feat use nixos module-list directly
in: trunk
3 files changed
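--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
 let
 inherit (hostArgs.config) system;
 in
-config.nixpkgs.buildUsing.lib.nixosSystem {
-inherit system;
-modules = [
+config.nixpkgs.buildUsing.lib.evalModules {
+modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
 (module // { key = "attr<host.nixos>"; })
 (config.nixos // { key = "attr<fleet.nixos>"; })
 ];
@@ -57,9 +56,6 @@
 "input is not a flake, perhaps flake = false was added to te input declaration?"
 )
 ) inputs;
-self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
-_fleetFlakeRootConfig.perInput system self
-);
 };
 };
 };
--- a/modules/nixos/secrets.nix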
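Review bot: In modules/nixos.nix the new side still binds `inherit (hostArgs.config) system;` in the `let`, but after `inherit system;` was dropped from the set passed to `evalModules` nothing left in the hunk uses it. `lib.nixosSystem` presumably derived the target platform (and the `modulesPath` special arg) from that `system`; with `evalModules` over `module-list.nix` the modules have to set `nixpkgs.hostPlatform` themselves, so if neither `module` nor `config.nixos` does, add `{ nixpkgs.hostPlatform = system; }` to the module list, otherwise remove the unused binding. The second hunk deletes `self'` from the per-input outputs, and any remaining reader of `self'` outside this hunk would now fail with a missing attribute. The `let` at the top of the first hunk belongs to an expression that starts before it, and the closing `};` lines run to its end.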
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
fleetLib,
config,
pkgs,
+ host,
fleetConfiguration,
...
}:
@@ -13,7 +14,7 @@
;
inherit (lib.stringsWithDeps) stringAfter;
inherit (lib.options) mkOption literalExpression;
- inherit (lib.lists) optional;
+ inherit (lib.lists) optional elem;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.modules) mkIf;
inherit (lib.types)
@@ -109,7 +110,7 @@
# C api is broken in regard to thunks
# https://github.com/NixOS/nix/issues/12800
parts = let
- hostName = sysConfig.networking.hostName;
+ hostName = host._module.args.name;
generator = config.generator;
in builtins.deepSeq [
hostName
@@ -154,9 +155,9 @@
assertions = mapAttrsToList (name: secret: let
hasSharedDefinition = fleetConfiguration.secrets ? name;
in {
- assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+ assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
- else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+ else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
}) config.secrets;
systemd.services.fleet-install-secrets = mkIf useSysusers {
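Review bot: The new `assertion =` line in the last hunk silences the checks the old one made, because in Nix `->` binds looser than both `==` and `&&`, so it parses as `((generator == "shared") == hasSharedDefinition && hasSharedDefinition) -> elem …`, which is true whenever the antecedent is false, including every mismatch the old assertion rejected. Parenthesize the two conjuncts: `assertion = ((secret.definition.generator == "shared") == hasSharedDefinition) && (hasSharedDefinition -> elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);`. The added expectedOwners wording went into the `else` message, which is shown only when `hasSharedDefinition` is false, i.e. when the owner clause cannot have fired; the missing-owner explanation belongs with the `then` branch or a third branch keyed on the `elem` result. The context line `hasSharedDefinition = fleetConfiguration.secrets ? name;` tests for an attribute literally named `name` rather than `${name}`, so the owner check presumably never runs for real secret names unless that becomes `fleetConfiguration.secrets ? ${name}`. The module body that holds `assertions` starts before the hunk.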
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -22,14 +22,10 @@
{
options = {
expectedOwners = mkOption {
- type = nullOr (listOf str);
+ type = listOf str;
description = ''
Specifies the list of hosts authorized to decrypt and access this shared secret.
-
- When null, secret ownership is managed manually via fleet.nix and CLI.
- Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.
'';
- default = null;
};
regenerateOnOwnerAdded = mkOption {
type = bool;
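Review bot: Removing `default = null;` without a replacement makes `expectedOwners` a required option, so a fleet configuration that declares a shared secret without it now fails evaluation with a missing-definition error before the per-host assertion added in modules/nixos/secrets.nix ever runs; if that is intended, say so in the description, e.g. `Required; a host not listed here fails the shared-secret assertion in its own NixOS evaluation.` The deleted sentence `Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.` documents the storage path, which is unrelated to dropping null and is worth keeping. The enclosing `options` set and the `regenerateOnOwnerAdded` option continue past the hunk.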