

feat shared secrets expected owners

Yaroslav Bolyukin2022-03-27parent: #144b321.patch.diff
in: trunk

7 files changed

modifiedcrates/nixlike/Cargo.tomldiffbeforeafterboth
--- a/crates/nixlike/Cargo.toml
+++ b/crates/nixlike/Cargo.toml
@@ -4,7 +4,7 @@
 edition = "2021"
 
 [dependencies]
-dprint-core = "0.50.0"
+dprint-core = "0.51.0"
 linked-hash-map = "0.5.4"
 peg = "0.8.0"
 serde = "1.0.130"
modifiedlib/default.nixdiffbeforeafterboth
before · lib/default.nix
1{ flake-utils }: {2  fleetConfiguration = { data, nixpkgs, hosts, ... }@allConfig:3    let4      config = builtins.removeAttrs allConfig [ "nixpkgs" "data" ];5      fleetLib = import ./fleetLib.nix {6        inherit nixpkgs hosts;7      };8    in9    nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system: rec {10      root = nixpkgs.lib.evalModules {11        modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];12        specialArgs = {13          inherit nixpkgs;14          fleet = fleetLib;15        };16      };17      configuredHosts = root.config.hosts;18      configuredSecrets = root.config.secrets;19      configuredSystems = nixpkgs.lib.listToAttrs (20        map21          (22            name: {23              inherit name;24              value = nixpkgs.lib.nixosSystem {25                system = configuredHosts.${name}.system;26                modules = configuredHosts.${name}.modules ++ (27                  if configuredHosts.${name}.system == "aarch64-linux" then [ (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix") ]28                  else [ ]29                ) ++ [30                  ({ ... }: {31                    nixpkgs.system = system;32                    nixpkgs.localSystem.system = system;33                    nixpkgs.crossSystem = if system == configuredHosts.${name}.system then null else {34                      system = configuredHosts.${name}.system;35                    };36                  })37                ];38                specialArgs = {39                  fleet = fleetLib.hostsToAttrs (host: configuredSystems.${host}.config);40                };41              };42            }43          )44          (builtins.attrNames root.config.hosts)45      ); #nixpkgs.lib.nixosSystem {}46    });47}
modifiedlib/fleetLib.nixdiffbeforeafterboth
--- a/lib/fleetLib.nix
+++ b/lib/fleetLib.nix
@@ -1,7 +1,5 @@
 # Shared functions for fleet configuration, available as `fleet` module argument
-{ nixpkgs, hosts }: with nixpkgs.lib; rec {
-  # Modules can't register hosts because of infinite recursion
-  hostNames = attrNames hosts;
+{ nixpkgs, hostNames }: with nixpkgs.lib; rec {
   hostsToAttrs = f: listToAttrs (
     map (name: { inherit name; value = f name; }) hostNames
   );
@@ -25,4 +23,7 @@
       a = elemAt sorted 0;
       b = elemAt sorted 1;
     };
+  hostPairName = this: other:
+    if this < other then "${this}-${other}"
+    else "${other}-${this}";
 }
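Review bot: The new `hostPairName` in the second hunk lands without a comment, and the first hunk removes the only design note this file had (`# Modules can't register hosts because of infinite recursion`), which looks like the very reason the argument changed from `hosts` to `hostNames`. Suggest keeping that rationale on the new signature, e.g. `# Takes host names rather than the hosts attrset so the module system can stay lazy (see recursion note)`, worded as the author intended if the cause differs. For the helper, a one-liner stating its contract would help callers: `# Order-independent name for a host pair: the lexically smaller name goes first, so hostPairName a b == hostPairName b a` (note that `this == other` yields "x-x"). Both hunks sit inside the `rec { ... }` that opens in the first hunk and is closed by the `}` ending the second.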
modifiedmodules/fleet/_modules.nixdiffbeforeafterboth
--- a/modules/fleet/_modules.nix
+++ b/modules/fleet/_modules.nix
@@ -1,4 +1,5 @@
 [
+  ./assertions.nix
   ./meta.nix
   ./secrets.nix
 ]
addedmodules/fleet/assertions.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/fleet/assertions.nix
@@ -0,0 +1,34 @@
+{ lib, ... }:
+
+with lib;
+
+{
+
+  options = {
+
+    assertions = mkOption {
+      type = types.listOf types.unspecified;
+      internal = true;
+      default = [ ];
+      example = [{ assertion = false; message = "you can't enable this for that reason"; }];
+      description = ''
+        This option allows modules to express conditions that must
+        hold for the evaluation of the system configuration to
+        succeed, along with associated error messages for the user.
+      '';
+    };
+
+    warnings = mkOption {
+      internal = true;
+      default = [ ];
+      type = types.listOf types.str;
+      example = [ "The `foo' service is deprecated and will go away soon!" ];
+      description = ''
+        This option allows modules to show warnings to users during
+        the evaluation of the system configuration.
+      '';
+    };
+
+  };
+  # impl of assertions is in <fleet/lib/default.nix>
+}
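Review bot: The closing comment defers enforcement of `assertions` to `<fleet/lib/default.nix>`, but the only view of that file on this page is the before version, which builds `root` via `evalModules` and never reads `assertions` or `warnings`; if the after side does not fold `assertions` into an evaluation failure, the new owners check in secrets.nix is a declaration with no effect. I cannot see the after side, so this is a request to confirm rather than a claim. `warnings` has no consumer visible anywhere in the commit and the comment names only assertions; suggest making it `# Consumed in <fleet/lib/default.nix>: failed assertions abort evaluation, warnings are traced` once that matches the implementation. The two descriptions are lifted from NixOS and say "system configuration", while here they gate the fleet evaluation; "fleet configuration" would be accurate.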
modifiedmodules/fleet/meta.nixdiffbeforeafterboth
--- a/modules/fleet/meta.nix
+++ b/modules/fleet/meta.nix
@@ -1,4 +1,4 @@
-{ lib, fleet, config, ... }: with lib;
+{ lib, fleetLib, config, ... }: with lib;
 let
   host = with types; {
     options = {
@@ -42,7 +42,7 @@
     };
   };
   config = {
-    hosts = fleet.hostsToAttrs (host: {
+    hosts = fleetLib.hostsToAttrs (host: {
       modules = config.globalModules;
     });
     globalModules = import ../../nixos/modules/module-list.nix;
modifiedmodules/fleet/secrets.nixdiffbeforeafterboth
--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -1,14 +1,23 @@
-{ lib, fleet, config, ... }: with lib;
+{ lib, fleetLib, config, ... }: with lib; with fleetLib;
 let
   sharedSecret = with types; {
     options = {
       owners = mkOption {
         type = listOf str;
         description = ''
+          For which owners this secret is currently encrypted,
+          if not matches expectedOwners - then this secret is considered outdated, and
+          should be regenerated/reencrypted
+        '';
+      };
+      expectedOwners = mkOption {
+        type = listOf str;
+        description = ''
           List of hosts to encrypt secret for
 
           Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
         '';
+        default = [ ];
       };
       generator = mkOption {
         type = package;
@@ -67,7 +76,13 @@
       description = "Host secrets";
     };
   };
-  config = with fleet; {
+  config = {
+    assertions = mapAttrsToList
+      (name: secret: {
+        assertion = builtins.sort (a: b: a < b) secret.owners == builtins.sort (a: b: a < b) secret.expectedOwners;
+        message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON secret.expectedOwners}, but it is encrypted for ${builtins.toJSON secret.owners}";
+      })
+      config.sharedSecrets;
     hosts = hostsToAttrs (host: {
       modules =
         let
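Review bot: The assertion in the second hunk compares sorted lists, so a host listed twice on one side (e.g. `owners = [ "a" "a" ]` vs `expectedOwners = [ "a" ]`) fails although the recipient set is the same; since `with lib` is already in scope, `assertion = sort (a: b: a < b) (unique secret.owners) == sort (a: b: a < b) (unique secret.expectedOwners);` compares sets and keeps the message unchanged. In the first hunk `expectedOwners` defaults to `[ ]` while `owners` has no default, so any secret that omits `expectedOwners` now fails with "expected to be encrypted for []", which reads as a mismatch rather than as a missing declaration; if forcing the declaration is intended, a sentence in the `expectedOwners` description saying so would help. The new file-scope `with fleetLib;` on the first line widens what the old `config = with fleet;` kept local, making it harder to tell which names come from `lib` and which from `fleetLib`; restoring the scoped form keeps the hunk's behaviour. The `config = { ... }` attrset opened in this hunk continues past its last line.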