feat use nixos module-list directly
in: trunk
3 files changed
modules/nixos.nixdiffbeforeafterboth1{2 lib,3 fleetLib,4 inputs,5 self,6 config,7 _fleetFlakeRootConfig,8 ...9}:10let11 inherit (lib.attrsets) mapAttrs;12 inherit (lib.options) mkOption;13 inherit (lib.types) deferredModule unspecified;14 inherit (lib.modules) mkRemovedOptionModule;15 inherit (lib.strings) escapeNixIdentifier;16 inherit (fleetLib.options) mkHostsOption;1718 _file = ./nixos.nix;19in20{21 options = {22 nixos = mkOption {23 description = ''24 Shared nixos configuration module for all hosts.25 '';26 type = deferredModule;27 };28 hosts = mkHostsOption (hostArgs: {29 inherit _file;30 options = {31 nixos = mkOption {32 description = ''33 Nixos configuration for the current host.34 '';35 type = deferredModule;36 apply =37 module:38 let39 inherit (hostArgs.config) system;40 in41 config.nixpkgs.buildUsing.lib.evalModules {42 modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [43 (module // { key = "attr<host.nixos>"; })44 (config.nixos // { key = "attr<fleet.nixos>"; })45 ];46 specialArgs = {47 inherit fleetLib inputs self;48 inputs' = mapAttrs (49 inputName: input:50 builtins.addErrorContext51 "while retrieving system-dependent attributes for input ${escapeNixIdentifierinputName}"52 (53 if input._type or null == "flake" then54 _fleetFlakeRootConfig.perInput system input55 else56 "input is not a flake, perhaps flake = false was added to te input declaration?"57 )58 ) inputs;59 };60 };61 };62 nixos_unchecked = mkOption {63 type = unspecified;64 };65 };66 config = {67 # imports = [68 # (mkRemovedOptionModule ["nixosModules"] "replaced with hosts.*.nixos.imports.")69 # ];70 nixos = {71 config._module.args = {72 nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;73 hosts = config.hosts;74 host = hostArgs.config;75 fleetConfiguration = config;76 };77 };78 nixos_unchecked = hostArgs.config.nixos.extendModules {79 modules = [80 {81 _module.check = false;82 }83 ];84 };85 };86 });87 };88 imports = [89 
(mkRemovedOptionModule [ "nixosModules" ] "replaced with nixos.imports.")90 ];91 config.nixos.imports = import ./nixos/module-list.nix;92}modules/nixos/secrets.nixdiffbeforeafterboth--- a/modules/nixos/secrets.nix
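Review bot: The `evalModules` call at rendered lines 41–59 feeds nixpkgs' `nixos/modules/module-list.nix` in directly, but its `specialArgs` (lines 46–59) only provide `fleetLib`, `inputs`, `self` and `inputs'`, whereas nixpkgs' own `eval-config.nix` also passes `modulesPath`; any host module that takes a `modulesPath` argument (generated `hardware-configuration.nix` files typically import `(modulesPath + "/installer/scan/not-detected.nix")`) will then fail evaluation with a missing-argument error unless that argument is supplied somewhere not shown here. Consider adding `modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules";` to `specialArgs` next to `inherit fleetLib inputs self;`. Separately, the commented-out `imports` block at lines 67–69 duplicates the live `mkRemovedOptionModule` at lines 88–90 (with a different message) and should be deleted rather than left as dead code. This view renders the file without old/new markers, so which of these lines the commit itself introduced cannot be told from here.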
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
fleetLib,
config,
pkgs,
+ host,
fleetConfiguration,
...
}:
@@ -13,7 +14,7 @@
;
inherit (lib.stringsWithDeps) stringAfter;
inherit (lib.options) mkOption literalExpression;
- inherit (lib.lists) optional;
+ inherit (lib.lists) optional elem;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.modules) mkIf;
inherit (lib.types)
@@ -109,7 +110,7 @@
# C api is broken in regard to thunks
# https://github.com/NixOS/nix/issues/12800
parts = let
- hostName = sysConfig.networking.hostName;
+ hostName = host._module.args.name;
generator = config.generator;
in builtins.deepSeq [
hostName
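Review bot: `hostName` on the `+` line is now the host's attribute name in the fleet configuration (`host._module.args.name`) rather than the machine's `networking.hostName`, and the two may legitimately differ, so the choice deserves a why-comment where `parts` is built: `# fleet host attribute name, not networking.hostName: this is the identity compared against shared-secret expectedOwners`. That the same value is what the ownership check compares is visible in the assertion hunk below, which uses the identical `host._module.args.name` expression. The `parts` binding belongs to a definition that starts and ends outside this hunk.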
@@ -154,9 +155,9 @@
assertions = mapAttrsToList (name: secret: let
hasSharedDefinition = fleetConfiguration.secrets ? name;
in {
- assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+ assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
- else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+ else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
}) config.secrets;
systemd.services.fleet-install-secrets = mkIf useSysusers {
modules/secrets.nixdiffbeforeafterboth--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -22,14 +22,10 @@
{
options = {
expectedOwners = mkOption {
- type = nullOr (listOf str);
+ type = listOf str;
description = ''
Specifies the list of hosts authorized to decrypt and access this shared secret.
-
- When null, secret ownership is managed manually via fleet.nix and CLI.
- Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.
'';
- default = null;
};
regenerateOnOwnerAdded = mkOption {
type = bool;
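Review bot: `expectedOwners` becomes a required `listOf str` with no default on the `+` line, so every existing shared secret that relied on the removed `null` default now fails evaluation with a missing-definition error, and the option description does not say so. An empty list is still accepted by the type; given the per-host `elem` check in modules/nixos/secrets.nix, a shared secret with `expectedOwners = []` makes every host that declares it fail its assertion, and a misspelled owner name is not detected anywhere in this hunk, it simply never matches. Suggest the description: `Specifies the list of hosts authorized to decrypt and access this shared secret. This option is required; entries are host attribute names from the fleet hosts set, and a host not listed here fails its secrets assertion.` If empty or unknown owner names should be rejected up front, a fleet-level assertion comparing the entries against the declared hosts is needed. The option set continues outside the hunk.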