feat use nixos module-list directly
in: trunk
3 files changed
modules/nixos.nixdiffbeforeafterboth38 let38 let39 inherit (hostArgs.config) system;39 inherit (hostArgs.config) system;40 in40 in41 config.nixpkgs.buildUsing.lib.nixosSystem {41 config.nixpkgs.buildUsing.lib.evalModules {42 inherit system;43 modules = [42 modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [44 (module // { key = "attr<host.nixos>"; })43 (module // { key = "attr<host.nixos>"; })45 (config.nixos // { key = "attr<fleet.nixos>"; })44 (config.nixos // { key = "attr<fleet.nixos>"; })46 ];45 ];57 "input is not a flake, perhaps flake = false was added to te input declaration?"56 "input is not a flake, perhaps flake = false was added to te input declaration?"58 )57 )59 ) inputs;58 ) inputs;60 self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (61 _fleetFlakeRootConfig.perInput system self62 );63 };59 };64 };60 };65 };61 };modules/nixos/secrets.nixdiffbeforeafterboth3 fleetLib,3 fleetLib,4 config,4 config,5 pkgs,5 pkgs,6 host,6 fleetConfiguration,7 fleetConfiguration,7 ...8 ...8}:9}:13 ;14 ;14 inherit (lib.stringsWithDeps) stringAfter;15 inherit (lib.stringsWithDeps) stringAfter;15 inherit (lib.options) mkOption literalExpression;16 inherit (lib.options) mkOption literalExpression;16 inherit (lib.lists) optional;17 inherit (lib.lists) optional elem;17 inherit (lib.attrsets) mapAttrs mapAttrsToList;18 inherit (lib.attrsets) mapAttrs mapAttrsToList;18 inherit (lib.modules) mkIf;19 inherit (lib.modules) mkIf;19 inherit (lib.types)20 inherit (lib.types)109 # C api is broken in regard to thunks110 # C api is broken in regard to thunks110 # https://github.com/NixOS/nix/issues/12800111 # https://github.com/NixOS/nix/issues/12800111 parts = let 112 parts = let 112 hostName = sysConfig.networking.hostName;113 hostName = host._module.args.name;113 generator = config.generator;114 generator = config.generator;114 in builtins.deepSeq [115 in builtins.deepSeq [115 hostName116 
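Review bot: The `system` value is still bound on line 39 of the new side but no longer reaches the evaluation on line 41, and the switch to `evalModules` over the raw `module-list.nix` drops what `nixosSystem` did with it: as far as I recall `nixosSystem` (through nixos/lib/eval-config.nix) sets the host platform from `system`, exposes `modulesPath` via `specialArgs`, and passes `baseModules`, none of which the plain `evalModules` call provides. Unless another module in the list sets `nixpkgs.hostPlatform`, the per-host platform selection driven by `hostArgs.config.system` is silently lost, and any module that imports relative to `modulesPath` will fail to evaluate. If the intent is to keep the host platform driven by the host config, add `{ nixpkgs.hostPlatform = system; }` to the module list and pass `specialArgs.modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules";` to `evalModules`, or drop the now-unused `system` binding if the platform is set elsewhere. The enclosing function and its `let` start outside this hunk.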
hostName154 assertions = mapAttrsToList (name: secret: let155 assertions = mapAttrsToList (name: secret: let155 hasSharedDefinition = fleetConfiguration.secrets ? name;156 hasSharedDefinition = fleetConfiguration.secrets ? name;156 in {157 in {157 assertion = (secret.definition.generator == "shared") == hasSharedDefinition;158 assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);158 message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"159 message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"159 else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";160 else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";160 }) config.secrets;161 }) config.secrets;161162162 systemd.services.fleet-install-secrets = mkIf useSysusers {163 systemd.services.fleet-install-secrets = mkIf useSysusers {modules/secrets.nixdiffbeforeafterboth22 {22 {23 options = {23 options = {24 expectedOwners = mkOption {24 expectedOwners = mkOption {25 type = nullOr (listOf str);25 type = listOf str;26 description = ''26 description = ''27 Specifies the list of hosts authorized to decrypt and access this shared secret.27 Specifies the list of hosts authorized to decrypt and access this shared secret.2829 When null, secret ownership is managed manually via fleet.nix and CLI.30 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.31 '';28 '';32 default = null;33 };29 };34 regenerateOnOwnerAdded = mkOption {30 
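Review bot: The new `assertion =` line parses differently than intended: in Nix `->` binds more loosely than `&&`, so it reads as `((secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition) -> elem …`, which is vacuously true whenever `hasSharedDefinition` is false and so discards the original generator/shared-definition consistency check in exactly the case it was written for. Parenthesize both conjuncts: `assertion = ((secret.definition.generator == "shared") == hasSharedDefinition) && (hasSharedDefinition -> elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);`. The message update also landed in the wrong branch: the `elem` condition can only fail when `hasSharedDefinition` is true, yet only the `else` (no shared definition) message mentions `expectedOwners`, so a host missing from the owner list is told the secret "has host-specific secret generator". Worth confirming while here, since the new `.${name}.expectedOwners` lookup is guarded by it: the unchanged `hasSharedDefinition = fleetConfiguration.secrets ? name` tests for an attribute literally called `name`; if the secret's `${name}` was meant, the guard is wrong and the lookup can throw for a real secret.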
regenerateOnOwnerAdded = mkOption {35 type = bool;31 type = bool;