git.delta.rocks / jrsonnet / refs/commits / d97c9fe9e5c4

difftreelog

feat ensure shared generators

pwqmwvyvYaroslav Bolyukin2026-01-22parent: #e89ca39.patch.diff
in: trunk

2 files changed

modifiedmodules/nixos.nixdiffbeforeafterboth
20{20{
21  options = {21  options = {
22    nixos = mkOption {22    nixos = mkOption {
23      description = ''23      description = ''
24        Nixos configuration for all hosts.24        Shared nixos configuration module for all hosts.
25      '';25      '';
26      type = deferredModule;26      type = deferredModule;
27    };27    };
28    hosts = mkHostsOption (hostArgs: {28    hosts = mkHostsOption (hostArgs: {
76            nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;76            nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;
77            hosts = config.hosts;77            hosts = config.hosts;
78            host = hostArgs.config;78            host = hostArgs.config;
79            fleetConfiguration = config;
79          };80          };
80        };81        };
81        nixos_unchecked = hostArgs.config.nixos.extendModules {82        nixos_unchecked = hostArgs.config.nixos.extendModules {
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
3  fleetLib,3  fleetLib,
4  config,4  config,
5  pkgs,5  pkgs,
6  fleetConfiguration,
6  ...7  ...
7}:8}:
8let9let
13  inherit (lib.stringsWithDeps) stringAfter;14  inherit (lib.stringsWithDeps) stringAfter;
14  inherit (lib.options) mkOption literalExpression;15  inherit (lib.options) mkOption literalExpression;
15  inherit (lib.lists) optional;16  inherit (lib.lists) optional;
16  inherit (lib.attrsets) mapAttrs;17  inherit (lib.attrsets) mapAttrs mapAttrsToList;
17  inherit (lib.modules) mkIf;18  inherit (lib.modules) mkIf;
18  inherit (lib.types)19  inherit (lib.types)
19    submodule20    submodule
23    uniq24    uniq
24    functionTo25    functionTo
25    package26    package
27    bool
28    enum
29    either
26    ;30    ;
27  inherit (fleetLib.strings) decodeRawSecret;31  inherit (fleetLib.strings) decodeRawSecret;
2832
72    }:76    }:
73    let77    let
74      secretName = config._module.args.name;78      secretName = config._module.args.name;
79      literal = l: enum [l];
75    in80    in
76    {81    {
77      options = {82      options = {
80          description = "Definition of secret parts";85          description = "Definition of secret parts";
81        };86        };
82        generator = mkOption {87        generator = mkOption {
83          type = uniq (functionTo package);88          type = either (functionTo package) (literal "shared");
84          description = "Derivation to evaluate for secret generation";89          description = "Derivation to evaluate for secret generation";
85        };90        };
86        mode = mkOption {91        mode = mkOption {
146  config = {151  config = {
147    environment.systemPackages = [ pkgs.fleet-install-secrets ];152    environment.systemPackages = [ pkgs.fleet-install-secrets ];
153
154    assertions = mapAttrsToList (name: secret: let
155      hasSharedDefinition = fleetConfiguration.secrets ? name;
156    in {
157      assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
158      message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
159      else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
160    }) config.secrets;
148161
149    systemd.services.fleet-install-secrets = mkIf useSysusers {162    systemd.services.fleet-install-secrets = mkIf useSysusers {
150      wantedBy = [ "sysinit.target" ];163      wantedBy = [ "sysinit.target" ];