feat use fleet-tf
in: trunk
10 files changed
cmds/fleet/Cargo.tomldiffbeforeafterboth--- a/cmds/fleet/Cargo.toml
+++ b/cmds/fleet/Cargo.toml
@@ -45,10 +45,10 @@
human-repr = { version = "1.1", optional = true }
indicatif = { version = "0.18", optional = true }
nom = "8.0.0"
+opentelemetry = "0.30.0"
+opentelemetry_sdk = "0.30.0"
tracing-indicatif = { version = "0.3", optional = true }
tracing-opentelemetry = "0.31.0"
-opentelemetry = "0.30.0"
-opentelemetry_sdk = "0.30.0"
[features]
default = []
cmds/fleet/src/cmds/tf.rsdiffbeforeafterboth--- a/cmds/fleet/src/cmds/tf.rs
+++ b/cmds/fleet/src/cmds/tf.rs
@@ -38,7 +38,7 @@
{
debug!("generating terraform configs");
let system = &config.local_system;
- let config = &config.config_field;
+ let config = &config.flake_outputs;
let data = nix_go!(config.tf({ system }));
let data: PathBuf = spawn_blocking(move || data.build("out"))
.await
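Review bot: The switched line `let config = &config.flake_outputs;` now reads `tf` from the evaluated flake outputs instead of the fleet config field, but nothing at the call site says why, so a reader has to go to modules/extras/tf.nix (where `flake.tf = config.tf;` publishes it) to understand the change. Suggest a one-line comment above it: `// `tf` is exposed on the flake outputs (see `flake.tf` in modules/extras/tf.nix), not under fleet_config.config.`. The shadowing of `config` by one of its own fields predates this change, but it makes the rename easy to misread in `nix_go!(config.tf({ system }))`; a distinct local name such as `outputs` would make the source of `tf` obvious. The enclosing function starts outside the hunk.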
crates/fleet-base/src/host.rsdiffbeforeafterboth--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -34,6 +34,8 @@
pub nix_args: Vec<OsString>,
/// fleet_config.config
pub config_field: Value,
+ /// flake.output
+ pub flake_outputs: Value,
// TODO: Remove with connectivity refactor
pub localhost: String,
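Review bot: The doc comment on the new field reads `/// flake.output` while the field is named `flake_outputs` and, presumably, mirrors the flake's `outputs` attrset; the mismatch looks like a typo and will mislead anyone grepping for the attribute. Suggest `/// flake.outputs` to keep the sibling `/// fleet_config.config` style, or spell it out: `/// Evaluated flake outputs attrset (the flake's `outputs`), as opposed to `config_field`.` — the producer of this value is outside the hunk, so confirm which it is. The struct definition starts outside the hunk.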
crates/fleet-base/src/opts.rsdiffbeforeafterboth--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -267,6 +267,7 @@
Ok(Config(Arc::new(FleetConfigInternals {
directory,
data,
+ flake_outputs: flake,
local_system: self.local_system.clone(),
nix_args,
config_field,
crates/fleet-shared/src/encoding.rsdiffbeforeafterboth1use std::{2 collections::BTreeMap,3 fmt::{self, Display},4 str::FromStr,5};67use base64::engine::{Engine, general_purpose::STANDARD_NO_PAD};8use serde::{Deserialize, Deserializer, Serialize, de::Error};9use unicode_categories::UnicodeCategories;1011#[derive(Debug, PartialEq, Clone)]12pub struct SecretData {13 pub data: Vec<u8>,14 pub encrypted: bool,15}1617const BASE64_ENCODED_PREFIX: &str = "<BASE64-ENCODED>\n";18const Z85_ENCODED_PREFIX: &str = "<Z85-ENCODED>\n";19// Multiline text in Nix can only end with \n, which is not cool for actual single-line strings.20const PLAINTEXT_NEWLINE_PREFIX: &str = "<PLAINTEXT-NL>\n";21const PLAINTEXT_PREFIX: &str = "<PLAINTEXT>";2223const SECRET_PREFIX: &str = "<ENCRYPTED>";2425impl<'de> Deserialize<'de> for SecretData {26 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>27 where28 D: Deserializer<'de>,29 {30 let string = String::deserialize(deserializer)?;31 string.parse().map_err(D::Error::custom)32 }33}3435impl Serialize for SecretData {36 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>37 where38 S: serde::Serializer,39 {40 self.to_string().serialize(serializer)41 }42}4344impl FromStr for SecretData {45 type Err = String;4647 fn from_str(string: &str) -> Result<Self, Self::Err> {48 let (encrypted, string) = if let Some(unprefixed) = string.strip_prefix(SECRET_PREFIX) {49 (true, unprefixed)50 } else {51 (false, string)52 };53 let data = if let Some(unprefixed) = string.strip_prefix(BASE64_ENCODED_PREFIX) {54 STANDARD_NO_PAD55 .decode(unprefixed.replace(['\n', '\t', ' '], ""))56 .map_err(|e| format!("base64-encoded failed: {e}"))?57 } else if let Some(unprefixed) = string.strip_prefix(Z85_ENCODED_PREFIX) {58 z85::decode(unprefixed.replace(['\n', '\t', ' '], ""))59 .map_err(|e| format!("z85-encoded failed: {e}"))?60 } else if let Some(unprefixed) = string.strip_prefix(PLAINTEXT_NEWLINE_PREFIX) {61 unprefixed.as_bytes().to_owned()62 } else if let 
Some(unprefixed) = string.strip_prefix(PLAINTEXT_PREFIX) {63 unprefixed.as_bytes().to_owned()64 } else {65 let secret_prefix = format!("{SECRET_PREFIX}{Z85_ENCODED_PREFIX}");66 return Err(format!(67 "unknown secret encoding. If you're migrating from old version of fleet, prefix public secret fields with {PLAINTEXT_PREFIX:?}, and encrypted data with {secret_prefix:?}: {string}"68 ));69 };70 Ok(Self { data, encrypted })71 }72}7374impl Display for SecretData {75 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {76 let mut readable = std::str::from_utf8(&self.data).ok();77 if self.encrypted {78 write!(f, "{SECRET_PREFIX}")?;79 // Always base64-encode encrypted fields.80 readable = None;81 }82 if Some(false) == readable.map(is_printable) {83 readable = None84 };85 // TODO: Check if text is readable, and has no unprintable characters?..86 if let Some(plaintext) = readable {87 if plaintext.ends_with('\n') {88 write!(f, "{PLAINTEXT_NEWLINE_PREFIX}")?;89 } else {90 write!(f, "{PLAINTEXT_PREFIX}")?;91 }92 write!(f, "{plaintext}")?;93 } else {94 write!(f, "{BASE64_ENCODED_PREFIX}")?;95 let encoded = STANDARD_NO_PAD.encode(&self.data);96 for ele in encoded.as_bytes().chunks(64) {97 let chunk = std::str::from_utf8(ele).expect(98 "any slice of base64-encoded text is utf-8 compatible, as it is ascii-based",99 );100 writeln!(f, "{chunk}")?;101 }102 };103 Ok(())104 }105}106107fn is_printable(text: &str) -> bool {108 text.chars().all(|c| {109 c.is_letter()110 || c.is_mark()111 || c.is_number()112 || c.is_punctuation()113 || c.is_separator()114 || c == '\n' || c == '\t'115 // Complete base64 alphabet116 || c == '/' || c == '+'117 || c == '='118 })119}120121#[test]122fn test() {123 fn check_roundtrip(data: SecretData, expected: &str) {124 let string = data.to_string();125 assert_eq!(string, expected, "unexpected encoding");126 let roundtrip: SecretData = string.parse().expect("roundtrip parse");127 assert_eq!(data, roundtrip, "roundtrip didn't match");128 }129 
check_roundtrip(130 SecretData {131 data: vec![1, 2, 3, 4, 5, 6],132 encrypted: false,133 },134 "<BASE64-ENCODED>\nAQIDBAUG\n",135 );136 check_roundtrip(137 SecretData {138 data: vec![1, 2, 3, 4, 5, 6],139 encrypted: true,140 },141 "<ENCRYPTED><BASE64-ENCODED>\nAQIDBAUG\n",142 );143 check_roundtrip(144 SecretData {145 data: "Привет, мир!\n".to_owned().into(),146 encrypted: false,147 },148 "<PLAINTEXT-NL>\nПривет, мир!\n",149 );150 check_roundtrip(151 SecretData {152 data: "Привет, мир!".to_owned().into(),153 encrypted: false,154 },155 "<PLAINTEXT>Привет, мир!",156 );157}crates/nix-eval/src/logging.ccdiffbeforeafterboth--- a/crates/nix-eval/src/logging.cc
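Review bot: The fallback branch of `from_str` returns `Err(format!("unknown secret encoding. ... {string}"))`, embedding the complete unrecognised field value in the error; when the cause is a secret that was pasted without its prefix, the raw value will most likely end up in log and error output via `D::Error::custom`. Prefer reporting only its size and a short, bounded prefix, e.g. `"unknown secret encoding ...: {} bytes, starts with {:?}", string.len(), string.chars().take(16).collect::<String>()`. Separately, parsing accepts `<ENCRYPTED>` followed by any of the four encodings, while `Display` sets `readable = None` for encrypted values and therefore only ever emits `<ENCRYPTED><BASE64-ENCODED>`; a comment on `from_str` stating that the plaintext forms are tolerated after `<ENCRYPTED>` for leniency but never produced would document that asymmetry. This section is rendered as the whole file without change markers, so these points concern the code as it stands rather than the delta.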
+++ b/crates/nix-eval/src/logging.cc
@@ -9,12 +9,14 @@
bool isVerbose() override { return true; }
void log(Verbosity lvl, std::string_view s) override {
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s.data()), s.size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s.data()), s.size());
emit_log(lvl, str);
}
void logEI(const ErrorInfo &ei) override {
auto s = ei.msg.str();
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s.data()), s.size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s.data()), s.size());
emit_log(ei.level, str);
}
@@ -27,7 +29,8 @@
b->add_int_field(f.i);
} else if (f.type == Logger::Field::tString) {
auto s = &f.s;
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s->data()), s->size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s->data()), s->size());
b->add_string_field(str);
} else {
unreachable();
@@ -45,7 +48,8 @@
b->add_int_field(f.i);
} else if (f.type == Logger::Field::tString) {
auto s = &f.s;
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s->data()), s->size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s->data()), s->size());
b->add_string_field(str);
} else {
unreachable();
flake.lockdiffbeforeafterboth--- a/flake.lock
+++ b/flake.lock
@@ -71,6 +71,31 @@
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
+ "fleet-tf": {
+ "inputs": {
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "shelly": [
+ "shelly"
+ ]
+ },
+ "locked": {
+ "lastModified": 1759080490,
+ "owner": "CertainLach",
+ "repo": "fleet-tf",
+ "rev": "878bd8c23933d628bf750378bbe527b841901c3d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "CertainLach",
+ "repo": "fleet-tf",
+ "type": "github"
+ }
+ },
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
@@ -183,6 +208,7 @@
"inputs": {
"crane": "crane",
"flake-parts": "flake-parts",
+ "fleet-tf": "fleet-tf",
"nix": "nix",
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay",
flake.nixdiffbeforeafterboth--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,12 @@
};
crane.url = "github:ipetkov/crane";
shelly.url = "github:CertainLach/shelly";
+ fleet-tf = {
+ url = "github:CertainLach/fleet-tf";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.shelly.follows = "shelly";
+ inputs.flake-parts.follows = "flake-parts";
+ };
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -42,7 +48,7 @@
};
flakeModule = flakeModules.default;
- fleetModules.tf = ./modules/extras/tf.nix;
+ flakeModules.fleet-tf = ./modules/extras/tf.nix;
# Used to test nix-eval bindings
testData = {
@@ -114,13 +120,16 @@
{
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
- overlays = [ (inputs.rust-overlay.overlays.default) (final: prev: {
- boehmgc = prev.boehmgc.overrideAttrs (prevAttrs: {
- configureFlags = prevAttrs.configureFlags ++ [
- "--enable-gc-assertions"
- ];
- });
- }) ];
+ overlays = [
+ (inputs.rust-overlay.overlays.default)
+ (final: prev: {
+ boehmgc = prev.boehmgc.overrideAttrs (prevAttrs: {
+ configureFlags = prevAttrs.configureFlags ++ [
+ "--enable-gc-assertions"
+ ];
+ });
+ })
+ ];
};
# Reference fleet package should be built with nightly rust, specified in rust-toolchain.toml.
packages = lib.mkIf deployerSystem (
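Review bot: The second hunk renames the exported module from `fleetModules.tf` to `flakeModules.fleet-tf`, which silently breaks any downstream flake that still imports `fleetModules.tf`, and the commit description does not mention the rename. Consider keeping the old attribute as a deprecated alias for one release, `fleetModules.tf = ./modules/extras/tf.nix; # deprecated: use flakeModules.fleet-tf`, or at least calling out the breakage in the description. The new `fleet-tf` input pins `nixpkgs`, `shelly` and `flake-parts` through `follows`, which matches the lock entry added in flake.lock.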
modules/extras/tf-bootstrap.nixdiffbeforeafterboth--- /dev/null
+++ b/modules/extras/tf-bootstrap.nix
@@ -0,0 +1,37 @@
+{
+ lib,
+ inputs',
+ pkgs,
+ config,
+ ...
+}:
+let
+ inherit (lib.options) mkOption mkPackageOption;
+ inherit (lib.types) listOf package functionTo;
+in
+{
+ options = {
+ tf.package = mkPackageOption pkgs "terraform" {
+ extraDescription = "Terraform package to use";
+ };
+ tf.providers = mkOption {
+ description = "List of used terraform providers";
+ type = functionTo (listOf package);
+ default = _: [ ];
+ };
+ tf.finalPackage = mkOption {
+ description = "Terraform package with all providers";
+ type = package;
+ };
+ };
+ config = {
+ tf.finalPackage = inputs'.fleet-tf.packages.terraform-locked.override {
+ inherit (config.tf) providers;
+ terraform = config.tf.package;
+ };
+ shelly.shells.default = {
+ packages = [ config.tf.finalPackage ];
+ };
+ packages.terraform = config.tf.finalPackage;
+ };
+}
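Review bot: `tf.finalPackage` is declared with type `package` and no default and then set unconditionally in `config`; if a consumer of this module also defines `tf.finalPackage`, the two definitions have equal priority and the `package` type will refuse to merge them. Either mark the option `readOnly = true;` (it is fully derived from `tf.package` and `tf.providers`) or wrap the assignment, `tf.finalPackage = lib.mkDefault (inputs'.fleet-tf.packages.terraform-locked.override { ... });`, so that a user override wins. The option description could also say how the value is built: `description = "tf.package with the providers from tf.providers bundled in, built through fleet-tf's terraform-locked";`. As far as I know nixpkgs' `terraform` is marked unfree in current channels, so `mkPackageOption pkgs "terraform"` will need `allowUnfree` unless an OpenTofu package is substituted — worth a sentence in `extraDescription`.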
modules/extras/tf.nixdiffbeforeafterboth--- a/modules/extras/tf.nix
+++ b/modules/extras/tf.nix
@@ -11,6 +11,7 @@
inherit (fleetLib.options) mkDataOption;
in
{
+
options = {
tf = mkOption {
type = deferredModule;
@@ -18,7 +19,7 @@
module: system:
inputs.terranix.lib.terranixConfiguration {
inherit system;
- pkgs = config.nixpkgs.buildUsing.legacyPackages.${system};
+ pkgs = inputs.nixpkgs.legacyPackages.${system};
modules = [
module
];
@@ -35,6 +36,8 @@
};
config = {
+ flake.tf = config.tf;
+
tf.output.fleet = {
value = {
managed = true;
@@ -43,6 +46,8 @@
# will be somehow processed by fleet tf.
sensitive = true;
};
- hosts = config.data.extra.terraformHosts;
+ fleetConfigurations.default.hosts = config.data.extra.terraformHosts;
+
+ perSystem.imports = [ ./tf-bootstrap.nix ];
};
}
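Review bot: The third hunk's `pkgs = inputs.nixpkgs.legacyPackages.${system};` replaces what was presumably the deployer-configured `config.nixpkgs.buildUsing` with the fleet flake's own `nixpkgs` input, so terranix configurations no longer see the overlays or nixpkgs revision selected through `nixpkgs.buildUsing`; if that is intended, a comment saying why terranix is pinned to the upstream input would pre-empt a regression report, otherwise the previous expression should be kept. The last hunk hard-codes `fleetConfigurations.default.hosts`, which only covers a configuration named `default`; either derive the name or document that limitation next to the line. The blank line added after `{` in the first hunk looks unintended.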