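{lib}: let
  inherit (lib.trivial) isFunction;
  inherit (lib.options) mkOption mergeOneOption;
  inherit (lib.modules) mkOverride;
  inherit (lib.types) listOf submodule attrsOf mkOptionType;
  inherit (lib.strings) optionalString hasPrefix removePrefix;
in rec {
  # Option types shared by the fleet modules.
  types = {
    # A nixpkgs overlay (`final: prev: { ... }`). Any function passes the
    # check; the arity/shape of the function is not verified here. Only one
    # definition per option is accepted (mergeOneOption) — use
    # `listOfOverlay` where several overlays have to be combined.
    overlay = mkOptionType {
      name = "nixpkgs-overlay";
      description = "nixpkgs overlay";
      check = isFunction;
      merge = mergeOneOption;
    };
    listOfOverlay = listOf types.overlay;

    # Attribute set keyed by host name, each value an instance of `module`.
    mkHostsType = module: attrsOf (submodule module);
    # A single instance of `module`.
    mkDataType = module: submodule module;
  };

  options = {
    # Declare an option of type `types.mkHostsType module` (no default,
    # no description — callers add those via the module system if needed).
    mkHostsOption = module:
      mkOption {
        type = types.mkHostsType module;
      };
    # Declare an option of type `types.mkDataType module`.
    mkDataOption = module:
      mkOption {
        type = types.mkDataType module;
      };
  };

  inherit (options) mkHostsOption;

  modules = {
    # Priority helpers for values the fleet framework sets itself. In the
    # nixpkgs module system a lower number wins, and lib.mkDefault is
    # mkOverride 1000 (confirm against the nixpkgs in use): 999 therefore
    # beats a user's mkDefault while still losing to a plain assignment ...
    mkFleetDefault = mkOverride 999;
    # ... and 1001 loses to a user's mkDefault.
    mkFleetGeneratorDefault = mkOverride 1001;
  };

  inherit (modules) mkFleetDefault mkFleetGeneratorDefault;

  # Secret generators. Each helper is applied first to its own settings and
  # then to the generator environment (`mkSecretGenerator` plus any packages
  # the script needs). Scripts create `$out` and write `$out/secret`, and for
  # key pairs also `$out/public`. `gh` is used bare (not by store path like
  # openssl below) and is assumed to be on PATH inside the generator —
  # confirm mkSecretGenerator provides it. Settings such as `size`, `count`
  # and `encoding` are interpolated into the shell script without quoting;
  # they are expected to come from trusted module configuration, never from
  # untrusted input.
  secrets = {
    # Random password of `size` characters.
    mkPassword = {size ? 32}: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate password -o $out/secret --size ${toString size}
        '';
      };

    # Ed25519 key pair. `noEmbedPublic` passes --no-embed-public, `encoding`
    # (when non-null) is forwarded as --encoding=<value>; an unset flag leaves
    # an empty continuation line behind, which the shell ignores.
    mkEd25519 = {
      noEmbedPublic ? false,
      encoding ? null,
    }: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate ed25519 -p $out/public -s $out/secret \
            ${optionalString noEmbedPublic "--no-embed-public"} \
            ${optionalString (encoding != null) "--encoding=${encoding}"}
        '';
      };

    # X25519 key pair; `encoding` as for mkEd25519.
    mkX25519 = {encoding ? null}: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate x25519 -p $out/public -s $out/secret \
            ${optionalString (encoding != null) "--encoding=${encoding}"}
        '';
      };

    # RSA key pair of `size` bits, generated with openssl and imported through
    # `gh private` / `gh public`. openssl needs the private key on disk to
    # derive the public key, so the PEM is written to the working directory:
    # it is created under umask 077 and deleted as soon as it has been
    # imported, because whether that directory is discarded afterwards (and
    # who can read it meanwhile) depends on how mkSecretGenerator runs the
    # script — confirm.
    mkRsa = {size ? 4096}: {
      openssl,
      mkSecretGenerator,
      ...
    }:
      mkSecretGenerator {
        script = ''
          mkdir $out

          (umask 077; ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size})
          ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key

          gh private -o $out/secret < rsa_private.key
          gh public -o $out/public < rsa_public.key

          rm -f rsa_private.key rsa_public.key
        '';
      };

    # `count` random bytes written in `encoding` (required); `noNuls` passes
    # --no-nuls so the output contains no NUL bytes.
    mkBytes = {
      count ? 32,
      encoding,
      noNuls ? false,
    }: {mkSecretGenerator, ...}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
            ${optionalString noNuls "--no-nuls"}
        '';
      };
    # mkBytes with a fixed hex encoding.
    mkHexBytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "hex";
      };
    # mkBytes with a fixed base64 encoding.
    mkBase64Bytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "base64";
      };
  };

  inherit (secrets) mkPassword mkEd25519 mkX25519 mkRsa mkBytes mkHexBytes mkBase64Bytes;

  strings = let
    plaintextPrefix = "<PLAINTEXT>";
    plaintextNewlinePrefix = "<PLAINTEXT-NL>";
  in {
    # Strip the plaintext marker from a raw secret *public* part. Both
    # markers are treated the same here — this file gives the NL variant no
    # extra newline handling, so whatever it denotes happens elsewhere
    # (confirm with the generator). A value without either marker throws.
    # The offending value is deliberately not echoed into the error: Nix
    # evaluation errors land in terminal output and logs, and the input may
    # be an encrypted blob or something never meant to be printed; only its
    # length is reported as a debugging hint.
    decodeRawSecret = raw:
      if hasPrefix plaintextPrefix raw
      then removePrefix plaintextPrefix raw
      else if hasPrefix plaintextNewlinePrefix raw
      then removePrefix plaintextNewlinePrefix raw
      else
        throw "decodeRawSecret only works with plaintext-encoded secret public parts (expected a ${plaintextPrefix} or ${plaintextNewlinePrefix} prefix, got a ${toString (builtins.stringLength raw)}-character value)";
  };

  inherit (strings) decodeRawSecret;
}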