1# Shared functions for fleet configuration, available as `fleet` module argument2{ lib }:3let4 inherit (lib.trivial) isFunction;5 inherit (lib.options) mkOption mergeOneOption;6 inherit (lib.modules) mkOverride;7 inherit (lib.types)8 listOf9 submodule10 attrsOf11 mkOptionType12 ;13 inherit (lib.strings) optionalString hasPrefix removePrefix;14in15rec {16 types = {17 overlay = mkOptionType {18 name = "nixpkgs-overlay";19 description = "nixpkgs overlay";20 check = isFunction;21 merge = mergeOneOption;22 };23 listOfOverlay = listOf types.overlay;2425 mkHostsType = module: attrsOf (submodule module);26 mkDataType = module: submodule module;27 };2829 options = {30 mkHostsOption =31 module:32 mkOption {33 type = types.mkHostsType module;34 };35 mkDataOption =36 module:37 mkOption {38 type = types.mkDataType module;39 };40 };4142 inherit (options) mkHostsOption;4344 modules = {45 /**46 Use in places, where fleet might know better than nixpkgs defaults to47 */48 mkFleetDefault = mkOverride 999;49 /**50 Some generators use mkDefault, but optionDefault is set by nixpkgs.51 */52 mkFleetGeneratorDefault = mkOverride 1001;53 };5455 inherit (modules) mkFleetDefault mkFleetGeneratorDefault;5657 secrets = {58 /**59 Generate a random secret password, 32 ascii characters by default6061 Options:62 size: generated password length in ascii characters (bytes).63 noSymbols: by default, character set includes various special characters ($ , ! + * : ~), and might64 not be accepted in some contexts, this option switches charset to just [A-Za-z0-9].6566 Output:67 Resulting secret has only part: secret, which contains encrypted password.68 */69 mkPassword =70 {71 size ? 32,72 }:73 {74 coreutils,75 mkSecretGenerator,76 }:77 mkSecretGenerator {78 script = ''79 mkdir $out80 gh generate password -o $out/secret --size ${toStringsize}81 '';82 };8384 /**85 Generate a random ed25519 keypair8687 Options:88 noEmbedPublic: By default, secret key also embeds public key in itself ("extended" format, 64 bytes)89 When noEmbedPublis is enabled - only the private scalar is included.90 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".9192 Output:93 Resulting secret has two parts: public and secret, where the secret part is encrypted.9495 This secret format is used by e.g Garage S3 server96 */97 mkEd25519 =98 {99 noEmbedPublic ? false,100 encoding ? null,101 }:102 { mkSecretGenerator }:103 mkSecretGenerator {104 script = ''105 mkdir $out106 gh generate ed25519 -p $out/public -s $out/secret \107 ${optionalStringnoEmbedPublic"--no-embed-public"} \108 ${optionalString(encoding!=null)"--encoding=${encoding}"}109 '';110 };111112 /**113 Generate a random x25519 keypair114115 Options:116 encoding: Encoring of public and secret parts, can be "raw" (default), "base64" or "hex".117118 Output:119 Resulting secret has two parts: public and secret, where the secret part is encrypted.120121 This secret format is used by e.g Wireguard VPN for peers (base64-encoded)122 */123 mkX25519 =124 {125 encoding ? null,126 }:127 { mkSecretGenerator }:128 mkSecretGenerator {129 script = ''130 mkdir $out131 gh generate x25519 -p $out/public -s $out/secret \132 ${optionalString(encoding!=null)"--encoding=${encoding}"}133 '';134 };135136 /**137 Generate a random RSA keypair138139 Options:140 size: RSA key size, 4096 by default141142 Output:143 Resulting secret has two parts: public and secret, where the secret part is encrypted.144 Both parts are PEM encoded.145 */146 mkRsa =147 {148 size ? 4096,149 }:150 {151 openssl,152 mkSecretGenerator,153 }:154 mkSecretGenerator {155 script = ''156 mkdir $out157158 ${openssl}/bin/openssl genrsa -out rsa_private.key ${toStringsize}159 ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key160161 cat rsa_private.key | gh private -o $out/secret162 cat rsa_public.key | gh public -o $out/public163 '';164 };165166 /**167 Generate a random byte sequence168169 Options:170 size: generated password length in bytes, 32 by default.171 encoding: how the generated bytes should be encoded, "raw" (default), "hex" or "base64"172 noNuls: prevent output byte sequence from containing internal \0, useful for some C applications173 that can't handle their strings properly.174175 Output:176 Resulting secret has only part: secret, which contains encrypted bytes.177178 Might be used for e.g. Wireguard VPN PSK keys (base64-encoded)179 */180 mkBytes =181 {182 count ? 32,183 encoding,184 noNuls ? false,185 }:186 { mkSecretGenerator }:187 mkSecretGenerator {188 script = ''189 mkdir $out190 gh generate bytes --count=${toStringcount} --encoding=${encoding} -o $out/secret \191 ${optionalStringnoNuls"--no-nuls"}192 '';193 };194 /**195 Shorthand for `mkBytes`, which defaults to "hex" encoding196 */197 mkHexBytes =198 {199 count ? 32,200 }:201 mkBytes {202 inherit count;203 encoding = "hex";204 };205 /**206 Shorthand for `mkBytes`, which defaults to "base64" encoding207 */208 mkBase64Bytes =209 {210 count ? 32,211 }:212 mkBytes {213 inherit count;214 encoding = "base64";215 };216217 # Wireguard218 # mkWireguard = {}: mkX25519 {encoding = "base64";};219 # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};220 };221222 inherit (secrets)223 mkPassword224 mkEd25519225 mkX25519226 mkRsa227 mkBytes228 mkHexBytes229 mkBase64Bytes230 ;231232 strings =233 let234 plaintextPrefix = "<PLAINTEXT>";235 plaintextNewlinePrefix = "<PLAINTEXT-NL>";236 in237 {238 /**239 Decode public secret part into string240 */241 decodeRawSecret =242 raw:243 if hasPrefix plaintextPrefix raw then244 removePrefix plaintextPrefix raw245 else if hasPrefix plaintextNewlinePrefix raw then246 removePrefix plaintextNewlinePrefix raw247 else248 throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";249 };250251 inherit (strings) decodeRawSecret;252}difftreelog
source
lib/default.nix6.4 KiBsourcehistory