feat use fleet-tf
in: trunk
10 files changed
cmds/fleet/Cargo.tomldiffbeforeafterboth
--- a/cmds/fleet/Cargo.toml
+++ b/cmds/fleet/Cargo.toml
@@ -45,10 +45,10 @@
human-repr = { version = "1.1", optional = true }
indicatif = { version = "0.18", optional = true }
nom = "8.0.0"
+opentelemetry = "0.30.0"
+opentelemetry_sdk = "0.30.0"
tracing-indicatif = { version = "0.3", optional = true }
tracing-opentelemetry = "0.31.0"
-opentelemetry = "0.30.0"
-opentelemetry_sdk = "0.30.0"
[features]
default = []
cmds/fleet/src/cmds/tf.rsdiffbeforeafterboth
--- a/cmds/fleet/src/cmds/tf.rs
+++ b/cmds/fleet/src/cmds/tf.rs
@@ -38,7 +38,7 @@
{
debug!("generating terraform configs");
let system = &config.local_system;
- let config = &config.config_field;
+ let config = &config.flake_outputs;
let data = nix_go!(config.tf({ system }));
let data: PathBuf = spawn_blocking(move || data.build("out"))
.await
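Review bot: The new line `let config = &config.flake_outputs;` shadows the `Config` value with one of its own fields, so anything placed after it in this function can no longer reach the original `config` (e.g. `config.local_system` two lines up would resolve differently if moved below); a distinct name reads better and avoids that trap: `let flake = &config.flake_outputs;` followed by `let data = nix_go!(flake.tf({ system }));`. The replaced line had the same shadowing on `config_field`, so this is a style point rather than a regression. The enclosing function starts and ends outside the hunk.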
crates/fleet-base/src/host.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/host.rs
+++ b/crates/fleet-base/src/host.rs
@@ -34,6 +34,8 @@
pub nix_args: Vec<OsString>,
/// fleet_config.config
pub config_field: Value,
+ /// flake.output
+ pub flake_outputs: Value,
// TODO: Remove with connectivity refactor
pub localhost: String,
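Review bot: The doc comment on the new field, `/// flake.output`, looks like a typo for `flake.outputs` and, unlike the sibling `/// fleet_config.config` on `config_field`, does not say which attribute set this `Value` holds or who reads it; since `cmds/tf.rs` now evaluates `.tf` from it, suggest `/// The flake's `outputs` attrset (what opts.rs passes as `flake`); `tf` is read from here.` The struct definition continues outside the hunk.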
crates/fleet-base/src/opts.rsdiffbeforeafterboth
--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -267,6 +267,7 @@
Ok(Config(Arc::new(FleetConfigInternals {
directory,
data,
+ flake_outputs: flake,
local_system: self.local_system.clone(),
nix_args,
config_field,
crates/fleet-shared/src/encoding.rsdiffbeforeafterboth1use std::{2 collections::BTreeMap, fmt::{self, Display}, str::FromStr3};45use base64::engine::{Engine, general_purpose::STANDARD_NO_PAD};6use serde::{Deserialize, Deserializer, Serialize, de::Error};7use unicode_categories::UnicodeCategories;89#[derive(Debug, PartialEq, Clone)]10pub struct SecretData {11 pub data: Vec<u8>,12 pub encrypted: bool,13}1415const BASE64_ENCODED_PREFIX: &str = "<BASE64-ENCODED>\n";16const Z85_ENCODED_PREFIX: &str = "<Z85-ENCODED>\n";17// Multiline text in Nix can only end with \n, which is not cool for actual single-line strings.18const PLAINTEXT_NEWLINE_PREFIX: &str = "<PLAINTEXT-NL>\n";19const PLAINTEXT_PREFIX: &str = "<PLAINTEXT>";2021const SECRET_PREFIX: &str = "<ENCRYPTED>";2223impl<'de> Deserialize<'de> for SecretData {24 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>25 where26 D: Deserializer<'de>,27 {28 let string = String::deserialize(deserializer)?;29 string.parse().map_err(D::Error::custom)30 }31}3233impl Serialize for SecretData {34 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>35 where36 S: serde::Serializer,37 {38 self.to_string().serialize(serializer)39 }40}4142impl FromStr for SecretData {43 type Err = String;4445 fn from_str(string: &str) -> Result<Self, Self::Err> {46 let (encrypted, string) = if let Some(unprefixed) = string.strip_prefix(SECRET_PREFIX) {47 (true, unprefixed)48 } else {49 (false, string)50 };51 let data = if let Some(unprefixed) = string.strip_prefix(BASE64_ENCODED_PREFIX) {52 STANDARD_NO_PAD53 .decode(unprefixed.replace(['\n', '\t', ' '], ""))54 .map_err(|e| format!("base64-encoded failed: {e}"))?55 } else if let Some(unprefixed) = string.strip_prefix(Z85_ENCODED_PREFIX) {56 z85::decode(unprefixed.replace(['\n', '\t', ' '], ""))57 .map_err(|e| format!("z85-encoded failed: {e}"))?58 } else if let Some(unprefixed) = string.strip_prefix(PLAINTEXT_NEWLINE_PREFIX) {59 unprefixed.as_bytes().to_owned()60 } else if let 
Some(unprefixed) = string.strip_prefix(PLAINTEXT_PREFIX) {61 unprefixed.as_bytes().to_owned()62 } else {63 let secret_prefix = format!("{SECRET_PREFIX}{Z85_ENCODED_PREFIX}");64 return Err(format!(65 "unknown secret encoding. If you're migrating from old version of fleet, prefix public secret fields with {PLAINTEXT_PREFIX:?}, and encrypted data with {secret_prefix:?}: {string}"66 ));67 };68 Ok(Self { data, encrypted })69 }70}7172impl Display for SecretData {73 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {74 let mut readable = std::str::from_utf8(&self.data).ok();75 if self.encrypted {76 write!(f, "{SECRET_PREFIX}")?;77 // Always base64-encode encrypted fields.78 readable = None;79 }80 if Some(false) == readable.map(is_printable) {81 readable = None82 };83 // TODO: Check if text is readable, and has no unprintable characters?..84 if let Some(plaintext) = readable {85 if plaintext.ends_with('\n') {86 write!(f, "{PLAINTEXT_NEWLINE_PREFIX}")?;87 } else {88 write!(f, "{PLAINTEXT_PREFIX}")?;89 }90 write!(f, "{plaintext}")?;91 } else {92 write!(f, "{BASE64_ENCODED_PREFIX}")?;93 let encoded = STANDARD_NO_PAD.encode(&self.data);94 for ele in encoded.as_bytes().chunks(64) {95 let chunk = std::str::from_utf8(ele).expect(96 "any slice of base64-encoded text is utf-8 compatible, as it is ascii-based",97 );98 writeln!(f, "{chunk}")?;99 }100 };101 Ok(())102 }103}104105fn is_printable(text: &str) -> bool {106 text.chars().all(|c| {107 c.is_letter()108 || c.is_mark()109 || c.is_number()110 || c.is_punctuation()111 || c.is_separator()112 || c == '\n' || c == '\t'113 // Complete base64 alphabet114 || c == '/' || c == '+'115 || c == '='116 })117}118119#[test]120fn test() {121 fn check_roundtrip(data: SecretData, expected: &str) {122 let string = data.to_string();123 assert_eq!(string, expected, "unexpected encoding");124 let roundtrip: SecretData = string.parse().expect("roundtrip parse");125 assert_eq!(data, roundtrip, "roundtrip didn't match");126 }127 
check_roundtrip(128 SecretData {129 data: vec![1, 2, 3, 4, 5, 6],130 encrypted: false,131 },132 "<BASE64-ENCODED>\nAQIDBAUG\n",133 );134 check_roundtrip(135 SecretData {136 data: vec![1, 2, 3, 4, 5, 6],137 encrypted: true,138 },139 "<ENCRYPTED><BASE64-ENCODED>\nAQIDBAUG\n",140 );141 check_roundtrip(142 SecretData {143 data: "Привет, мир!\n".to_owned().into(),144 encrypted: false,145 },146 "<PLAINTEXT-NL>\nПривет, мир!\n",147 );148 check_roundtrip(149 SecretData {150 data: "Привет, мир!".to_owned().into(),151 encrypted: false,152 },153 "<PLAINTEXT>Привет, мир!",154 );155}crates/nix-eval/src/logging.ccdiffbeforeafterboth--- a/crates/nix-eval/src/logging.cc
+++ b/crates/nix-eval/src/logging.cc
@@ -9,12 +9,14 @@
bool isVerbose() override { return true; }
void log(Verbosity lvl, std::string_view s) override {
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s.data()), s.size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s.data()), s.size());
emit_log(lvl, str);
}
void logEI(const ErrorInfo &ei) override {
auto s = ei.msg.str();
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s.data()), s.size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s.data()), s.size());
emit_log(ei.level, str);
}
@@ -27,7 +29,8 @@
b->add_int_field(f.i);
} else if (f.type == Logger::Field::tString) {
auto s = &f.s;
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s->data()), s->size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s->data()), s->size());
b->add_string_field(str);
} else {
unreachable();
@@ -45,7 +48,8 @@
b->add_int_field(f.i);
} else if (f.type == Logger::Field::tString) {
auto s = &f.s;
- rust::Slice<const unsigned char> str(reinterpret_cast<const unsigned char*>(s->data()), s->size());
+ rust::Slice<const unsigned char> str(
+ reinterpret_cast<const unsigned char *>(s->data()), s->size());
b->add_string_field(str);
} else {
unreachable();
flake.lockdiffbeforeafterboth
--- a/flake.lock
+++ b/flake.lock
@@ -71,6 +71,31 @@
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
+ "fleet-tf": {
+ "inputs": {
+ "flake-parts": [
+ "flake-parts"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "shelly": [
+ "shelly"
+ ]
+ },
+ "locked": {
+ "lastModified": 1759080490,
+ "owner": "CertainLach",
+ "repo": "fleet-tf",
+ "rev": "878bd8c23933d628bf750378bbe527b841901c3d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "CertainLach",
+ "repo": "fleet-tf",
+ "type": "github"
+ }
+ },
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
@@ -183,6 +208,7 @@
"inputs": {
"crane": "crane",
"flake-parts": "flake-parts",
+ "fleet-tf": "fleet-tf",
"nix": "nix",
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay",
flake.nixdiffbeforeafterboth
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,12 @@
};
crane.url = "github:ipetkov/crane";
shelly.url = "github:CertainLach/shelly";
+ fleet-tf = {
+ url = "github:CertainLach/fleet-tf";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.shelly.follows = "shelly";
+ inputs.flake-parts.follows = "flake-parts";
+ };
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -42,7 +48,7 @@
};
flakeModule = flakeModules.default;
- fleetModules.tf = ./modules/extras/tf.nix;
+ flakeModules.fleet-tf = ./modules/extras/tf.nix;
# Used to test nix-eval bindings
testData = {
@@ -114,13 +120,16 @@
{
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
- overlays = [ (inputs.rust-overlay.overlays.default) (final: prev: {
- boehmgc = prev.boehmgc.overrideAttrs (prevAttrs: {
- configureFlags = prevAttrs.configureFlags ++ [
- "--enable-gc-assertions"
- ];
- });
- }) ];
+ overlays = [
+ (inputs.rust-overlay.overlays.default)
+ (final: prev: {
+ boehmgc = prev.boehmgc.overrideAttrs (prevAttrs: {
+ configureFlags = prevAttrs.configureFlags ++ [
+ "--enable-gc-assertions"
+ ];
+ });
+ })
+ ];
};
# Reference fleet package should be built with nightly rust, specified in rust-toolchain.toml.
packages = lib.mkIf deployerSystem (
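Review bot: The second hunk renames the exported module from `fleetModules.tf` to `flakeModules.fleet-tf`, which breaks any downstream flake that imported the old path, and neither the commit title nor this file says so. If the module genuinely only works as a flake-parts module now (tf.nix in this commit starts setting `flake.tf` and `perSystem.imports`), state the break in the commit description; otherwise keep `fleetModules.tf = ./modules/extras/tf.nix;` as a deprecated alias for one release. The `flakeModule = flakeModules.default;` line just above suggests `flakeModules` is the public namespace, so the new location itself is consistent.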
modules/extras/tf-bootstrap.nixdiffbeforeafterboth
--- /dev/null
+++ b/modules/extras/tf-bootstrap.nix
@@ -0,0 +1,37 @@
+{
+ lib,
+ inputs',
+ pkgs,
+ config,
+ ...
+}:
+let
+ inherit (lib.options) mkOption mkPackageOption;
+ inherit (lib.types) listOf package functionTo;
+in
+{
+ options = {
+ tf.package = mkPackageOption pkgs "terraform" {
+ extraDescription = "Terraform package to use";
+ };
+ tf.providers = mkOption {
+ description = "List of used terraform providers";
+ type = functionTo (listOf package);
+ default = _: [ ];
+ };
+ tf.finalPackage = mkOption {
+ description = "Terraform package with all providers";
+ type = package;
+ };
+ };
+ config = {
+ tf.finalPackage = inputs'.fleet-tf.packages.terraform-locked.override {
+ inherit (config.tf) providers;
+ terraform = config.tf.package;
+ };
+ shelly.shells.default = {
+ packages = [ config.tf.finalPackage ];
+ };
+ packages.terraform = config.tf.finalPackage;
+ };
+}
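Review bot: `tf.finalPackage` is declared with no default and then defined unconditionally in `config`, so a consumer that sets `tf.finalPackage = …` themselves will, as far as I can tell, hit a conflicting-definition error from the `package` type rather than override it; if the option is meant to be derived only, declare it `readOnly = true;`, and if it is meant to be overridable, define it with `lib.mkDefault`. Separately, `packages.terraform` and the default shell unconditionally pull in the nixpkgs `terraform` package, which is marked unfree in recent nixpkgs as far as I recall, so consumers without `allowUnfree` may fail evaluation on `nix flake show`/`nix flake check` even if they never use tf — worth confirming, and gating both behind an enable option (this module has none yet) would avoid it.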
modules/extras/tf.nixdiffbeforeafterboth
--- a/modules/extras/tf.nix
+++ b/modules/extras/tf.nix
@@ -11,6 +11,7 @@
inherit (fleetLib.options) mkDataOption;
in
{
+
options = {
tf = mkOption {
type = deferredModule;
@@ -18,7 +19,7 @@
module: system:
inputs.terranix.lib.terranixConfiguration {
inherit system;
- pkgs = config.nixpkgs.buildUsing.legacyPackages.${system};
+ pkgs = inputs.nixpkgs.legacyPackages.${system};
modules = [
module
];
@@ -35,6 +36,8 @@
};
config = {
+ flake.tf = config.tf;
+
tf.output.fleet = {
value = {
managed = true;
@@ -43,6 +46,8 @@
# will be somehow processed by fleet tf.
sensitive = true;
};
- hosts = config.data.extra.terraformHosts;
+ fleetConfigurations.default.hosts = config.data.extra.terraformHosts;
+
+ perSystem.imports = [ ./tf-bootstrap.nix ];
};
}
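Review bot: The second hunk replaces `config.nixpkgs.buildUsing.legacyPackages.${system}` with `inputs.nixpkgs.legacyPackages.${system}`, so the terranix evaluation no longer honours a consumer-configured nixpkgs and instead assumes the consumer flake has an input literally named `nixpkgs`; presumably that is because the module now runs as a flake-parts module where the fleet-level option is unavailable, and a one-line comment saying so would save the next reader the guess. The first hunk adds only a stray blank line after `{`, which can be dropped. In the last hunk `fleetConfigurations.default.hosts = …` hard-codes the configuration name `default`, so a flake whose fleet configuration is named differently will silently get no terraform hosts; if that limitation is intended, it should be stated in the `tf` option's description.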