--- a/lib/default.nix +++ b/lib/default.nix @@ -1,29 +1,31 @@ { - fleetConfiguration = { common ? { modules = []; }, hosts, nixpkgs }@args: + fleetConfiguration = { nixpkgs, hosts, ... }@allConfig: + let + config = builtins.removeAttrs allConfig [ "nixpkgs" ]; + in rec { root = nixpkgs.lib.evalModules { - modules = [ - ( - { ... }: { - config = { - inherit hosts; - # Secret data is available only via fleet build-systems - secrets = if builtins?getEnv then - let - stringData = builtins.getEnv "SECRET_DATA"; - in - if stringData != "" then (builtins.fromJSON stringData) else {} - else {}; - }; - - } - ) - ] ++ common.modules ++ import ../modules/modules.nix { - pkgs = nixpkgs; - lib = nixpkgs.lib; - }; - + modules = + (import ../modules/modules.nix) ++ [ + config + ( + { ... }: { + options = { }; + config = { + # Secret data is available only via fleet build-systems + secrets = + if builtins?getEnv then + let + stringData = builtins.getEnv "SECRET_DATA"; + in + if stringData != "" then (builtins.fromJSON stringData) else { } + else { }; + }; + } + ) + ]; specialArgs = { + inherit nixpkgs; fleet = import ./fleetLib.nix { inherit nixpkgs hosts; }; @@ -32,14 +34,16 @@ configuredHosts = root.config.hosts; configuredSecrets = root.config.secrets; configuredSystems = nixpkgs.lib.listToAttrs ( - map ( - name: { - inherit name; value = nixpkgs.lib.nixosSystem { - system = configuredHosts.${name}.system; - modules = configuredHosts.${name}.modules; - }; - } - ) (builtins.attrNames hosts) + map + ( + name: { + inherit name; value = nixpkgs.lib.nixosSystem { + system = configuredHosts.${name}.system; + modules = configuredHosts.${name}.modules; + }; + } + ) + (builtins.attrNames root.config.hosts) ); #nixpkgs.lib.nixosSystem {} }; } --- a/lib/fleetLib.nix +++ b/lib/fleetLib.nix 
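Review bot: The `builtins?getEnv` guard around the SECRET_DATA read is dead code: `builtins ? getEnv` is an attribute-presence test that holds on any Nix that has `getEnv`, and under pure evaluation (flakes, `--pure-eval`) `getEnv` still exists but returns `""`, so the `else { }` branch is never taken and `secrets` silently becomes `{ }` in that mode. The block reduces to `secrets = let s = builtins.getEnv "SECRET_DATA"; in if s == "" then { } else builtins.fromJSON s;`. The comment above it would be more useful if it said what the value is and when it is absent, e.g. `# SECRET_DATA is a JSON attrset (see modules/root.nix for the option shape) injected by fleet build-systems; under pure evaluation getEnv yields "" and secrets evaluate to {}, so any module dereferencing config.secrets.<name>.data fails with an "attribute missing" error rather than a message about the missing variable.` Passing secret material through the environment also deserves a caveat there, since the environment of a running process is readable by other processes of the same user and tends to be captured by CI logs.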
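Review bot: `configuredSystems` now iterates `root.config.hosts`, while `fleet` (built in the previous hunk with `inherit nixpkgs hosts`) still derives `hostNames` and `hostsCartesian` from the raw `hosts` argument, so a host added through a module rather than the top-level `hosts` attribute would be built here but would get no `wg-key-*`/`wg-psk-*` secret and no peer entry in modules/networking/wireguard. fleetLib.nix carries a comment that modules cannot register hosts because of infinite recursion, so if this divergence is deliberate it should be stated at the point it matters: `# Iterates root.config.hosts, but fleet.hostNames (used by the wireguard module) is still built from the raw hosts argument, so hosts added by modules get no fleet-level keys or peers.` Otherwise consider feeding `root.config.hosts` to fleetLib if the recursion it mentions can be avoided.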
@@ -1,32 +1,34 @@ # Shared functions for fleet configuration, available as `fleet` module argument { nixpkgs, hosts }: with nixpkgs.lib; rec { - mkSecret = let - system = builtins.currentSystem; - pkgs = import nixpkgs { inherit system; }; - keys = builtins.getEnv "RAGE_KEYS"; - encryptCmd = "rage ${keys} -a"; - impuritySource = builtins.getEnv "IMPURITY_SOURCE"; - in - f: let + mkSecret = + let + system = builtins.currentSystem; + pkgs = import nixpkgs { inherit system; }; + keys = builtins.getEnv "RAGE_KEYS"; + encryptCmd = "rage ${keys} -a"; + impuritySource = builtins.getEnv "IMPURITY_SOURCE"; + in + f: + let data = f { inherit pkgs encryptCmd; }; in - builtins.derivation { - inherit system; - name = "secret"; + builtins.derivation { + inherit system; + name = "secret"; - builder = "${pkgs.bash}/bin/bash"; - args = [ - ( - pkgs.writeTextFile { - name = "./build-${impuritySource}.sh"; - text = data.script; - executable = true; - } - ) - ]; + builder = "${pkgs.bash}/bin/bash"; + args = [ + ( + pkgs.writeTextFile { + name = "./build-${impuritySource}.sh"; + text = data.script; + executable = true; + } + ) + ]; - PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}"; - }; + PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}"; + }; # Modules can't register hosts because of infinite recursion hostNames = attrNames hosts; hostsToAttrs = f: listToAttrs ( @@ -34,17 +36,20 @@ ); hostsCartesian = remove null ( unique ( - crossLists ( - a: b: if a == b then - null - else - hostsPair a b - ) [ hostNames hostNames ] + crossLists + ( + a: b: + if a == b then + null + else + hostsPair a b + ) [ hostNames hostNames ] ) ); - hostsPair = this: other: let - sorted = sort (a: b: a < b) [ this other ]; - in + hostsPair = this: other: + let + sorted = sort (a: b: a < b) [ this other ]; + in { a = elemAt sorted 0; b = elemAt sorted 1; 
--- a/modules/modules.nix +++ b/modules/modules.nix @@ -1,8 +1,4 @@ -{ pkgs -, lib -, check ? true -}: -with lib; [ +[ ./networking/wireguard ./root.nix ] --- a/modules/networking/wireguard/default.nix +++ b/modules/networking/wireguard/default.nix @@ -1,4 +1,4 @@ -{ config, lib, nixpkgs, fleet, ... }: with lib; with fleet; let +{ config, lib, fleet, ... }: with lib; with fleet; let cfg = config.networking.wireguard; genWgKey = { owners }: { inherit owners; @@ -32,25 +32,27 @@ }; hostKeys = listToAttrs ( - map ( - hostName: { - name = "wg-key-${hostName}"; - value = genWgKey { - owners = [ hostName ]; - }; - } - ) + map + ( + hostName: { + name = "wg-key-${hostName}"; + value = genWgKey { + owners = [ hostName ]; + }; + } + ) hostNames ); psks = listToAttrs ( - map ( - { a, b }: { - name = "wg-psk-${a}-${b}"; - value = genWgPsk { - owners = [ a b ]; - }; - } - ) + map + ( + { a, b }: { + name = "wg-psk-${a}-${b}"; + value = genWgPsk { + owners = [ a b ]; + }; + } + ) hostsCartesian ); in @@ -82,16 +84,19 @@ networking.wireguard.enable = true; networking.wireguard.interfaces.fleetwg = { privateKeyFile = "/run/secrets/wg-key-${hostName}"; - peers = map ( - peer: let - pair = hostsPair hostName peer; - in + peers = map + ( + peer: + let + pair = hostsPair hostName peer; + in { publicKey = config.secrets."wg-key-${peer}".data.key; presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}"; allowedIPs = cfg.allowedIPs.${peer}; } - ) hostNames; + ) + hostNames; }; } ]; --- a/modules/root.nix +++ b/modules/root.nix @@ -22,7 +22,7 @@ data = mkOption { type = attrsOf anything; description = "Generated secret data, do not set it yourself"; - default = {}; + default = { }; }; }; }; @@ -31,7 +31,7 @@ modules = mkOption { type = listOf anything; description = "List of nixos modules"; - default = []; + default = [ ]; }; network = mkOption { type = submodule { 
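Review bot: modules.nix is now a bare list with nothing saying who consumes it; lib/default.nix in this diff prepends it to the `evalModules` module list, so these are fleet-level modules evaluated against the option tree declared in root.nix, not NixOS modules for `nixosSystem`. A one-line header would keep someone from dropping a NixOS module in here by mistake: `# Fleet-level modules consumed by lib/default.nix (evalModules against the options in ./root.nix); NixOS modules go in hosts.<name>.modules instead.` Removing the unused `pkgs`, `lib` and `check` arguments is fine, as nothing in the list referenced them.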
@@ -55,14 +55,22 @@ options = with types; { hosts = mkOption { type = attrsOf (submodule host); - default = {}; + default = { }; description = "Configurations of individual hosts"; }; secrets = mkOption { type = attrsOf (submodule secret); - default = {}; + default = { }; description = "Secrets"; }; }; - config = {}; + config = { + secrets = + if builtins?getEnv then + let + stringData = builtins.getEnv "SECRET_DATA"; + in + if stringData != "" then (builtins.fromJSON stringData) else { } + else { }; + }; }
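Review bot: `config.secrets` is now defined here and, in the same diff, a second time in the inline module in lib/default.nix, so every secret read from SECRET_DATA is defined twice. The `data` option is `attrsOf anything`, and as I read `types.anything` it accepts duplicate scalar definitions only when they are equal and refuses two definitions of a list outright, so a SECRET_DATA entry containing a JSON array would fail evaluation with a "conflicting definitions" error instead of merging. Keep the definition in one place; since the option is declared in this module it is the natural owner, and the copy in lib/default.nix can go. The `builtins?getEnv` test is an attribute-presence check that is true wherever `getEnv` exists (pure evaluation makes it return `""`, not disappear), so this can shrink to `secrets = let s = builtins.getEnv "SECRET_DATA"; in if s == "" then { } else builtins.fromJSON s;`.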