feat shared secrets expected owners
in: trunk
7 files changed
crates/nixlike/Cargo.tomldiffbeforeafterboth
--- a/crates/nixlike/Cargo.toml
+++ b/crates/nixlike/Cargo.toml
@@ -4,7 +4,7 @@
edition = "2021"
[dependencies]
-dprint-core = "0.50.0"
+dprint-core = "0.51.0"
linked-hash-map = "0.5.4"
peg = "0.8.0"
serde = "1.0.130"
lib/default.nixdiffbeforeafterboth1{ flake-utils }: {1{ flake-utils }: {2 fleetConfiguration = { data, nixpkgs, hosts, ... }@allConfig:2 fleetConfiguration = { data, nixpkgs, hosts, ... }@allConfig:3 let3 let4 hostNames = nixpkgs.lib.attrNames hosts;4 config = builtins.removeAttrs allConfig [ "nixpkgs" "data" ];5 config = builtins.removeAttrs allConfig [ "nixpkgs" "data" ];5 fleetLib = import ./fleetLib.nix {6 fleetLib = import ./fleetLib.nix {6 inherit nixpkgs hosts;7 inherit nixpkgs hostNames;7 };8 };8 in9 in9 nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system: rec {10 nixpkgs.lib.genAttrs flake-utils.lib.defaultSystems (system:10 root = nixpkgs.lib.evalModules {11 let11 modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];12 root = nixpkgs.lib.evalModules {12 specialArgs = {13 modules = (import ../modules/fleet/_modules.nix) ++ [ config data ];13 inherit nixpkgs;14 specialArgs = {14 fleet = fleetLib;15 inherit nixpkgs fleetLib;15 };16 };16 };17 };18 failedAssertions = map (x: x.message) (nixpkgs.lib.filter (x: !x.assertion) root.config.assertions);19 rootAssertWarn =20 if failedAssertions != [ ]21 then throw "Failed assertions:\n${nixpkgs.lib.concatStringsSep "\n" (map (x: "- ${x}") failedAssertions)}"22 else nixpkgs.lib.showWarnings root.config.warnings root;23 in24 rec {17 configuredHosts = root.config.hosts;25 configuredHosts = rootAssertWarn.config.hosts;18 configuredSecrets = root.config.secrets;26 configuredSecrets = rootAssertWarn.config.secrets;19 configuredSystems = nixpkgs.lib.listToAttrs (27 configuredSystems = nixpkgs.lib.listToAttrs (20 map28 map21 (29 (36 })44 })37 ];45 ];38 specialArgs = {46 specialArgs = {47 inherit fleetLib;39 fleet = fleetLib.hostsToAttrs (host: configuredSystems.${host}.config);48 fleet = fleetLib.hostsToAttrs (host: configuredSystems.${host}.config);40 };49 };41 };50 };42 }51 }43 )52 )44 (builtins.attrNames root.config.hosts)53 (builtins.attrNames rootAssertWarn.config.hosts)45 ); 
#nixpkgs.lib.nixosSystem {}54 ); #nixpkgs.lib.nixosSystem {}46 });55 });47}56}lib/fleetLib.nixdiffbeforeafterboth
--- a/lib/fleetLib.nix
+++ b/lib/fleetLib.nix
@@ -1,7 +1,5 @@
# Shared functions for fleet configuration, available as `fleet` module argument
-{ nixpkgs, hosts }: with nixpkgs.lib; rec {
- # Modules can't register hosts because of infinite recursion
- hostNames = attrNames hosts;
+{ nixpkgs, hostNames }: with nixpkgs.lib; rec {
hostsToAttrs = f: listToAttrs (
map (name: { inherit name; value = f name; }) hostNames
);
@@ -25,4 +23,7 @@
a = elemAt sorted 0;
b = elemAt sorted 1;
};
+ hostPairName = this: other:
+ if this < other then "${this}-${other}"
+ else "${other}-${this}";
}
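Review bot: The removed comment `# Modules can't register hosts because of infinite recursion` was the only explanation of why host names are passed in instead of being derived from `hosts`, and the new argument set `{ nixpkgs, hostNames }` carries no replacement, so the next reader will be tempted to "simplify" it back. Suggest keeping a one-line note above the argument set, e.g. `# hostNames is supplied by the caller rather than taken from the hosts option: deriving it inside a module would recurse infinitely`. The new `hostPairName` orders the two names with `this < other`, which appears to repeat the ordering already done by the pair helper whose tail (`a = elemAt sorted 0; b = elemAt sorted 1;`) is visible just above it; that helper starts outside the hunk, but if it does return the sorted pair, building `hostPairName` on top of it keeps a single ordering rule for pair names.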
modules/fleet/_modules.nixdiffbeforeafterboth
--- a/modules/fleet/_modules.nix
+++ b/modules/fleet/_modules.nix
@@ -1,4 +1,5 @@
[
+ ./assertions.nix
./meta.nix
./secrets.nix
]
modules/fleet/assertions.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/fleet/assertions.nix
@@ -0,0 +1,34 @@
+{ lib, ... }:
+
+with lib;
+
+{
+
+ options = {
+
+ assertions = mkOption {
+ type = types.listOf types.unspecified;
+ internal = true;
+ default = [ ];
+ example = [{ assertion = false; message = "you can't enable this for that reason"; }];
+ description = ''
+ This option allows modules to express conditions that must
+ hold for the evaluation of the system configuration to
+ succeed, along with associated error messages for the user.
+ '';
+ };
+
+ warnings = mkOption {
+ internal = true;
+ default = [ ];
+ type = types.listOf types.str;
+ example = [ "The `foo' service is deprecated and will go away soon!" ];
+ description = ''
+ This option allows modules to show warnings to users during
+ the evaluation of the system configuration.
+ '';
+ };
+
+ };
+ # impl of assertions is in <fleet/lib/default.nix>
+}
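Review bot: `assertions` is declared as `types.listOf types.unspecified`, so an entry that lacks `assertion` or `message` is not rejected here; it only fails later when `lib/default.nix` reads those attributes, and the error then names a missing attribute rather than the option that was misdeclared. If this list does not need to stay interchangeable with NixOS-style assertion lists, a submodule type with `assertion = mkOption { type = types.bool; }` and `message = mkOption { type = types.str; }` would reject malformed entries at option-merge time with a clear message. The descriptions of both options speak of "the system configuration", but these options live in the fleet module set, not in a host's NixOS configuration; suggest "the fleet configuration" so they are not confused with the per-host options of the same name. The trailing comment could also say which attribute of the evaluated root is consumed, e.g. `# evaluated in lib/default.nix: failed assertions throw, warnings are printed via showWarnings`.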
modules/fleet/meta.nixdiffbeforeafterboth
--- a/modules/fleet/meta.nix
+++ b/modules/fleet/meta.nix
@@ -1,4 +1,4 @@
-{ lib, fleet, config, ... }: with lib;
+{ lib, fleetLib, config, ... }: with lib;
let
host = with types; {
options = {
@@ -42,7 +42,7 @@
};
};
config = {
- hosts = fleet.hostsToAttrs (host: {
+ hosts = fleetLib.hostsToAttrs (host: {
modules = config.globalModules;
});
globalModules = import ../../nixos/modules/module-list.nix;
modules/fleet/secrets.nixdiffbeforeafterboth
--- a/modules/fleet/secrets.nix
+++ b/modules/fleet/secrets.nix
@@ -1,14 +1,23 @@
-{ lib, fleet, config, ... }: with lib;
+{ lib, fleetLib, config, ... }: with lib; with fleetLib;
let
sharedSecret = with types; {
options = {
owners = mkOption {
type = listOf str;
description = ''
+ For which owners this secret is currently encrypted,
+ if not matches expectedOwners - then this secret is considered outdated, and
+ should be regenerated/reencrypted
+ '';
+ };
+ expectedOwners = mkOption {
+ type = listOf str;
+ description = ''
List of hosts to encrypt secret for
Secrets would be decrypted and stored to /run/secrets/$\{name} on owners
'';
+ default = [ ];
};
generator = mkOption {
type = package;
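Review bot: The new `owners` description reads as unfinished prose ("if not matches expectedOwners - then ...") and does not say what actually happens on a mismatch; since `expectedOwners` gets `default = [ ]` while `owners` keeps no default, a secret that declares `owners` without `expectedOwners` will fail the assertion added in the next hunk, which is worth stating where the user reads the option. Suggest for `owners`: `Hosts this secret is currently encrypted for. Must equal expectedOwners as a set; a mismatch fails evaluation and means the secret has to be regenerated or re-encrypted.` and, on `expectedOwners`, a sentence that it is the intended owner set and that the empty default combined with any declared owners fails. It would also help to say explicitly that the check flags a secret still encrypted for a host that has left `expectedOwners`, since that is the case that matters after a host is decommissioned. The second hunk of this file continues past the end of the visible diff.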
@@ -67,7 +76,13 @@
description = "Host secrets";
};
};
- config = with fleet; {
+ config = {
+ assertions = mapAttrsToList
+ (name: secret: {
+ assertion = builtins.sort (a: b: a < b) secret.owners == builtins.sort (a: b: a < b) secret.expectedOwners;
+ message = "Shared secret ${name} is expected to be encrypted for ${builtins.toJSON secret.expectedOwners}, but it is encrypted for ${builtins.toJSON secret.owners}";
+ })
+ config.sharedSecrets;
hosts = hostsToAttrs (host: {
modules =
let