

feat ensure shared generators

pwqmwvyvYaroslav Bolyukin2026-01-22parent: #e89ca39.patch.diff
in: trunk

2 files changed

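--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -20,9 +20,9 @@
 {
 options = {
 nixos = mkOption {
 description = ''
-Nixos configuration for all hosts.
+Shared nixos configuration module for all hosts.
 '';
 type = deferredModule;
 };
 hosts = mkHostsOption (hostArgs: {
@@ -76,6 +76,7 @@
 nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;
 hosts = config.hosts;
 host = hostArgs.config;
+fleetConfiguration = config;
 };
 };
 nixos_unchecked = hostArgs.config.nixos.extendModules {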
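Review bot: The new `fleetConfiguration = config;` argument hands the entire fleet-level `config` into every host's NixOS evaluation without a comment saying what it is for or how much of it host modules are expected to touch. A short note next to it would help the next reader, e.g. `# Whole fleet config, exposed so host modules can cross-check host-level options against fleet-level ones (secrets.nix uses .secrets)`. Passing the full `config` rather than the specific attributes a consumer needs is also a broad coupling point; if a host module ever reads a fleet attribute that in turn depends on that host's evaluated NixOS config, the evaluation may recurse, which is worth a comment or a narrower argument once more consumers appear. The enclosing `hosts = mkHostsOption (hostArgs: { ... })` definition starts and ends outside this section.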
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
   fleetLib,
   config,
   pkgs,
+  fleetConfiguration,
   ...
 }:
 let
@@ -13,7 +14,7 @@
   inherit (lib.stringsWithDeps) stringAfter;
   inherit (lib.options) mkOption literalExpression;
   inherit (lib.lists) optional;
-  inherit (lib.attrsets) mapAttrs;
+  inherit (lib.attrsets) mapAttrs mapAttrsToList;
   inherit (lib.modules) mkIf;
   inherit (lib.types)
     submodule
@@ -23,6 +24,9 @@
     uniq
     functionTo
     package
+    bool
+    enum
+    either
     ;
   inherit (fleetLib.strings) decodeRawSecret;
 
@@ -72,6 +76,7 @@
     }:
     let
       secretName = config._module.args.name;
+      literal = l: enum [l];
     in
     {
       options = {
@@ -80,7 +85,7 @@
           description = "Definition of secret parts";
         };
         generator = mkOption {
-          type = uniq (functionTo package);
+          type = either (functionTo package) (literal "shared");
           description = "Derivation to evaluate for secret generation";
         };
         mode = mkOption {
@@ -146,6 +151,14 @@
   config = {
     environment.systemPackages = [ pkgs.fleet-install-secrets ];
 
+    assertions = mapAttrsToList (name: secret: let
+      hasSharedDefinition = fleetConfiguration.secrets ? name;
+    in {
+      assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+      message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
+      else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+    }) config.secrets;
+
     systemd.services.fleet-install-secrets = mkIf useSysusers {
       wantedBy = [ "sysinit.target" ];
       after = [ "systemd-sysusers.service" ];
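Review bot: `hasSharedDefinition = fleetConfiguration.secrets ? name;` in the assertions hunk checks for an attribute literally called `name`, not for the attribute whose key is the value of the `name` binding, so every secret is judged against whether the fleet declares a secret named "name" and the assertion fires for the wrong secrets; it should be `hasSharedDefinition = fleetConfiguration.secrets ? ${name};` (or `builtins.hasAttr name fleetConfiguration.secrets`). The `then"secret ...` branch is also missing a space after `then` and both messages are very long single lines, which would read better split across lines. The check assumes the fleet module defines a `secrets` option that the shared-generator declaration lands in; that option is not visible here, so the assumption deserves a comment such as `# fleetConfiguration.secrets must hold the fleet-wide (shared) secret generators`. The `config = { ... }` block continues past the end of this hunk.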