

feat ensure shared generators

pwqmwvyvYaroslav Bolyukin2026-01-22parent: #e89ca39.patch.diff
in: trunk

2 files changed

modifiedmodules/nixos.nixdiffbeforeafterboth
--- a/modules/nixos.nix
+++ b/modules/nixos.nix
@@ -21,7 +21,7 @@
   options = {
     nixos = mkOption {
       description = ''
-        Nixos configuration for all hosts.
+        Shared nixos configuration module for all hosts.
       '';
       type = deferredModule;
     };
@@ -76,6 +76,7 @@
             nixosHosts = mapAttrs (_: value: value.nixos_unchecked.config) config.hosts;
             hosts = config.hosts;
             host = hostArgs.config;
+            fleetConfiguration = config;
           };
         };
         nixos_unchecked = hostArgs.config.nixos.extendModules {
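Review bot: `fleetConfiguration = config` at the added line hands the entire fleet-level configuration into the module arguments of every host evaluation, while the only consumer visible in this commit (modules/nixos/secrets.nix) reads `fleetConfiguration.secrets ? name`. Passing the whole `config` makes every host module implicitly depend on any fleet option, so a narrower argument such as `fleetSecrets = config.secrets;` (or a documented comment on why the full config is needed) would keep the coupling explicit. The `nixos_unchecked = hostArgs.config.nixos.extendModules {` evaluation starting on the last line of this hunk is not shown; if its `specialArgs` do not also provide `fleetConfiguration`, a module that takes it as a function argument would fail to evaluate there, which is worth confirming outside the hunk.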
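--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,6 +3,7 @@
 fleetLib,
 config,
 pkgs,
+fleetConfiguration,
 ...
 }:
 let
@@ -13,7 +14,7 @@
 inherit (lib.stringsWithDeps) stringAfter;
 inherit (lib.options) mkOption literalExpression;
 inherit (lib.lists) optional;
-inherit (lib.attrsets) mapAttrs;
+inherit (lib.attrsets) mapAttrs mapAttrsToList;
 inherit (lib.modules) mkIf;
 inherit (lib.types)
 submodule
@@ -23,6 +24,9 @@
 uniq
 functionTo
 package
+bool
+enum
+either
 ;
 inherit (fleetLib.strings) decodeRawSecret;
 
@@ -72,6 +76,7 @@
 }:
 let
 secretName = config._module.args.name;
+literal = l: enum [l];
 in
 {
 options = {
@@ -80,7 +85,7 @@
 description = "Definition of secret parts";
 };
 generator = mkOption {
-type = uniq (functionTo package);
+type = either (functionTo package) (literal "shared");
 description = "Derivation to evaluate for secret generation";
 };
 mode = mkOption {
@@ -146,5 +151,13 @@
 config = {
 environment.systemPackages = [ pkgs.fleet-install-secrets ];
+
+assertions = mapAttrsToList (name: secret: let
+hasSharedDefinition = fleetConfiguration.secrets ? name;
+in {
+assertion = (secret.definition.generator == "shared") == hasSharedDefinition;
+message = if hasSharedDefinition then"secret ${name} has host-specific secret generator, secrets with host-specific generators can not have shared generator in fleet configuration"
+else "secret ${name} is declared as shared, for shared secret fleet configuration should include shared secret generator";
+}) config.secrets;
 
 systemd.services.fleet-install-secrets = mkIf useSysusers {
 wantedBy = [ "sysinit.target" ];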
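Review bot: The new `generator` type `either (functionTo package) (literal "shared")` drops the `uniq` wrapper the old `uniq (functionTo package)` had, so two host modules defining a generator for the same secret are no longer rejected at the option level; with `either`, multiple function definitions fall through to `functionTo`'s merge and are only caught, if at all, when the merged `package` results conflict, and a mix of a function and `"shared"` reaches `mergeOneOption` with a less specific error. Keeping the guarantee is a one-line change: `type = uniq (either (functionTo package) (literal "shared"));`. The option description still says only "Derivation to evaluate for secret generation" and should document the new sentinel, e.g. `description = "Derivation to evaluate for secret generation, or \"shared\" to use the generator declared for this secret in the fleet configuration";`. As a style point, `then"secret ${name} ...` in the assertion message is missing the space after `then`. The `config = {` attribute set that holds the new `assertions` continues past the end of this section.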