feat use nixos module-list directly
in: trunk
3 files changed
modules/nixos.nixdiffbeforeafterboth
--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
let
inherit (hostArgs.config) system;
in
- config.nixpkgs.buildUsing.lib.nixosSystem {
- inherit system;
- modules = [
+ config.nixpkgs.buildUsing.lib.evalModules {
+ modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
(module // { key = "attr<host.nixos>"; })
(config.nixos // { key = "attr<fleet.nixos>"; })
];
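Review bot: `system` is still bound in the `let` above (`inherit (hostArgs.config) system;`) but nothing in the new `evalModules` call consumes it, whereas `nixosSystem` previously received it via `inherit system` and — if I recall nixpkgs' wrapper correctly — turned it into a default for the target platform, set `class = "nixos"` and exposed `modulesPath` as a special argument. With a bare `evalModules` plus `module-list.nix`, a host that does not set `nixpkgs.hostPlatform` itself will presumably fail evaluation, and any module doing `import "${modulesPath}/…"` (the standard NixOS idiom) hits an undefined variable. Unless these are supplied further down the call (it closes outside the hunk), add `class = "nixos"; specialArgs = { modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules"; };` and append `{ nixpkgs.hostPlatform = config.nixpkgs.buildUsing.lib.mkDefault system; }` to the module list, or drop the now-dead `system` binding if the platform is intentionally set elsewhere.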
@@ -57,9 +56,6 @@
"input is not a flake, perhaps flake = false was added to te input declaration?"
)
) inputs;
- self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
- _fleetFlakeRootConfig.perInput system self
- );
};
};
};
modules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
fleetLib,
config,
pkgs,
+ host,
fleetConfiguration,
...
}:
@@ -13,7 +14,7 @@
;
inherit (lib.stringsWithDeps) stringAfter;
inherit (lib.options) mkOption literalExpression;
- inherit (lib.lists) optional;
+ inherit (lib.lists) optional elem;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.modules) mkIf;
inherit (lib.types)
@@ -109,7 +110,7 @@
# C api is broken in regard to thunks
# https://github.com/NixOS/nix/issues/12800
parts = let
- hostName = sysConfig.networking.hostName;
+ hostName = host._module.args.name;
generator = config.generator;
in builtins.deepSeq [
hostName
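Review bot: `hostName` switches from `sysConfig.networking.hostName` to the fleet attribute name `host._module.args.name`, and that value is the first entry of the `deepSeq`'d `parts` list, so for any existing host whose fleet attribute name differs from its `networking.hostName` the generator input changes and the secret is presumably regenerated or no longer matches previously generated data. That may well be intended, but it deserves a line at the new binding: `# fleet host attribute name, not networking.hostName: this is part of the generator input, so renaming a host changes its host-specific secrets`. The same `host._module.args.name` expression is repeated in the assertion further down; binding it once in the module's `let` would keep the two uses in step. The `parts` expression continues outside the hunk.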
@@ -154,9 +155,9 @@
assertions = mapAttrsToList (name: secret: let
hasSharedDefinition = fleetConfiguration.secrets ? name;
in {
- assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+ assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
- else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+ else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
}) config.secrets;
systemd.services.fleet-install-secrets = mkIf useSysusers {
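Review bot: The new `assertion` parses as `((isShared == hasSharedDefinition) && hasSharedDefinition) -> elem …` because `->` binds loosest in Nix, which makes both original failure cases unreachable: with no shared definition the left side is `false` and the implication holds vacuously, and a host-specific generator paired with a shared definition likewise yields `false -> …`. The only case that can still fail — shared, defined, host missing from `expectedOwners` — then prints the `hasSharedDefinition` branch about host-specific generators, while the new `expectedOwners` wording sits in the `else` branch that can no longer be reached. Two further problems feed into this: `expectedOwners` is declared `nullOr (listOf str)` with a null default in modules/secrets.nix, so `elem … null` aborts evaluation instead of failing the assertion, and the context line `fleetConfiguration.secrets ? name` tests for a literal attribute called `name` rather than `${name}`, so `hasSharedDefinition` is false for every secret unless the fleet config happens to define one named `name`. A rewrite that parenthesizes the implication, treats null owners as "managed manually" per the option's description, and picks the message per case:
```nix
  assertions = mapAttrsToList (name: secret: let
    hasSharedDefinition = fleetConfiguration.secrets ? ${name};
    isShared = secret.definition.generator == "shared";
    hostName = host._module.args.name;
    # expectedOwners is nullOr (listOf str); null means ownership is managed manually, so it is not enforced here
    owners = if hasSharedDefinition then fleetConfiguration.secrets.${name}.expectedOwners else null;
    hostIsOwner = owners == null || elem hostName owners;
  in {
    assertion = (isShared == hasSharedDefinition) && (hasSharedDefinition -> hostIsOwner);
    message =
      if isShared && !hasSharedDefinition then "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator"
      else if !isShared && hasSharedDefinition then "secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
      else "secret ${name} is shared, but expectedOwners of its fleet configuration does not contain host ${hostName}";
  }) config.secrets;
```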
modules/secrets.nixdiffbeforeafterboth1{2 lib,3 ...4}:5let6 inherit (lib.options) mkOption literalExpression;7 inherit (lib.types)8 nullOr9 listOf10 str11 bool12 attrsOf13 submodule14 functionTo15 package16 uniq17 ;18 inherit (lib.strings) concatStringsSep;1920 sharedSecret =21 { config, ... }:22 {23 options = {24 expectedOwners = mkOption {25 type = nullOr (listOf str);26 description = ''27 Specifies the list of hosts authorized to decrypt and access this shared secret.2829 When null, secret ownership is managed manually via fleet.nix and CLI.30 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.31 '';32 default = null;33 };34 regenerateOnOwnerAdded = mkOption {35 type = bool;36 description = ''37 Controls whether the secret must be regenerated when new owners are added.3839 Set to true when the secret contains owner-specific references (e.g., X.509 Subject Alternative Names).40 When true, adding a new owner will trigger secret regeneration instead of simple re-encryption.41 '';42 };43 regenerateOnOwnerRemoved = mkOption {44 default = config.regenerateOnOwnerAdded;45 defaultText = literalExpression "regenerateOnOwnerAdded";46 type = bool;47 description = ''48 Determines secret behavior when owners are removed from the configuration.4950 Typically mirrors regenerateOnOwnerAdded. 
Override cautiously.51 Set to false if host permissions are revoked through alternative mechanisms like firewall rules.52 '';53 };54 allowDifferent = mkOption {55 type = bool;56 description = ''57 When adding owner, do not update secret value for other owners, instead creating a new distribution58 '';59 };60 generator = mkOption {61 type = uniq (nullOr (functionTo package));62 description = ''63 Function evaluating to nix derivation responsible for (re)generating the secret's content.6465 An input to this function - `pkgs` of a generator host with implementation-defined representation of extra encryption data,66 use `mkSecretGenerator` helpers to implement own generators.67 '';68 default = null;69 };70 };71 };72in73{74 options = {75 secrets = mkOption {76 type = attrsOf (submodule sharedSecret);77 default = { };78 description = "Collection of secrets shared across multiple hosts with configurable ownership";79 };80 };81 config = {82 nixpkgs.overlays = [83 (final: prev: {84 mkSecretGenerators =85 { recipients }:86 rec {87 # TODO: Merge both generators to one with consistent options syntax?88 # Impure generator is built on local machine, then built closure is copied to remote machine,89 # and then it is ran in inpure context, so that this generator may access HSMs and other things.90 mkImpureSecretGenerator =91 {92 script,93 # If set - script will be run on remote machine, otherwise it will be run with fleet project in CWD94 # (Some secrets-encryption-in-git/managed PKI solution is expected)95 impureOn ? null,96 parts,97 }:98 (prev.writeShellScript "impureGenerator.sh" ''99 #!/bin/sh100 set -eu101102 export GENERATOR_HELPER_IDENTITIES="${concatStringsSep"\n"recipients}";103 export PATH=${final.fleet-generator-helper}/bin:$PATH104105 # TODO: Provide tempdir from outside, to make it securely erasurable as needed?106 tmp=mktemp-d107 cd $tmp108 # cd /var/empty109110 created_at=date-u"%Y-%m-%dT%H:%M:%S.%NZ"111112 ${script}113114 if ! 
test -d $out; then115 echo "impure generator script did not produce expected \$out output"116 exit 1117 fi118119 echo -n $created_at > $out/created_at120 echo -n SUCCESS > $out/marker121 '').overrideAttrs122 (old: {123 passthru = {124 inherit impureOn parts;125 generatorKind = "impure";126 };127 });128 # Pure generators are disabled for now129 mkSecretGenerator = { script, parts }: mkImpureSecretGenerator { inherit script parts; };130131 # TODO: Implement consistent naming132 # Pure secret generator is supposed to be run entirely by nix, using `__impure` derivation type...133 # But for now, it is ran the same way as `impureSecretGenerator`, but on the local machine.134 # mkSecretGenerator = {script}:135 # (prev.writeShellScript "generator.sh" ''136 # #!/bin/sh137 # set -eu138 # # TODO: make nix daemon build secret, not just the script.139 # cd /var/empty140 #141 # created_at=$(date -u +"%Y-%m-%dT%H:%M:%S.%NZ")142 #143 # ${script}144 # if ! test -d $out; then145 # echo "impure generator script did not produce expected \$out output"146 # exit 1147 # fi148 #149 # echo -n $created_at > $out/created_at150 # echo -n SUCCESS > $out/marker151 # '')152 # .overrideAttrs (old: {153 # passthru = {154 # generatorKind = "pure";155 # };156 # # TODO: make nix daemon build secret, not just the script.157 # # __impure = true;158 # });159 };160 })161 ];162 };163}
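Review bot: The impure generator script in `mkImpureSecretGenerator` (listing lines 98–121) creates a temporary directory with `mktemp -d`, `cd`s into it and runs the caller-supplied `${script}` there, but never removes it, so any plaintext or key material the script writes outside `$out` stays on disk after the run — the `TODO` on line 105 acknowledges the problem but nothing enforces cleanup. Adding `trap 'rm -rf -- "$tmp"' EXIT` directly after the `mktemp -d` line, and quoting the expansions (`cd "$tmp"`, `> "$out/created_at"`, `> "$out/marker"`), would at least guarantee removal on every exit path; secure erasure in the sense the TODO wants would still need the externally provided (e.g. tmpfs) directory it mentions. The listing carries no change markers, so I cannot tell which of these lines this commit actually touched; if the script is unchanged, treat this as a follow-up.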