refactor recurse less
in: trunk
5 files changed
lib/default.nixdiffbeforeafterboth--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,29 +1,31 @@
{
- fleetConfiguration = { common ? { modules = []; }, hosts, nixpkgs }@args:
+ fleetConfiguration = { nixpkgs, hosts, ... }@allConfig:
+ let
+ config = builtins.removeAttrs allConfig [ "nixpkgs" ];
+ in
rec {
root = nixpkgs.lib.evalModules {
- modules = [
- (
- { ... }: {
- config = {
- inherit hosts;
- # Secret data is available only via fleet build-systems
- secrets = if builtins?getEnv then
- let
- stringData = builtins.getEnv "SECRET_DATA";
- in
- if stringData != "" then (builtins.fromJSON stringData) else {}
- else {};
- };
-
- }
- )
- ] ++ common.modules ++ import ../modules/modules.nix {
- pkgs = nixpkgs;
- lib = nixpkgs.lib;
- };
-
+ modules =
+ (import ../modules/modules.nix) ++ [
+ config
+ (
+ { ... }: {
+ options = { };
+ config = {
+ # Secret data is available only via fleet build-systems
+ secrets =
+ if builtins?getEnv then
+ let
+ stringData = builtins.getEnv "SECRET_DATA";
+ in
+ if stringData != "" then (builtins.fromJSON stringData) else { }
+ else { };
+ };
+ }
+ )
+ ];
specialArgs = {
+ inherit nixpkgs;
fleet = import ./fleetLib.nix {
inherit nixpkgs hosts;
};
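Review bot: The `secrets` definition that the new inline module builds from `builtins.getEnv "SECRET_DATA"` (the `secrets = if builtins?getEnv then … else { };` lines) is now also emitted, character for character, by the `config = { secrets = … }` block this commit adds to modules/root.nix, so the same environment variable is parsed twice and the `secrets` option receives two module definitions. With identical values the module system's attrsOf/submodule merge presumably resolves them, but the moment one copy diverges the result is a merge error or two silently different secret sets, and the duplication is not explained anywhere. Keep a single definition — root.nix already declares the option and is the natural home — and reduce the inline module here to what it still needs, or drop it entirely if `options = { };` was only a placeholder. If the root.nix copy is the one that stays, carry the `# Secret data is available only via fleet build-systems` comment over with it. `fleetConfiguration` continues into the second hunk of this file.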
@@ -32,14 +34,16 @@
configuredHosts = root.config.hosts;
configuredSecrets = root.config.secrets;
configuredSystems = nixpkgs.lib.listToAttrs (
- map (
- name: {
- inherit name; value = nixpkgs.lib.nixosSystem {
- system = configuredHosts.${name}.system;
- modules = configuredHosts.${name}.modules;
- };
- }
- ) (builtins.attrNames hosts)
+ map
+ (
+ name: {
+ inherit name; value = nixpkgs.lib.nixosSystem {
+ system = configuredHosts.${name}.system;
+ modules = configuredHosts.${name}.modules;
+ };
+ }
+ )
+ (builtins.attrNames root.config.hosts)
); #nixpkgs.lib.nixosSystem {}
};
}
lib/fleetLib.nixdiffbeforeafterboth--- a/lib/fleetLib.nix
+++ b/lib/fleetLib.nix
@@ -1,32 +1,34 @@
# Shared functions for fleet configuration, available as `fleet` module argument
{ nixpkgs, hosts }: with nixpkgs.lib; rec {
- mkSecret = let
- system = builtins.currentSystem;
- pkgs = import nixpkgs { inherit system; };
- keys = builtins.getEnv "RAGE_KEYS";
- encryptCmd = "rage ${keys} -a";
- impuritySource = builtins.getEnv "IMPURITY_SOURCE";
- in
- f: let
+ mkSecret =
+ let
+ system = builtins.currentSystem;
+ pkgs = import nixpkgs { inherit system; };
+ keys = builtins.getEnv "RAGE_KEYS";
+ encryptCmd = "rage ${keys} -a";
+ impuritySource = builtins.getEnv "IMPURITY_SOURCE";
+ in
+ f:
+ let
data = f { inherit pkgs encryptCmd; };
in
- builtins.derivation {
- inherit system;
- name = "secret";
+ builtins.derivation {
+ inherit system;
+ name = "secret";
- builder = "${pkgs.bash}/bin/bash";
- args = [
- (
- pkgs.writeTextFile {
- name = "./build-${impuritySource}.sh";
- text = data.script;
- executable = true;
- }
- )
- ];
+ builder = "${pkgs.bash}/bin/bash";
+ args = [
+ (
+ pkgs.writeTextFile {
+ name = "./build-${impuritySource}.sh";
+ text = data.script;
+ executable = true;
+ }
+ )
+ ];
- PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
- };
+ PATH = "${pkgs.coreutils}/bin:${pkgs.rage}/bin${builtins.concatStringsSep "" (builtins.map (n: ":${n}/bin") data.utils)}";
+ };
# Modules can't register hosts because of infinite recursion
hostNames = attrNames hosts;
hostsToAttrs = f: listToAttrs (
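Review bot: `encryptCmd = "rage ${keys} -a"` splices the raw `RAGE_KEYS` environment value, unquoted, into a shell fragment that `data.script` later interpolates, and that script is written to the Nix store by `pkgs.writeTextFile`, so whatever the variable holds becomes world-readable store content; nothing in the hunk records that it must contain only recipient flags. A comment on the `keys = builtins.getEnv "RAGE_KEYS";` line, e.g. `# rage recipient flags (public keys only) — embedded verbatim, unquoted, in a store-visible build script`, would make that constraint explicit for whoever sets the variable. Separately, unless I am misreading Nix's store-path name rules, `name = "./build-${impuritySource}.sh"` both starts with a dot and contains a slash, which `checkStoreName` rejects; if this derivation has not been instantiated recently, that line deserves a check, and a plain `name = "build-${impuritySource}.sh"` (or `destination` for the path) would avoid the question. `hostsToAttrs` on the last line of the hunk continues past it.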
@@ -34,17 +36,20 @@
);
hostsCartesian = remove null (
unique (
- crossLists (
- a: b: if a == b then
- null
- else
- hostsPair a b
- ) [ hostNames hostNames ]
+ crossLists
+ (
+ a: b:
+ if a == b then
+ null
+ else
+ hostsPair a b
+ ) [ hostNames hostNames ]
)
);
- hostsPair = this: other: let
- sorted = sort (a: b: a < b) [ this other ];
- in
+ hostsPair = this: other:
+ let
+ sorted = sort (a: b: a < b) [ this other ];
+ in
{
a = elemAt sorted 0;
b = elemAt sorted 1;
modules/modules.nixdiffbeforeafterboth--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -1,8 +1,4 @@
-{ pkgs
-, lib
-, check ? true
-}:
-with lib; [
+[
./networking/wireguard
./root.nix
]
modules/networking/wireguard/default.nixdiffbeforeafterboth1{ config, lib, nixpkgs, fleet, ... }: with lib; with fleet; let2 cfg = config.networking.wireguard;3 genWgKey = { owners }: {4 inherit owners;5 generator = mkSecret (6 { pkgs, encryptCmd }: {7 utils = [ pkgs.wireguard-tools ];8 script = ''9 key=wg10 pub=echo$key|wg1112 mkdir -p $out13 echo $key | ${encryptCmd} >$out/key14 echo $pub >$out/pub_key15 '';16 }17 );18 };19 genWgPsk = { owners }: {20 inherit owners;21 generator = mkSecret (22 { pkgs, encryptCmd }: {23 utils = [ pkgs.wireguard-tools ];24 script = ''25 key=wg2627 mkdir -p $out28 echo $key | ${encryptCmd} >$out/key29 '';30 }31 );32 };3334 hostKeys = listToAttrs (35 map (36 hostName: {37 name = "wg-key-${hostName}";38 value = genWgKey {39 owners = [ hostName ];40 };41 }42 )43 hostNames44 );45 psks = listToAttrs (46 map (47 { a, b }: {48 name = "wg-psk-${a}-${b}";49 value = genWgPsk {50 owners = [ a b ];51 };52 }53 )54 hostsCartesian55 );56in57{58 options.networking.wireguard = with types; {59 enable = mkEnableOption "wireguard";60 interface = mkOption {61 type = str;62 description = "Interface name for wireguard network";63 default = "fleet";64 };65 port = mkOption {66 type = int;67 description = "Port, on which wireguard interface should listen";68 default = 51871;69 };70 allowedIPs = mkOption {71 type = attrsOf (listOf str);72 description = "Per host allowed ips";73 };74 };75 config = mkIf cfg.enable {76 secrets =77 (hostKeys // psks);78 hosts = hostsToAttrs (79 hostName: {80 modules = [81 {82 networking.wireguard.enable = true;83 networking.wireguard.interfaces.fleetwg = {84 privateKeyFile = "/run/secrets/wg-key-${hostName}";85 peers = map (86 peer: let87 pair = hostsPair hostName peer;88 in89 {90 publicKey = config.secrets."wg-key-${peer}".data.key;91 presharedKey = "/run/secrets/wg-psk-${pair.a}-${pair.b}";92 allowedIPs = cfg.allowedIPs.${peer};93 }94 ) hostNames;95 };96 }97 ];98 }99 );100 };101}modules/root.nixdiffbeforeafterboth--- 
a/modules/root.nix
+++ b/modules/root.nix
@@ -22,7 +22,7 @@
data = mkOption {
type = attrsOf anything;
description = "Generated secret data, do not set it yourself";
- default = {};
+ default = { };
};
};
};
@@ -31,7 +31,7 @@
modules = mkOption {
type = listOf anything;
description = "List of nixos modules";
- default = [];
+ default = [ ];
};
network = mkOption {
type = submodule {
@@ -55,14 +55,22 @@
options = with types; {
hosts = mkOption {
type = attrsOf (submodule host);
- default = {};
+ default = { };
description = "Configurations of individual hosts";
};
secrets = mkOption {
type = attrsOf (submodule secret);
- default = {};
+ default = { };
description = "Secrets";
};
};
- config = {};
+ config = {
+ secrets =
+ if builtins?getEnv then
+ let
+ stringData = builtins.getEnv "SECRET_DATA";
+ in
+ if stringData != "" then (builtins.fromJSON stringData) else { }
+ else { };
+ };
}