feat shared secrets expected owners
in: trunk
7 files changed
crates/nixlike/Cargo.tomldiffbeforeafterboth4edition = "2021"4edition = "2021"556[dependencies]6[dependencies]7dprint-core = "0.50.0"7dprint-core = "0.51.0"8linked-hash-map = "0.5.4"8linked-hash-map = "0.5.4"9peg = "0.8.0"9peg = "0.8.0"10serde = "1.0.130"10serde = "1.0.130"lib/default.nixdiffbeforeafterboth1{ flake-utils }: {1{ flake-utils }: {2 fleetConfiguration = { data, nixpkgs, hosts, ... }@allConfig:2 fleetConfiguration = { data, nixpkgs, hosts, ... }@allConfig:3 let3 let4 hostNames = nixpkgs.lib.attrNames hosts;4 config = builtins.removeAttrs allConfig [ "nixpkgs" "data" ];5 config = builtins.removeAttrs allConfig [ "nixpkgs" "data" ];5 fleetLib = import ./fleetLib.nix {6 fleetLib = import ./fleetLib.nix {6 inherit nixpkgs hosts;7 inherit nixpkgs hostNames;7 };8 };8 in9 in9 nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system: rec {10 nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system:10 root = nixpkgs.lib.evalModules {11 let11 modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];12 root = nixpkgs.lib.evalModules {12 specialArgs = {13 modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];13 inherit nixpkgs;14 specialArgs = {14 fleet = fleetLib;15 inherit nixpkgs fleetLib;15 };16 };16 };17 };18 failedAssertions = map (x: x.message) (nixpkgs.lib.filter (x: !x.assertion) root.config.assertions);19 rootAssertWarn =20 if failedAssertions != [ ]21 then throw "Failed assertions:\n${nixpkgs.lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"22 else nixpkgs.lib.showWarnings root.config.warnings root;23 in24 rec {17 configuredHosts = root.config.hosts;25 configuredHosts = rootAssertWarn.config.hosts;18 configuredSecrets = root.config.secrets;26 configuredSecrets = rootAssertWarn.config.secrets;19 configuredSystems = nixpkgs.lib.listToAttrs (27 configuredSystems = nixpkgs.lib.listToAttrs (20 map28 map21 (29 (36 })44 })37 ];45 ];38 specialArgs = {46 specialArgs = {47 inherit fleetLib;39 fleet = 
fleetLib.hostsToAttrs (host: configuredSystems.${host}.config);48 fleet = fleetLib.hostsToAttrs (host: configuredSystems.${host}.config);40 };49 };41 };50 };42 }51 }43 )52 )44 (builtins.attrNames root.config.hosts)53 (builtins.attrNames rootAssertWarn.config.hosts)45 ); #nixpkgs.lib.nixosSystem {}54 ); #nixpkgs.lib.nixosSystem {}46 });55 });47}56}lib/fleetLib.nixdiffbeforeafterboth1# Shared functions for fleet configuration, available as `fleet` module argument1# Shared functions for fleet configuration, available as `fleet` module argument2{ nixpkgs, hosts }: with nixpkgs.lib; rec {2{ nixpkgs, hostNames }: with nixpkgs.lib; rec {3 # Modules can't register hosts because of infinite recursion4 hostNames = attrNames hosts;5 hostsToAttrs = f: listToAttrs (3 hostsToAttrs = f: listToAttrs (6 map (name: { inherit name; value = f name; }) hostNames4 map (name: { inherit name; value = f name; }) hostNames7 );5 );25 a = elemAt sorted 0;23 a = elemAt sorted 0;26 b = elemAt sorted 1;24 b = elemAt sorted 1;27 };25 };26 hostPairName = this: other:27 if this < other then "${this}-${other}"28 else "${other}-${this}";28}29}2930modules/fleet/_modules.nixdiffbeforeafterboth1[1[2 ./assertions.nix2 ./meta.nix3 ./meta.nix3 ./secrets.nix4 ./secrets.nix4]5]modules/fleet/assertions.nixdiffbeforeafterbothno changes
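Review bot: `root` was a public attribute of the per-system `rec { … }` and is now only a `let` binding (new-side lines 10–24 of lib/default.nix), so any consumer that read `.root` breaks, and only `configuredHosts`, `configuredSecrets` and `configuredSystems` pass through the `rootAssertWarn` gate; if `root` is still meant to be reachable, export it as `root = rootAssertWarn;` so the assertion check cannot be bypassed by reading the unchecked tree. `rootAssertWarn` evaluates `root.config.assertions` and `root.config.warnings`, which presupposes both options are declared somewhere in the module set; the `assertions.nix` section on this page shows no content, so I cannot confirm that a `warnings` option exists. The `throw` on failed assertions is the right fail-closed outcome for a secret whose owner set no longer matches, and a short comment such as `# Force assertion/warning evaluation before any configured* attribute is consumed` above `rootAssertWarn` would explain why the indirection exists. The `configuredSystems` body between new-side lines 29 and 44 is elided on this page.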
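Review bot: `hostPairName` (new-side lines 26–28 of lib/fleetLib.nix) joins the two names with `-`, a character that is itself valid in hostnames, so `hostPairName "a-b" "c"` and `hostPairName "a" "b-c"` both yield `a-b-c`; if the result is used as a key for per-pair secrets (its callers are not visible here), two distinct pairs can collide on one entry. Either pick a separator that cannot occur in a hostname or state the constraint with `# Canonical order-independent pair name; assumes hostnames contain no "-"` above the definition. The lines between `hostsToAttrs` and the `a`/`b` bindings (old-side 8–24) are elided, so whether an existing pair helper in this file could be reused is not visible.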
modules/fleet/meta.nixdiffbeforeafterboth1{ lib, fleet, config, ... }: with lib;1{ lib, fleetLib, config, ... }: with lib;2let2let3 host = with types; {3 host = with types; {4 options = {4 options = {42 };42 };43 };43 };44 config = {44 config = {45 hosts = fleet.hostsToAttrs (host: {45 hosts = fleetLib.hostsToAttrs (host: {46 modules = config.globalModules;46 modules = config.globalModules;47 });47 });48 globalModules = import ../../nixos/modules/module-list.nix;48 globalModules = import ../../nixos/modules/module-list.nix;modules/fleet/secrets.nixdiffbeforeafterboth1{ lib, fleet, config, ... }: with lib;1{ lib, fleetLib, config, ... }: with lib; with fleetLib;2let2let3 sharedSecret = with types; {3 sharedSecret = with types; {4 options = {4 options = {5 owners = mkOption {6 type = listOf str;7 description = ''8 For which owners this secret is currently encrypted,9 if not matches expectedOwners - then this secret is considered outdated, and10 should be regenerated/reencrypted11 '';12 };5 owners = mkOption {13 expectedOwners = mkOption {6 type = listOf str;14 type = listOf str;7 description = ''15 description = ''8 List of hosts to encrypt secret for16 List of hosts to encrypt secret for91710 Secrets would be decrypted and stored to /run/secrets/$\{name} on owners18 Secrets would be decrypted and stored to /run/secrets/$\{name} on owners11 '';19 '';20 default = [ ];12 };21 };13 generator = mkOption {22 generator = mkOption {14 type = package;23 type = package;67 description = "Host secrets";76 description = "Host secrets";68 };77 };69 };78 };70 config = with fleet; {79 config = {80 assertions = mapAttrsToList81 (name: secret: {82 assertion = builtins.sort (a: b: a < b) secret.owners == builtins.sort (a: b: a < b) secret.expectedOwners;83 message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON secret.expectedOwners}, but it is encrypted for ${builtins.toJSON secret.owners}";84 })85 config.sharedSecrets;71 hosts = hostsToAttrs (host: {86 
hosts = hostsToAttrs (host: {72 modules =87 modules =73 let88 let83 }98 }84 ];99 ];85 });100 });86 };101 };87}102}88103
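Review bot: The new `owners` option (new-side lines 5–12 of modules/fleet/secrets.nix) has no default while `expectedOwners` now defaults to `[ ]`, so a shared secret declared without `owners` fails at `secret.owners` in the assertion with Nix's generic undefined-option error rather than the descriptive message built on lines 82–83; if every secret must state what it is currently encrypted for, say so in the description, otherwise `default = [ ];` on `owners` lets the assertion report the mismatch itself. The comparison sorts both sides but does not deduplicate, so `[ "a" "a" ]` versus `[ "a" ]` is reported as a mismatch — acceptable, but worth recording with `# both lists sorted so owner order in config does not matter; duplicates are significant` above the `assertion`. The `with fleetLib;` appended to line 1 stacks a second `with` scope, which hides where `hostsToAttrs` and `mapAttrsToList` come from; `inherit (fleetLib) hostsToAttrs;` in the `let` keeps the provenance explicit. The `hosts = hostsToAttrs …` body continues past the visible lines (new-side 88–97 are elided).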