feat use nixos module-list directly
in: trunk
3 files changed
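--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
 let
 inherit (hostArgs.config) system;
 in
-config.nixpkgs.buildUsing.lib.nixosSystem {
-inherit system;
-modules = [
+config.nixpkgs.buildUsing.lib.evalModules {
+modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
 (module // { key = "attr<host.nixos>"; })
 (config.nixos // { key = "attr<fleet.nixos>"; })
 ];
@@ -57,9 +56,6 @@
 "input is not a flake, perhaps flake = false was added to te input declaration?"
 )
 ) inputs;
-self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
-_fleetFlakeRootConfig.perInput system self
-);
 };
 };
 };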
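Review bot: With `lib.evalModules` replacing `lib.nixosSystem` in the first hunk, the `system` still bound by `inherit (hostArgs.config) system;` is no longer passed into the evaluation, and as far as I recall evalModules neither sets `nixpkgs.hostPlatform`/`nixpkgs.system` from it nor injects the `modulesPath` special argument that nixosSystem's eval-config.nix supplies; unless `module` or `config.nixos` provides those, the appended module-list evaluates without a host platform and any module that references `modulesPath` fails. The second hunk removes `self'`, one visible user of `system`, so the `let … system … in` binding may now be dead — worth checking, since the enclosing expression starts before the hunk and I cannot see its other uses. If dropping the platform wiring is intended, a one-line comment above the `evalModules` call such as `# host platform comes from the host module; evalModules does not set nixpkgs.hostPlatform` would save the next reader the question.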
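--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
 fleetLib,
 config,
 pkgs,
+host,
 fleetConfiguration,
 ...
 }:
@@ -13,7 +14,7 @@
 ;
 inherit (lib.stringsWithDeps) stringAfter;
 inherit (lib.options) mkOption literalExpression;
-inherit (lib.lists) optional;
+inherit (lib.lists) optional elem;
 inherit (lib.attrsets) mapAttrs mapAttrsToList;
 inherit (lib.modules) mkIf;
 inherit (lib.types)
@@ -109,7 +110,7 @@
 # C api is broken in regard to thunks
 # https://github.com/NixOS/nix/issues/12800
 parts = let
-hostName = sysConfig.networking.hostName;
+hostName = host._module.args.name;
 generator = config.generator;
 in builtins.deepSeq [
 hostName
@@ -154,9 +155,9 @@
 assertions = mapAttrsToList (name: secret: let
 hasSharedDefinition = fleetConfiguration.secrets ? name;
 in {
-assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
 message = if hasSharedDefinition then
 "secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
-else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
 }) config.secrets;
 systemd.services.fleet-install-secrets = mkIf useSysusers {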
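Review bot: The new `assertion = …` line in the last hunk does not enforce what its message describes, because in Nix `->` binds looser than both `&&` and `==`, so the expression parses as `((… == "shared") == hasSharedDefinition && hasSharedDefinition) -> elem …`; whenever the generator/shared-definition pair is inconsistent the antecedent is false and the implication is vacuously true, which silently drops the consistency check the removed line enforced. Parenthesise the implication: `assertion = ((secret.definition.generator == "shared") == hasSharedDefinition) && (hasSharedDefinition -> elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);`. The message was also extended on the wrong branch: the `expectedOwners` clause can only fail when `hasSharedDefinition` is true, so "and expectedOwners should contain this host" belongs on the `then` message, and the `else` message should keep its previous wording. Separately, the unchanged context line `hasSharedDefinition = fleetConfiguration.secrets ? name;` tests for an attribute literally named `name` rather than `${name}`; unless that is intended, the ownership check this hunk adds would never run for a real secret, so it is worth confirming since that line gates it.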
modules/secrets.nixdiffbeforeafterboth1{2 lib,3 ...4}:5let6 inherit (lib.options) mkOption literalExpression;7 inherit (lib.types)8 nullOr9 listOf10 str11 bool12 attrsOf13 submodule14 functionTo15 package16 uniq17 ;18 inherit (lib.strings) concatStringsSep;1920 sharedSecret =21 { config, ... }:22 {23 options = {24 expectedOwners = mkOption {25 type = listOf str;26 description = ''27 Specifies the list of hosts authorized to decrypt and access this shared secret.28 '';29 };30 regenerateOnOwnerAdded = mkOption {31 type = bool;32 description = ''33 Controls whether the secret must be regenerated when new owners are added.3435 Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).36 When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.37 '';38 };39 regenerateOnOwnerRemoved = mkOption {40 default = config.regenerateOnOwnerAdded;41 defaultText = literalExpression "regenerateOnOwnerAdded";42 type = bool;43 description = ''44 Determines secret behavior when owners are removed from the configuration.4546 Typically mirrors regenerateOnOwnerAdded. 
Override cautiously.47 Set to false if host permissions are revoked through alternative mechanisms like firewall rules.48 '';49 };50 allowDifferent = mkOption {51 type = bool;52 description = ''53 When adding owner, do not update secret value for other owners, instead creating a new distribution54 '';55 };56 generator = mkOption {57 type = uniq (nullOr (functionTo package));58 description = ''59 Function evaluating to nix derivation responsible for (re)generating the secret's content.6061 An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,62 use `mkSecretGenerator` helpers to implement own generators.63 '';64 default = null;65 };66 };67 };68in69{70 options = {71 secrets = mkOption {72 type = attrsOf (submodule sharedSecret);73 default = { };74 description = "Collection of secrets shared across multiple hosts with configurable ownership";75 };76 };77 config = {78 nixpkgs.overlays = [79 (final: prev: {80 mkSecretGenerators =81 { recipients }:82 rec {83 # TODO: Merge both generators to one with consistent options syntax?84 # Impure generator is built on local machine, then built closure is copied to remote machine,85 # and then it is ran in inpure context, so that this generator may access HSMs and other things.86 mkImpureSecretGenerator =87 {88 script,89 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD90 # (Some secrets-encryption-in-git/managed PKI solution is expected)91 impureOn ? null,92 parts,93 }:94 (prev.writeShellScript "impureGenerator.sh" ''95 #!/bin/sh96 set -eu9798 export GENERATOR_HELPER_IDENTITIES="${concatStringsSep"\n"recipients}";99 export PATH=${final.fleet-generator-helper}/bin:$PATH100101 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?102 tmp=mktemp-d103 cd $tmp104 # cd /var/empty105106 created_at=date-u"%Y-%m-%dT%H:%M:%S.%NZ"107108 ${script}109110 if ! 
test -d $out; then111 echo "impure generator script did not produce expected \$out output"112 exit 1113 fi114115 echo -n $created_at > $out/created_at116 echo -n SUCCESS > $out/marker117 '').overrideAttrs118 (old: {119 passthru = {120 inherit impureOn parts;121 generatorKind = "impure";122 };123 });124 # Pure generators are disabled for now125 mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };126127 # TODO: Implement consistent naming128 # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...129 # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.130 # mkSecretGenerator = {script}:131 # (prev.writeShellScript "generator.sh" ''132 # #!/bin/sh133 # set -eu134 # # TODO: make nix daemon build secret, not just the script.135 # cd /var/empty136 #137 # created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")138 #139 # ${script}140 # if ! test -d $out; then141 # echo "impure generator script did not produce expected \$out output"142 # exit 1143 # fi144 #145 # echo -n $created_at > $out/created_at146 # echo -n SUCCESS > $out/marker147 # '')148 # .overrideAttrs (old: {149 # passthru = {150 # generatorKind = "pure";151 # };152 # # TODO: make nix daemon build secret, not just the script.153 # # __impure = true;154 # });155 };156 })157 ];158 };159}
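Review bot: The impure generator script in `mkImpureSecretGenerator` (listing lines 101–103) creates a temporary directory, changes into it and never removes it, so whatever `${script}` leaves in the working directory — which for a secret generator may be plaintext intermediate material — persists on the generating machine after the run, and under `set -eu` a failing step exits without cleanup either. The TODO above it acknowledges that secure erasure is still open; as a minimum, register removal right after creation and quote the path: `tmp=$(mktemp -d)`, `trap 'rm -rf "$tmp"' EXIT`, `cd "$tmp"`. This section is rendered as a full listing without change markers, so I cannot tell which of its lines the commit touches; if the script is untouched here, treat this as a follow-up. As rendered, `tmp=mktemp-d` and `created_at=date-u…` appear to have lost their `$( … )` in extraction rather than in the source, so I am not raising that.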