git.delta.rocks / jrsonnet / refs/commits / c02ef189daa2


refactor recurse less

Yaroslav Bolyukin2021-07-10parent: #c6d77aa.patch.diff
in: trunk

5 files changed

modifiedlib/default.nixdiffbeforeafterboth
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,29 +1,31 @@
 {
-  fleetConfiguration = { common ? { modules = []; }, hosts, nixpkgs }@args:
+  fleetConfiguration = { nixpkgs, hosts, ... }@allConfig:
+    let
+      config = builtins.removeAttrs allConfig [ "nixpkgs" ];
+    in
     rec {
       root = nixpkgs.lib.evalModules {
-        modules = [
-          (
-            { ... }: {
-              config = {
-                inherit hosts;
-                # Secret data is available only via fleet build-systems
-                secrets = if builtins?getEnv then
-                  let
-                    stringData = builtins.getEnv "SECRET_DATA";
-                  in
-                    if stringData != "" then (builtins.fromJSON stringData) else {}
-                else {};
-              };
-
-            }
-          )
-        ] ++ common.modules ++ import ../modules/modules.nix {
-          pkgs = nixpkgs;
-          lib = nixpkgs.lib;
-        };
-
+        modules =
+          (import ../modules/modules.nix) ++ [
+            config
+            (
+              { ... }: {
+                options = { };
+                config = {
+                  # Secret data is available only via fleet build-systems
+                  secrets =
+                    if builtins?getEnv then
+                      let
+                        stringData = builtins.getEnv "SECRET_DATA";
+                      in
+                      if stringData != "" then (builtins.fromJSON stringData) else { }
+                    else { };
+                };
+              }
+            )
+          ];
         specialArgs = {
+          inherit nixpkgs;
           fleet = import ./fleetLib.nix {
             inherit nixpkgs hosts;
           };
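Review bot: The SECRET_DATA parsing that defines `secrets` is kept here in the inline module and is also added to `config` in modules/root.nix by the same commit, so the same option is now defined twice from the same environment variable. The module system merges both definitions, which presumably works while they stay identical, but it leaves two places to keep in sync whenever the secret-loading logic changes. I would drop the inline module here and keep the definition in modules/root.nix, leaving `modules = (import ../modules/modules.nix) ++ [ config ];`. The `rec { … }` body continues outside this hunk.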
@@ -32,14 +34,16 @@
       configuredHosts = root.config.hosts;
       configuredSecrets = root.config.secrets;
       configuredSystems = nixpkgs.lib.listToAttrs (
-        map (
-          name: {
-            inherit name; value = nixpkgs.lib.nixosSystem {
-            system = configuredHosts.${name}.system;
-            modules = configuredHosts.${name}.modules;
-          };
-          }
-        ) (builtins.attrNames hosts)
+        map
+          (
+            name: {
+              inherit name; value = nixpkgs.lib.nixosSystem {
+              system = configuredHosts.${name}.system;
+              modules = configuredHosts.${name}.modules;
+            };
+            }
+          )
+          (builtins.attrNames root.config.hosts)
       ); #nixpkgs.lib.nixosSystem {}
     };
 }
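Review bot: `configuredSystems` now iterates over `builtins.attrNames root.config.hosts`, but `fleetLib.nix` is still imported with the raw `hosts` argument (`inherit nixpkgs hosts;` in the first hunk), so its `hostNames` and `hostsCartesian` only see hosts passed directly to `fleetConfiguration`. A host contributed by a module would get a NixOS system here while, as far as the wireguard module on this page shows, no `wg-key-*` or `wg-psk-*` secret would be generated for it. Either keep both sides on the same host list or state the limitation next to this line, e.g. `# hosts must be passed to fleetConfiguration directly; fleet.hostNames does not see hosts added by modules`. The leftover `#nixpkgs.lib.nixosSystem {}` comment after the closing parenthesis could also be removed.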
modifiedlib/fleetLib.nixdiffbeforeafterboth
--- a/lib/fleetLib.nix
+++ b/lib/fleetLib.nix
@@ -1,32 +1,34 @@
 # Shared functions for fleet configuration, available as `fleet` module argument
 { nixpkgs, hosts }: with nixpkgs.lib; rec {
-  mkSecret = let
-    system = builtins.currentSystem;
-    pkgs = import nixpkgs { inherit system; };
-    keys = builtins.getEnv "RAGE_KEYS";
-    encryptCmd = "rage ${keys} -a";
-    impuritySource = builtins.getEnv "IMPURITY_SOURCE";
-  in
-    f: let
+  mkSecret =
+    let
+      system = builtins.currentSystem;
+      pkgs = import nixpkgs { inherit system; };
+      keys = builtins.getEnv "RAGE_KEYS";
+      encryptCmd = "rage ${keys} -a";
+      impuritySource = builtins.getEnv "IMPURITY_SOURCE";
+    in
+    f:
+    let
       data = f { inherit pkgs encryptCmd; };
     in
-      builtins.derivation {
-        inherit system;
-        name = "secret";
+    builtins.derivation {
+      inherit system;
+      name = "secret";
 
-        builder = "${pkgs.bash}/bin/bash";
-        args = [
-          (
-            pkgs.writeTextFile {
-              name = "./build-${impuritySource}.sh";
-              text = data.script;
-              executable = true;
-            }
-          )
-        ];
+      builder = "${pkgs.bash}/bin/bash";
+      args = [
+        (
+          pkgs.writeTextFile {
+            name = "./build-${impuritySource}.sh";
+            text = data.script;
+            executable = true;
+          }
+        )
+      ];
 
-        PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
-      };
+      PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
+    };
   # Modules can't register hosts because of infinite recursion
   hostNames = attrNames hosts;
   hostsToAttrs = f: listToAttrs (
@@ -34,17 +36,20 @@
   );
   hostsCartesian = remove null (
     unique (
-      crossLists (
-        a: b: if a == b then
-          null
-        else
-          hostsPair a b
-      ) [ hostNames hostNames ]
+      crossLists
+        (
+          a: b:
+            if a == b then
+              null
+            else
+              hostsPair a b
+        ) [ hostNames hostNames ]
     )
   );
-  hostsPair = this: other: let
-    sorted = sort (a: b: a < b) [ this other ];
-  in
+  hostsPair = this: other:
+    let
+      sorted = sort (a: b: a < b) [ this other ];
+    in
     {
       a = elemAt sorted 0;
       b = elemAt sorted 1;
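--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,8 +1,4 @@
-{ pkgs
-, lib
-, check ? true
-}:
-with lib; [
+[
   ./networking/wireguard
   ./root.nix
 ]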
modifiedmodules/networking/wireguard/default.nixdiffbeforeafterboth
--- a/modules/networking/wireguard/default.nix
+++ b/modules/networking/wireguard/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, nixpkgs, fleet, ... }: with lib; with fleet; let
+{ config, lib, fleet, ... }: with lib; with fleet; let
   cfg = config.networking.wireguard;
   genWgKey = { owners }: {
     inherit owners;
@@ -32,25 +32,27 @@
   };
 
   hostKeys = listToAttrs (
-    map (
-      hostName: {
-        name = "wg-key-${hostName}";
-        value = genWgKey {
-          owners = [ hostName ];
-        };
-      }
-    )
+    map
+      (
+        hostName: {
+          name = "wg-key-${hostName}";
+          value = genWgKey {
+            owners = [ hostName ];
+          };
+        }
+      )
       hostNames
   );
   psks = listToAttrs (
-    map (
-      { a, b }: {
-        name = "wg-psk-${a}-${b}";
-        value = genWgPsk {
-          owners = [ a b ];
-        };
-      }
-    )
+    map
+      (
+        { a, b }: {
+          name = "wg-psk-${a}-${b}";
+          value = genWgPsk {
+            owners = [ a b ];
+          };
+        }
+      )
       hostsCartesian
   );
 in
@@ -82,16 +84,19 @@
             networking.wireguard.enable = true;
             networking.wireguard.interfaces.fleetwg = {
               privateKeyFile = "/run/secrets/wg-key-${hostName}";
-              peers = map (
-                peer: let
-                  pair = hostsPair hostName peer;
-                in
+              peers = map
+                (
+                  peer:
+                  let
+                    pair = hostsPair hostName peer;
+                  in
                   {
                     publicKey = config.secrets."wg-key-${peer}".data.key;
                     presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";
                     allowedIPs = cfg.allowedIPs.${peer};
                   }
-              ) hostNames;
+                )
+                hostNames;
             };
           }
         ];
modifiedmodules/root.nixdiffbeforeafterboth
--- a/modules/root.nix
+++ b/modules/root.nix
@@ -22,7 +22,7 @@
       data = mkOption {
         type = attrsOf anything;
         description = "Generated secret data, do not set it yourself";
-        default = {};
+        default = { };
       };
     };
   };
@@ -31,7 +31,7 @@
       modules = mkOption {
         type = listOf anything;
         description = "List of nixos modules";
-        default = [];
+        default = [ ];
       };
       network = mkOption {
         type = submodule {
@@ -55,14 +55,22 @@
   options = with types; {
     hosts = mkOption {
       type = attrsOf (submodule host);
-      default = {};
+      default = { };
       description = "Configurations of individual hosts";
     };
     secrets = mkOption {
       type = attrsOf (submodule secret);
-      default = {};
+      default = { };
       description = "Secrets";
     };
   };
-  config = {};
+  config = {
+    secrets =
+      if builtins?getEnv then
+        let
+          stringData = builtins.getEnv "SECRET_DATA";
+        in
+        if stringData != "" then (builtins.fromJSON stringData) else { }
+      else { };
+  };
 }
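Review bot: The new `config.secrets` block falls back to `{ }` both when `builtins.getEnv` is unavailable and when `SECRET_DATA` is empty, and the comment that explained this in lib/default.nix (`# Secret data is available only via fleet build-systems`) was not carried over. An evaluation outside fleet therefore proceeds with no generated data, and the first visible failure is presumably a missing-attribute error at a consumer such as `config.secrets."wg-key-${peer}".data.key`, not a message naming the variable. I would add above `secrets =` the comment `# SECRET_DATA is set by fleet; without it generated secret data is empty and consumers of secrets.<name>.data fail at use`. A malformed value aborts evaluation inside `builtins.fromJSON`, which seems the right behaviour and is worth stating in the same comment.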