

feat ensure shared generators

pwqmwvyvYaroslav Bolyukin2026-01-22parent: #e89ca39.patch.diff
in: trunk

2 files changed

modifiedmodules/nixos.nixdiffbeforeafterboth
after · modules/nixos.nix
1{2  lib,3  fleetLib,4  inputs,5  self,6  config,7  _fleetFlakeRootConfig,8  ...9}:10let11  inherit (lib.attrsets) mapAttrs;12  inherit (lib.options) mkOption;13  inherit (lib.types) deferredModule unspecified;14  inherit (lib.modules) mkRemovedOptionModule;15  inherit (lib.strings) escapeNixIdentifier;16  inherit (fleetLib.options) mkHostsOption;1718  _file = ./nixos.nix;19in20{21  options = {22    nixos = mkOption {23      description = ''24        Shared nixos configuration module for all hosts.25      '';26      type = deferredModule;27    };28    hosts = mkHostsOption (hostArgs: {29      inherit _file;30      options = {31        nixos = mkOption {32          description = ''33            Nixos configuration for the current host.34          '';35          type = deferredModule;36          apply =37            module:38            let39              inherit (hostArgs.config) system;40            in41            config.nixpkgs.buildUsing.lib.nixosSystem {42              inherit system;43              modules = [44                (module // { key = "attr<host.nixos>"; })45                (config.nixos // { key = "attr<fleet.nixos>"; })46              ];47              specialArgs = {48                inherit fleetLib inputs self;49                inputs' = mapAttrs (50                  inputName: input:51                  builtins.addErrorContext52                    "while retrieving system-dependent attributes for input ${escapeNixIdentifier inputName}"53                    (54                      if input._type or null == "flake" then55                        _fleetFlakeRootConfig.perInput system input56                      else57                        "input is not a flake, perhaps flake = false was added to te input declaration?"58                    )59                ) inputs;60                self' = builtins.addErrorContext "while retrieving system-dependent attributes for a flake's own outputs" (61                  _fleetFlakeRootConfig.perInput 
system self62                );63              };64            };65        };66        nixos_unchecked = mkOption {67          type = unspecified;68        };69      };70      config = {71        # imports = [72        #   (mkRemovedOptionModule ["nixosModules"] "replaced with hosts.*.nixos.imports.")73        # ];74        nixos = {75          config._module.args = {76            nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;77            hosts = config.hosts;78            host = hostArgs.config;79            fleetConfiguration = config;80          };81        };82        nixos_unchecked = hostArgs.config.nixos.extendModules {83          modules = [84            {85              _module.check = false;86            }87          ];88        };89      };90    });91  };92  imports = [93    (mkRemovedOptionModule [ "nixosModules" ] "replaced with nixos.imports.")94  ];95  config.nixos.imports = import ./nixos/module-list.nix;96}
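Review bot: The error string in the `inputs'` branch reads "perhaps flake = false was added to te input declaration" — "te" should be "the"; this "after" view does not mark which lines the commit touched, so the typo may predate it. That branch also returns the string as the value of `inputs'.<name>` rather than raising, so the `addErrorContext` message is never attached to a failure and a non-flake input surfaces later as an unrelated "value is a string while a set was expected" error at the point of use; `throw` there would keep the context. The part of this file relevant to the commit appears to be `fleetConfiguration = config;` in `_module.args`, which matches the new `fleetConfiguration` module argument taken by secrets.nix.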
modifiedmodules/nixos/secrets.nixdiffbeforeafterboth
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
   fleetLib,
   config,
   pkgs,
+  fleetConfiguration,
   ...
 }:
 let
@@ -13,7 +14,7 @@
   inherit (lib.stringsWithDeps) stringAfter;
   inherit (lib.options) mkOption literalExpression;
   inherit (lib.lists) optional;
-  inherit (lib.attrsets) mapAttrs;
+  inherit (lib.attrsets) mapAttrs mapAttrsToList;
   inherit (lib.modules) mkIf;
   inherit (lib.types)
     submodule
@@ -23,6 +24,9 @@
     uniq
     functionTo
     package
+    bool
+    enum
+    either
     ;
   inherit (fleetLib.strings) decodeRawSecret;
 
@@ -72,6 +76,7 @@
     }:
     let
       secretName = config._module.args.name;
+      literal = l: enum [l];
     in
     {
       options = {
@@ -80,7 +85,7 @@
           description = "Definition of secret parts";
         };
         generator = mkOption {
-          type = uniq (functionTo package);
+          type = either (functionTo package) (literal "shared");
           description = "Derivation to evaluate for secret generation";
         };
         mode = mkOption {
@@ -146,6 +151,14 @@
   config = {
     environment.systemPackages = [ pkgs.fleet-install-secrets ];
 
+    assertions = mapAttrsToList (name: secret: let
+      hasSharedDefinition = fleetConfiguration.secrets ? name;
+    in {
+      assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+      message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
+      else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+    }) config.secrets;
+
     systemd.services.fleet-install-secrets = mkIf useSysusers {
       wantedBy = [ "sysinit.target" ];
       after = [ "systemd-sysusers.service" ];
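Review bot: `fleetConfiguration.secrets ? name` in the `hasSharedDefinition` binding tests for an attribute literally called `name`, not for the value of the `name` variable bound by `mapAttrsToList`, so `hasSharedDefinition` is false for every secret and any secret declared with `generator = "shared"` trips the assertion; it should read `hasSharedDefinition = fleetConfiguration.secrets ? ${name};`. This assumes `fleetConfiguration` (the fleet-level config passed through `_module.args` in nixos.nix) exposes a `secrets` attribute set keyed by secret name, which this diff does not show. Minor: `then"secret …` needs a space after `then`, and the messages would read more clearly as `"secret ${name} has a host-specific generator, so the fleet configuration must not also define a shared generator for it"` and `"secret ${name} is declared as shared, so the fleet configuration must define a shared generator for it"`. In the earlier hunk `bool` is added to the `lib.types` inherit but nothing in this diff uses it; drop it unless another part of the file does.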