
lib/default.nix
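# Shared functions for fleet configuration, available as `fleet` module argument
#
# Every value interpolated into a generator script below is passed through
# `escapeShellArg`, and `$out` is always double-quoted, so the generated shell
# text cannot be reshaped by whitespace or shell metacharacters in an argument
# or in the output path.
{lib}: let
  inherit (lib.trivial) isFunction;
  inherit (lib.options) mkOption mergeOneOption;
  inherit (lib.modules) mkOverride;
  inherit (lib.types) listOf submodule attrsOf mkOptionType;
  inherit (lib.strings) optionalString escapeShellArg;
in rec {
  types = {
    # Option type for a single nixpkgs overlay: any function is accepted
    # (`check = isFunction`), and `mergeOneOption` is used as the merge function.
    overlay = mkOptionType {
      name = "nixpkgs-overlay";
      description = "nixpkgs overlay";
      check = isFunction;
      merge = mergeOneOption;
    };
    listOfOverlay = listOf types.overlay;

    # Attribute set of hosts, each value being a submodule built from `module`.
    mkHostsType = module: attrsOf (submodule module);
  };

  options = {
    # Option whose type is `mkHostsType module`; no default or description is set here.
    mkHostsOption = module:
      mkOption {
        type = types.mkHostsType module;
      };
  };

  inherit (options) mkHostsOption;

  modules = {
    # mkDefault = mkOverride 1000
    # For places, where fleet knows better than nixpkgs defaults.
    # (A lower number wins, so 999 takes precedence over mkDefault.)
    mkFleetDefault = mkOverride 999;
    # Some generators use mkDefault, but optionDefault is set by nixpkgs.
    # (1001 loses to mkDefault but still beats the option's own default.)
    mkFleetGeneratorDefault = mkOverride 1001;
  };

  inherit (modules) mkFleetDefault mkFleetGeneratorDefault;

  # Secret generator constructors. Each takes its own settings first and then
  # an attribute set that must provide `mkSecretGenerator`; the result is
  # `mkSecretGenerator { script = ...; }`. The scripts call a `gh` command that
  # is not defined in this file.
  # NOTE(review): presumably `gh` is put on PATH by mkSecretGenerator - confirm.
  secrets = {
    # Password of `size` (default 32), written to $out/secret.
    # `coreutils` is requested from the caller but not referenced in the script.
    mkPassword = {size ? 32}: {
      coreutils,
      mkSecretGenerator,
      ...
    }:
      mkSecretGenerator {
        script = ''
          mkdir "$out"
          gh generate password -o "$out/secret" --size ${escapeShellArg (toString size)}
        '';
      };

    # Ed25519 key pair: public part to $out/public, secret part to $out/secret.
    # `noEmbedPublic` adds --no-embed-public; `encoding`, when not null, is
    # passed through as --encoding=<value>.
    mkEd25519 = {
      noEmbedPublic ? false,
      encoding ? null,
    }: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir "$out"
          gh generate ed25519 -p "$out/public" -s "$out/secret" \
            ${optionalString noEmbedPublic "--no-embed-public"} \
            ${optionalString (encoding != null) "--encoding=${escapeShellArg encoding}"}
        '';
      };

    # X25519 key pair, same output layout as mkEd25519.
    mkX25519 = {encoding ? null}: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir "$out"
          gh generate x25519 -p "$out/public" -s "$out/secret" \
            ${optionalString (encoding != null) "--encoding=${escapeShellArg encoding}"}
        '';
      };

    # RSA key pair of `size` bits (default 4096), generated with openssl.
    # openssl writes both halves as plaintext files in the script's working
    # directory before they are fed to `gh private` / `gh public`; those
    # intermediate files are removed again once `gh` has consumed them, so the
    # unwrapped private key does not outlive the script on its success path.
    # NOTE(review): if an earlier command fails and the wrapper aborts the
    # script, the plaintext files stay behind - confirm that mkSecretGenerator
    # runs this in a directory that is discarded afterwards.
    mkRsa = {size ? 4096}: {
      openssl,
      mkSecretGenerator,
      ...
    }:
      mkSecretGenerator {
        script = ''
          mkdir "$out"

          ${openssl}/bin/openssl genrsa -out rsa_private.key ${escapeShellArg (toString size)}
          ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key

          gh private -o "$out/secret" < rsa_private.key
          gh public -o "$out/public" < rsa_public.key

          rm -f rsa_private.key rsa_public.key
        '';
      };

    # `count` bytes (default 32) in the given `encoding` (required), written to
    # $out/secret. `noNuls` adds --no-nuls.
    mkBytes = {
      count ? 32,
      encoding,
      noNuls ? false,
    }: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir "$out"
          gh generate bytes --count=${escapeShellArg (toString count)} --encoding=${escapeShellArg encoding} -o "$out/secret" \
            ${optionalString noNuls "--no-nuls"}
        '';
      };
    # mkBytes with encoding fixed to "hex".
    mkHexBytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "hex";
      };
    # mkBytes with encoding fixed to "base64".
    mkBase64Bytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "base64";
      };

    # Wireguard
    # mkWireguard = {}: mkX25519 {encoding = "base64";};
    # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
  };

  inherit (secrets) mkPassword mkEd25519 mkX25519 mkRsa mkBytes mkHexBytes mkBase64Bytes;
}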