refactor recurse less
in: trunk
5 files changed
lib/default.nixdiffbeforeafterboth1{2 fleetConfiguration = { common ? { modules = []; }, hosts, nixpkgs }@args:3 rec {4 root = nixpkgs.lib.evalModules {5 modules = [6 (7 { ... }: {8 config = {9 inherit hosts;10 # Secret data is available only via fleet build-systems11 secrets = if builtins?getEnv then12 let13 stringData = builtins.getEnv "SECRET_DATA";14 in15 if stringData != "" then (builtins.fromJSON stringData) else {}16 else {};17 };1819 }20 )21 ] ++ common.modules ++ import ../modules/modules.nix {22 pkgs = nixpkgs;23 lib = nixpkgs.lib;24 };2526 specialArgs = {27 fleet = import ./fleetLib.nix {28 inherit nixpkgs hosts;29 };30 };31 };32 configuredHosts = root.config.hosts;33 configuredSecrets = root.config.secrets;34 configuredSystems = nixpkgs.lib.listToAttrs (35 map (36 name: {37 inherit name; value = nixpkgs.lib.nixosSystem {38 system = configuredHosts.${}.system;39 modules = configuredHosts.${}.modules;40 };41 }42 ) (builtins.attrNames hosts)43 ); #nixpkgs.lib.nixosSystem {}44 };45}1{2 fleetConfiguration = { nixpkgs, hosts, ... }@allConfig:3 let4 config = builtins.removeAttrs allConfig [ "nixpkgs" ];5 in6 rec {7 root = nixpkgs.lib.evalModules {8 modules =9 (import ../modules/modules.nix) ++ [10 config11 (12 { ... 
}: {13 options = { };14 config = {15 # Secret data is available only via fleet build-systems16 secrets =17 if builtins?getEnv then18 let19 stringData = builtins.getEnv "SECRET_DATA";20 in21 if stringData != "" then (builtins.fromJSON stringData) else { }22 else { };23 };24 }25 )26 ];27 specialArgs = {28 inherit nixpkgs;29 fleet = import ./fleetLib.nix {30 inherit nixpkgs hosts;31 };32 };33 };34 configuredHosts = root.config.hosts;35 configuredSecrets = root.config.secrets;36 configuredSystems = nixpkgs.lib.listToAttrs (37 map38 (39 name: {40 inherit name; value = nixpkgs.lib.nixosSystem {41 system = configuredHosts.${}.system;42 modules = configuredHosts.${}.modules;43 };44 }45 )46 (builtins.attrNames root.config.hosts)47 ); #nixpkgs.lib.nixosSystem {}48 };49}lib/fleetLib.nixdiffbeforeafterboth--- a/lib/fleetLib.nix
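Review bot: The inline module in the new `fleetConfiguration` defines `config.secrets` with exactly the expression this commit also adds to `modules/root.nix` (`secrets = if builtins?getEnv then … builtins.fromJSON stringData …`), so the same `attrsOf (submodule secret)` option is now set from two modules and every secret is merged from two definitions; that only stays quiet while both copies are byte-identical, and diverging them later would presumably produce merge conflicts or doubled list values rather than an obvious error. Since root.nix is already in the imported module list, I would delete the inline module here and leave `modules = (import ../modules/modules.nix) ++ [ config ];` with a comment `# secrets come from SECRET_DATA via modules/root.nix`. Note also that `config = builtins.removeAttrs allConfig [ "nixpkgs" ]` forwards every other caller attribute into evalModules as option definitions, so a caller that still passes the old `common` argument now fails with an undeclared-option error; a one-line comment on the signature, e.g. `# every attribute except nixpkgs is treated as a module option definition (hosts, …)`, would make that contract explicit. The `${}` in `configuredHosts.${}.system` looks like a rendering artifact of `${name}` rather than the committed code.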
+++ b/lib/fleetLib.nix
@@ -1,32 +1,34 @@
# Shared functions for fleet configuration, available as `fleet` module argument
{ nixpkgs, hosts }: with nixpkgs.lib; rec {
- mkSecret = let
- system = builtins.currentSystem;
- pkgs = import nixpkgs { inherit system; };
- keys = builtins.getEnv "RAGE_KEYS";
- encryptCmd = "rage ${keys} -a";
- impuritySource = builtins.getEnv "IMPURITY_SOURCE";
- in
- f: let
+ mkSecret =
+ let
+ system = builtins.currentSystem;
+ pkgs = import nixpkgs { inherit system; };
+ keys = builtins.getEnv "RAGE_KEYS";
+ encryptCmd = "rage ${keys} -a";
+ impuritySource = builtins.getEnv "IMPURITY_SOURCE";
+ in
+ f:
+ let
data = f { inherit pkgs encryptCmd; };
in
- builtins.derivation {
- inherit system;
- name = "secret";
+ builtins.derivation {
+ inherit system;
+ name = "secret";
- builder = "${pkgs.bash}/bin/bash";
- args = [
- (
- pkgs.writeTextFile {
- name = "./build-${impuritySource}.sh";
- text = data.script;
- executable = true;
- }
- )
- ];
+ builder = "${pkgs.bash}/bin/bash";
+ args = [
+ (
+ pkgs.writeTextFile {
+ name = "./build-${impuritySource}.sh";
+ text = data.script;
+ executable = true;
+ }
+ )
+ ];
- PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
- };
+ PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
+ };
# Modules can't register hosts because of infinite recursion
hostNames = attrNames hosts;
hostsToAttrs = f: listToAttrs (
@@ -34,17 +36,20 @@
);
hostsCartesian = remove null (
unique (
- crossLists (
- a: b: if a == b then
- null
- else
- hostsPair a b
- ) [ hostNames hostNames ]
+ crossLists
+ (
+ a: b:
+ if a == b then
+ null
+ else
+ hostsPair a b
+ ) [ hostNames hostNames ]
)
);
- hostsPair = this: other: let
- sorted = sort (a: b: a < b) [ this other ];
- in
+ hostsPair = this: other:
+ let
+ sorted = sort (a: b: a < b) [ this other ];
+ in
{
a = elemAt sorted 0;
b = elemAt sorted 1;
modules/modules.nixdiffbeforeafterboth
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,8 +1,4 @@
-{ pkgs
-, lib
-, check ? true
-}:
-with lib; [
+[
./networking/wireguard
./root.nix
]
modules/networking/wireguard/default.nixdiffbeforeafterboth
--- a/modules/networking/wireguard/default.nix
+++ b/modules/networking/wireguard/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, nixpkgs, fleet, ... }: with lib; with fleet; let
+{ config, lib, fleet, ... }: with lib; with fleet; let
cfg = config.networking.wireguard;
genWgKey = { owners }: {
inherit owners;
@@ -32,25 +32,27 @@
};
hostKeys = listToAttrs (
- map (
- hostName: {
- name = "wg-key-${hostName}";
- value = genWgKey {
- owners = [ hostName ];
- };
- }
- )
+ map
+ (
+ hostName: {
+ name = "wg-key-${hostName}";
+ value = genWgKey {
+ owners = [ hostName ];
+ };
+ }
+ )
hostNames
);
psks = listToAttrs (
- map (
- { a, b }: {
- name = "wg-psk-${a}-${b}";
- value = genWgPsk {
- owners = [ a b ];
- };
- }
- )
+ map
+ (
+ { a, b }: {
+ name = "wg-psk-${a}-${b}";
+ value = genWgPsk {
+ owners = [ a b ];
+ };
+ }
+ )
hostsCartesian
);
in
@@ -82,16 +84,19 @@
networking.wireguard.enable = true;
networking.wireguard.interfaces.fleetwg = {
privateKeyFile = "/run/secrets/wg-key-${hostName}";
- peers = map (
- peer: let
- pair = hostsPair hostName peer;
- in
+ peers = map
+ (
+ peer:
+ let
+ pair = hostsPair hostName peer;
+ in
{
publicKey = config.secrets."wg-key-${peer}".data.key;
presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";
allowedIPs = cfg.allowedIPs.${peer};
}
- ) hostNames;
+ )
+ hostNames;
};
}
];
modules/root.nixdiffbeforeafterboth
--- a/modules/root.nix
+++ b/modules/root.nix
@@ -22,7 +22,7 @@
data = mkOption {
type = attrsOf anything;
description = "Generated secret data, do not set it yourself";
- default = {};
+ default = { };
};
};
};
@@ -31,7 +31,7 @@
modules = mkOption {
type = listOf anything;
description = "List of nixos modules";
- default = [];
+ default = [ ];
};
network = mkOption {
type = submodule {
@@ -55,14 +55,22 @@
options = with types; {
hosts = mkOption {
type = attrsOf (submodule host);
- default = {};
+ default = { };
description = "Configurations of individual hosts";
};
secrets = mkOption {
type = attrsOf (submodule secret);
- default = {};
+ default = { };
description = "Secrets";
};
};
- config = {};
+ config = {
+ secrets =
+ if builtins?getEnv then
+ let
+ stringData = builtins.getEnv "SECRET_DATA";
+ in
+ if stringData != "" then (builtins.fromJSON stringData) else { }
+ else { };
+ };
}
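Review bot: The `builtins?getEnv` guard in the new `config.secrets` definition is dead, because `getEnv` is always present in `builtins`; what actually varies is that under pure/flake evaluation `getEnv` returns `""`, so this silently yields `{ }` and any module that dereferences a secret (the wireguard module reads `config.secrets."wg-key-${peer}".data.key`) then fails with a missing-attribute error instead of a message naming `SECRET_DATA`. I would collapse it to `secrets = let raw = builtins.getEnv "SECRET_DATA"; in if raw == "" then { } else builtins.fromJSON raw;` and put `# SECRET_DATA is a JSON object keyed by secret name, supplied by the fleet build tooling; empty under pure evaluation` above it. The parsed value is also never checked to be an attrset, so a malformed `SECRET_DATA` surfaces as a type/merge error deep inside evalModules; an `assert builtins.isAttrs parsed;` with the variable name in the message would point at the real cause. Since `data` is `attrsOf anything` and its values are interpolated into NixOS configuration (the wireguard `publicKey`), anything placed under `data` can end up in the world-readable store, so the `data` description should state that only public material belongs there and private material stays behind `/run/secrets` paths as the wireguard module already does. The module attrset that encloses this hunk begins above it.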