nix and CLI.32 When null, secret ownership is managed manually via fleet.nix and CLI.19 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.33 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.20 '';34 '';21 default = null;35 default = null;22 };36 };23 regenerateOnOwnerAdded = mkOption {37 regenerateOnOwnerAdded = mkOption {24 type = bool;38 type = bool;25 description = ''39 description = ''26 Controls whether the secret must be regenerated when new owners are added.40 Controls whether the secret must be regenerated when new owners are added.274128 Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).42 Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).29 When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.43 When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.30 '';44 '';31 };45 };32 regenerateOnOwnerRemoved = mkOption {46 regenerateOnOwnerRemoved = mkOption {33 default = config.regenerateOnOwnerAdded;47 default = config.regenerateOnOwnerAdded;34 defaultText = literalExpression "regenerateOnOwnerAdded";48 defaultText = literalExpression "regenerateOnOwnerAdded";35 type = bool;49 type = bool;36 
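Review bot: The fallback `or { owners = [ ]; }` added on new line 132 is not mirrored in the message on lines 134-136, which still indexes `config.data.sharedSecrets.${name}.owners` directly, so when a shared secret declares expected owners but has no entry in `config.data.sharedSecrets` the assertion fails and evaluating its message throws an attribute-missing error instead of reporting which owners are missing; use `toJSON (config.data.sharedSecrets.${name} or { owners = [ ]; }).owners` there as well. Since this assertion is what enforces that a shared secret is encrypted only for its expected owners, the missing-entry case should produce the intended message rather than an evaluation crash. The generationData assertion on line 140 and its message on line 142 have the same unguarded lookup. The message on line 142 also reads `.expectedGenerationData` from the data side, which looks like it was meant to be `.generationData` (pre-existing, but worth fixing alongside). The enclosing `assertions` list starts before this section.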
description = ''50 description = ''37 Determines secret behavior when owners are removed from the configuration.51 Determines secret behavior when owners are removed from the configuration.385239 Typically mirrors regenerateOnOwnerAdded. Override cautiously.53 Typically mirrors regenerateOnOwnerAdded. Override cautiously.40 Set to false if host permissions are revoked through alternative mechanisms like firewall rules.54 Set to false if host permissions are revoked through alternative mechanisms like firewall rules.41 '';55 '';42 };56 };43 generator = mkOption {57 generator = mkOption {44 type = uniq (nullOr (functionTo package));58 type = uniq (nullOr (functionTo package));45 description = ''59 description = ''46 Function evaluating to nix derivation responsible for (re)generating the secret's content.60 Function evaluating to nix derivation responsible for (re)generating the secret's content.476148 An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,62 An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,49 use `mkSecretGenerator` helpers to implement own generators.63 use `mkSecretGenerator` helpers to implement own generators.50 '';64 '';51 default = null;65 default = null;52 };66 };53 expectedGenerationData = mkOption {67 expectedGenerationData = mkOption {83 # (Some secrets-encryption-in-git/managed PKI solution is expected)106 # (Some secrets-encryption-in-git/managed PKI solution is expected)84 impureOn ? null,107 impureOn ? 
null,85 }:108 }:86 (prev.writeShellScript "impureGenerator.sh" ''109 (prev.writeShellScript "impureGenerator.sh" ''87 #!/bin/sh110 #!/bin/sh88 set -eu111 set -eu8911290 export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";113 export GENERATOR_HELPER_IDENTITIES="${concatStringsSep "\n" recipients}";91 export PATH=${final.fleet-generator-helper}/bin:$PATH114 export PATH=${final.fleet-generator-helper}/bin:$PATH9211593 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?116 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?94 tmp=$(mktemp -d)117 tmp=$(mktemp -d)95 cd $tmp118 cd $tmp96 # cd /var/empty119 # cd /var/empty9712098 created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")121 created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")99122100 ${script}123 ${script}101124102 if ! test -d $out; then125 if ! test -d $out; then103 echo "impure generator script did not produce expected \$out output"126 echo "impure generator script did not produce expected \$out output"104 exit 1127 exit 1105 fi128 fi106129107 echo -n $created_at > $out/created_at130 echo -n $created_at > $out/created_at108 echo -n SUCCESS > $out/marker131 echo -n SUCCESS > $out/marker109 '')132 '').overrideAttrs110 .overrideAttrs (old: {133 (old: {111 passthru = {134 passthru = {112 inherit impureOn;135 inherit impureOn;pkgs/default.nixdiffbeforeafterbothno syntactic changes
pkgs/fleet-generator-helper.nixdiffbeforeafterbothno syntactic changes
pkgs/fleet-install-secrets.nixdiffbeforeafterbothno syntactic changes
pkgs/fleet.nixdiffbeforeafterbothno syntactic changes
scripts/install-trusted-cert.shdiffbeforeafterbothno syntactic changes
treefmt.nixdiffbeforeafterbothno changes