feat use nixos module-list directly
in: trunk
3 files changed
modules/nixos.nixdiffbeforeafterboth
--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -38,9 +38,8 @@
let
inherit (hostArgs.config) system;
in
- config.nixpkgs.buildUsing.lib.nixosSystem {
- inherit system;
- modules = [
+ config.nixpkgs.buildUsing.lib.evalModules {
+ modules = (import "${config.nixpkgs.buildUsing}/nixos/modules/module-list.nix") ++ [
(module // { key = "attr<host.nixos>"; })
(config.nixos // { key = "attr<fleet.nixos>"; })
];
@@ -57,9 +56,6 @@
"input is not a flake, perhaps flake = false was added to te input declaration?"
)
) inputs;
- self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (
- _fleetFlakeRootConfig.perInput system self
- );
};
};
};
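Review bot: Replacing `nixosSystem` with a bare `evalModules` in the first hunk (L11–L15) drops more than the module list it now imports by hand: `system` is still bound at L9 but is no longer passed anywhere visible, and, if I read nixpkgs correctly, the `nixosSystem`/`eval-config.nix` path also supplied `specialArgs.modulesPath`, the `class = "nixos"` tag and the `nixpkgs.system`/`hostPlatform` setting derived from `system`. Any module in the imported list that references `modulesPath` would now fail to evaluate, and the target platform has to come from somewhere else. Consider passing these explicitly, e.g. `specialArgs = { modulesPath = "${config.nixpkgs.buildUsing}/nixos/modules"; };` and `{ nixpkgs.hostPlatform = system; }` in the appended module list, or drop the now-unused `system` binding if it really is not needed. The enclosing attribute set and the function it belongs to continue outside the hunk.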
modules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
fleetLib,
config,
pkgs,
+ host,
fleetConfiguration,
...
}:
@@ -13,7 +14,7 @@
;
inherit (lib.stringsWithDeps) stringAfter;
inherit (lib.options) mkOption literalExpression;
- inherit (lib.lists) optional;
+ inherit (lib.lists) optional elem;
inherit (lib.attrsets) mapAttrs mapAttrsToList;
inherit (lib.modules) mkIf;
inherit (lib.types)
@@ -109,7 +110,7 @@
# C api is broken in regard to thunks
# https://github.com/NixOS/nix/issues/12800
parts = let
- hostName = sysConfig.networking.hostName;
+ hostName = host._module.args.name;
generator = config.generator;
in builtins.deepSeq [
hostName
@@ -154,9 +155,9 @@
assertions = mapAttrsToList (name: secret: let
hasSharedDefinition = fleetConfiguration.secrets ? name;
in {
- assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+ assertion = (secret.definition.generator == "shared") == hasSharedDefinition && hasSharedDefinition -> (elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);
message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
- else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+ else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator, and expectedOwners should contain this host";
}) config.secrets;
systemd.services.fleet-install-secrets = mkIf useSysusers {
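Review bot: The new assertion at L62 does not check what its message promises, because `->` has the lowest precedence of all Nix operators: `A == B && C -> D` parses as `((A == B) && C) -> D`, so whenever `hasSharedDefinition` is false the whole expression is vacuously true and the "declared as shared but no shared generator in fleet configuration" case from L65 is no longer caught at all. Parenthesize the implication: `assertion = (secret.definition.generator == "shared") == hasSharedDefinition && (hasSharedDefinition -> elem host._module.args.name fleetConfiguration.secrets.${name}.expectedOwners);`. The messages are also attached to the wrong branch for the new check: a host missing from `expectedOwners` can only fail when `hasSharedDefinition` is true, which selects the `then` text at L63 about host-specific generators, while the "expectedOwners should contain this host" hint was appended to the `else` text at L65. A three-way message (host-specific generator vs. shared fleet definition, shared but this host not in `expectedOwners`, shared without any fleet definition) would make the failure actionable. The `assertions` list is part of a config attribute set that continues past the hunk (`systemd.services.fleet-install-secrets` at L67 belongs to it).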
modules/secrets.nixdiffbeforeafterboth22 {22 {23 options = {23 options = {24 expectedOwners = mkOption {24 expectedOwners = mkOption {25 type = nullOr (listOf str);25 type = listOf str;26 description = ''26 description = ''27 Specifies the list of hosts authorized to decrypt and access this shared secret.27 Specifies the list of hosts authorized to decrypt and access this shared secret.2829 When null, secret ownership is managed manually via fleet.nix and CLI.30 Decrypted secrets will be stored at /run/secrets/$\{name} on authorized hosts.31 '';28 '';32 default = null;33 };29 };34 regenerateOnOwnerAdded = mkOption {30 regenerateOnOwnerAdded = mkOption {35 type = bool;31 type = bool;