

refactor recurse less

Yaroslav Bolyukin2021-07-10parent: #c6d77aa.patch.diff
in: trunk

5 files changed

modifiedlib/default.nixdiffbeforeafterboth
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,29 +1,31 @@
 {
-  fleetConfiguration = { common ? { modules = []; }, hosts, nixpkgs }@args:
+  fleetConfiguration = { nixpkgs, hosts, ... }@allConfig:
+    let
+      config = builtins.removeAttrs allConfig [ "nixpkgs" ];
+    in
     rec {
       root = nixpkgs.lib.evalModules {
-        modules = [
-          (
-            { ... }: {
-              config = {
-                inherit hosts;
-                # Secret data is available only via fleet build-systems
-                secrets = if builtins?getEnv then
-                  let
-                    stringData = builtins.getEnv "SECRET_DATA";
-                  in
-                    if stringData != "" then (builtins.fromJSON stringData) else {}
-                else {};
-              };
-
-            }
-          )
-        ] ++ common.modules ++ import ../modules/modules.nix {
-          pkgs = nixpkgs;
-          lib = nixpkgs.lib;
-        };
-
+        modules =
+          (import ../modules/modules.nix) ++ [
+            config
+            (
+              { ... }: {
+                options = { };
+                config = {
+                  # Secret data is available only via fleet build-systems
+                  secrets =
+                    if builtins?getEnv then
+                      let
+                        stringData = builtins.getEnv "SECRET_DATA";
+                      in
+                      if stringData != "" then (builtins.fromJSON stringData) else { }
+                    else { };
+                };
+              }
+            )
+          ];
         specialArgs = {
+          inherit nixpkgs;
           fleet = import ./fleetLib.nix {
             inherit nixpkgs hosts;
           };
@@ -32,14 +34,16 @@
       configuredHosts = root.config.hosts;
       configuredSecrets = root.config.secrets;
       configuredSystems = nixpkgs.lib.listToAttrs (
-        map (
-          name: {
-            inherit name; value = nixpkgs.lib.nixosSystem {
-            system = configuredHosts.${name}.system;
-            modules = configuredHosts.${name}.modules;
-          };
-          }
-        ) (builtins.attrNames hosts)
+        map
+          (
+            name: {
+              inherit name; value = nixpkgs.lib.nixosSystem {
+              system = configuredHosts.${name}.system;
+              modules = configuredHosts.${name}.modules;
+            };
+            }
+          )
+          (builtins.attrNames root.config.hosts)
       ); #nixpkgs.lib.nixosSystem {}
     };
 }
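Review bot: The `secrets` expression that reads and parses `SECRET_DATA` in the new anonymous module (lines 53–59) is the same expression the commit also adds as `config.secrets` in modules/root.nix (lines 226–232), so the environment variable is read and JSON-decoded twice and the two copies will drift; since root.nix is already listed in modules/modules.nix, the inline module here can be reduced to `config` alone, or the root.nix copy dropped — keep one. Separately, `{ nixpkgs, hosts, ... }@allConfig` forwards every extra attribute into `evalModules` through `config`, so a caller that still passes the removed `common` argument will now get an undefined-option error instead of having its modules merged. If that is intended, a comment on line 20 such as `# every attribute except nixpkgs is an option definition for modules/root.nix` would make the contract explicit. In the second hunk, `builtins.attrNames root.config.hosts` on line 90 could reuse `configuredHosts` defined on line 70 rather than reaching into `root.config` again.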
modifiedlib/fleetLib.nixdiffbeforeafterboth
before · lib/fleetLib.nix
1# Shared functions for fleet configuration, available as `fleet` module argument2{ nixpkgs, hosts }: with nixpkgs.lib; rec {3  mkSecret = let4    system = builtins.currentSystem;5    pkgs = import nixpkgs { inherit system; };6    keys = builtins.getEnv "RAGE_KEYS";7    encryptCmd = "rage ${keys} -a";8    impuritySource = builtins.getEnv "IMPURITY_SOURCE";9  in10    f: let11      data = f { inherit pkgs encryptCmd; };12    in13      builtins.derivation {14        inherit system;15        name = "secret";1617        builder = "${pkgs.bash}/bin/bash";18        args = [19          (20            pkgs.writeTextFile {21              name = "./build-${impuritySource}.sh";22              text = data.script;23              executable = true;24            }25          )26        ];2728        PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";29      };30  # Modules can't register hosts because of infinite recursion31  hostNames = attrNames hosts;32  hostsToAttrs = f: listToAttrs (33    map (name: { inherit name; value = f name; }) hostNames34  );35  hostsCartesian = remove null (36    unique (37      crossLists (38        a: b: if a == b then39          null40        else41          hostsPair a b42      ) [ hostNames hostNames ]43    )44  );45  hostsPair = this: other: let46    sorted = sort (a: b: a < b) [ this other ];47  in48    {49      a = elemAt sorted 0;50      b = elemAt sorted 1;51    };52}
modifiedmodules/modules.nixdiffbeforeafterboth
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,8 +1,4 @@
-{ pkgs
-, lib
-, check ? true
-}:
-with lib; [
+[
   ./networking/wireguard
   ./root.nix
 ]
modifiedmodules/networking/wireguard/default.nixdiffbeforeafterboth
--- a/modules/networking/wireguard/default.nix
+++ b/modules/networking/wireguard/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, nixpkgs, fleet, ... }: with lib; with fleet; let
+{ config, lib, fleet, ... }: with lib; with fleet; let
   cfg = config.networking.wireguard;
   genWgKey = { owners }: {
     inherit owners;
@@ -32,25 +32,27 @@
   };
 
   hostKeys = listToAttrs (
-    map (
-      hostName: {
-        name = "wg-key-${hostName}";
-        value = genWgKey {
-          owners = [ hostName ];
-        };
-      }
-    )
+    map
+      (
+        hostName: {
+          name = "wg-key-${hostName}";
+          value = genWgKey {
+            owners = [ hostName ];
+          };
+        }
+      )
       hostNames
   );
   psks = listToAttrs (
-    map (
-      { a, b }: {
-        name = "wg-psk-${a}-${b}";
-        value = genWgPsk {
-          owners = [ a b ];
-        };
-      }
-    )
+    map
+      (
+        { a, b }: {
+          name = "wg-psk-${a}-${b}";
+          value = genWgPsk {
+            owners = [ a b ];
+          };
+        }
+      )
       hostsCartesian
   );
 in
@@ -82,16 +84,19 @@
             networking.wireguard.enable = true;
             networking.wireguard.interfaces.fleetwg = {
               privateKeyFile = "/run/secrets/wg-key-${hostName}";
-              peers = map (
-                peer: let
-                  pair = hostsPair hostName peer;
-                in
+              peers = map
+                (
+                  peer:
+                  let
+                    pair = hostsPair hostName peer;
+                  in
                   {
                     publicKey = config.secrets."wg-key-${peer}".data.key;
                     presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";
                     allowedIPs = cfg.allowedIPs.${peer};
                   }
-              ) hostNames;
+                )
+                hostNames;
             };
           }
         ];
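Review bot: The reformatted `peers` list on lines 171–184 is still built from the full `hostNames`, so each host appears as a peer of itself; `hostsCartesian` in lib/fleetLib.nix drops `a == b` pairs, so `"/run/secrets/wg-psk-${pair.a}-${pair.b}"` has no matching secret for that self-entry unless the list is filtered somewhere above this hunk — `(remove hostName hostNames)` would make the exclusion explicit. Also, line 179 sets `presharedKey` to a path under `/run/secrets` while line 166 correctly uses `privateKeyFile`; in the NixOS wireguard module `presharedKey` is the literal key and is copied into the Nix store, and the path-taking option is `presharedKeyFile = "/run/secrets/wg-psk-${pair.a}-${pair.b}";`, unless a module in this repo redefines that option. The enclosing per-host module starts and ends outside the hunk.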
modifiedmodules/root.nixdiffbeforeafterboth
--- a/modules/root.nix
+++ b/modules/root.nix
@@ -22,7 +22,7 @@
       data = mkOption {
         type = attrsOf anything;
         description = "Generated secret data, do not set it yourself";
-        default = {};
+        default = { };
       };
     };
   };
@@ -31,7 +31,7 @@
       modules = mkOption {
         type = listOf anything;
         description = "List of nixos modules";
-        default = [];
+        default = [ ];
       };
       network = mkOption {
         type = submodule {
@@ -55,14 +55,22 @@
   options = with types; {
     hosts = mkOption {
       type = attrsOf (submodule host);
-      default = {};
+      default = { };
       description = "Configurations of individual hosts";
     };
     secrets = mkOption {
       type = attrsOf (submodule secret);
-      default = {};
+      default = { };
       description = "Secrets";
     };
   };
-  config = {};
+  config = {
+    secrets =
+      if builtins?getEnv then
+        let
+          stringData = builtins.getEnv "SECRET_DATA";
+        in
+        if stringData != "" then (builtins.fromJSON stringData) else { }
+      else { };
+  };
 }