feat use nixos module-list directly
in: trunk
3 files changed
modules/nixos.nixdiffbeforeafterboth--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
let
inherit (hostArgs.config) system;
in
- config.nixpkgs.buildUsing.lib.nixosSystem {
- inherit system;
- modules = [
+ config.nixpkgs.buildUsing.lib.evalModules {
+ modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
(module // { key = "attr<host.nixos>"; })
(config.nixos // { key = "attr<fleet.nixos>"; })
];
@@ -57,9 +56,6 @@
"input is not a flake, perhaps flake = false was added to te input declaration?"
)
) inputs;
- self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
- _fleetFlakeRootConfig.perInput system self
- );
};
};
};
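Review bot: After `inherit system;` is dropped at the `nixosSystem` call, the `system` bound by the `let` at the top of the first hunk has no remaining use in the hunk, and nothing visible hands the target platform to `evalModules`; `lib.nixosSystem` turned that argument into `nixpkgs.hostPlatform` and `eval-config.nix` also supplied the `modulesPath` specialArg that many modules in `module-list.nix` reference, so unless `module` or `config.nixos` sets these themselves, evaluation is likely to fail or pick the wrong platform. Consider adding `{ nixpkgs.hostPlatform = system; }` to the module list and `specialArgs = { modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules"; };` next to `modules`, or otherwise remove the now-dead `let` binding. The enclosing expression starts before the hunk, so `system` may still be used elsewhere in the file; worth a grep before deleting it.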
modules/nixos/secrets.nixdiffbeforeafterboth3 fleetLib,3 fleetLib,4 config,4 config,5 pkgs,5 pkgs,6 host,6 fleetConfiguration,7 fleetConfiguration,7 ...8 ...8}:9}:13 ;14 ;14 inherit (lib.stringsWithDeps) stringAfter;15 inherit (lib.stringsWithDeps) stringAfter;15 inherit (lib.options) mkOption literalExpression;16 inherit (lib.options) mkOption literalExpression;16 inherit (lib.lists) optional;17 inherit (lib.lists) optional elem;17 inherit (lib.attrsets) mapAttrs mapAttrsToList;18 inherit (lib.attrsets) mapAttrs mapAttrsToList;18 inherit (lib.modules) mkIf;19 inherit (lib.modules) mkIf;19 inherit (lib.types)20 inherit (lib.types)109 # C api is broken in regard to thunks110 # C api is broken in regard to thunks110 # https://github.com/NixOS/nix/issues/12800111 # https://github.com/NixOS/nix/issues/12800111 parts = let 112 parts = let 112 hostName = sysConfig.networking.hostName;113 hostName = host._module.args.name;113 generator = config.generator;114 generator = config.generator;114 in builtins.deepSeq [115 in builtins.deepSeq [115 hostName116 hostName154 assertions = mapAttrsToList (name: secret: let155 assertions = mapAttrsToList (name: secret: let155 hasSharedDefinition = fleetConfiguration.secrets ? name;156 hasSharedDefinition = fleetConfiguration.secrets ? 
name;156 in {157 in {157 assertion = (secret.definition.generator == "shared") == hasSharedDefinition;158 assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);158 message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"159 message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"159 else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";160 else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";160 }) config.secrets;161 }) config.secrets;161162162 systemd.services.fleet-install-secrets = mkIf useSysusers {163 systemd.services.fleet-install-secrets = mkIf useSysusers {modules/secrets.nixdiffbeforeafterboth--- a/modules/secrets.nix
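Review bot: The new `assertion =` line in the `assertions` block (new line 158) does not check what its message promises, because `->` binds loosest in Nix: `A == B && C -> D` parses as `((A == B) && C) -> D`, so whenever the generator-kind comparison is false the implication is vacuously true and the original shared/host-specific mismatch check is silently disabled, while the ownership check only runs when all of the left side holds. Parenthesise it: `assertion = ((secret.definition.generator == "shared") == hasSharedDefinition) && (hasSharedDefinition -> elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);`. The unchanged context line just above it, `hasSharedDefinition = fleetConfiguration.secrets ? name;`, tests for an attribute literally called `name` rather than the secret being iterated, which looks like a pre-existing slip that now also keeps the `expectedOwners` check from ever running unless a secret named `name` exists; `hasSharedDefinition = fleetConfiguration.secrets ? ${name};` is presumably what was meant. `host._module.args.name` relies on the `host` argument added to the module's function header at the top of this file section.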
+++ b/modules/secrets.nix
@@ -22,14 +22,10 @@
{
options = {
expectedOwners = mkOption {
- type = nullOr (listOf str);
+ type = listOf str;
description = ''
Specifies the list of hosts authorized to decrypt and access this shared secret.
-
- When null, secret ownership is managed manually via fleet.nix and CLI.
- Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.
'';
- default = null;
};
regenerateOnOwnerAdded = mkOption {
type = bool;
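Review bot: Removing `default = null;` together with the `nullOr` means `expectedOwners` is now a required option for every shared secret, so existing fleet configurations that relied on the null default will presumably fail to evaluate with an option-used-but-not-defined error rather than get a deliberate migration path; if that is intended, the description should say the list is mandatory, otherwise `default = [ ];` keeps old configurations evaluating while the new ownership assertion still refuses to install the secret on any host not listed. The sentence `Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.` was dropped along with the null paragraph although it appears to describe the new side as well; consider keeping it in the description.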