--- a/cmds/fleet/src/cmds/secrets/mod.rs +++ b/cmds/fleet/src/cmds/secrets/mod.rs @@ -265,13 +265,14 @@ let generator = nix_go!(secret.generator); let on: Option = nix_go_json!(default_generator.impureOn); + let nixpkgs = &config.nixpkgs; + let host = if let Some(on) = &on { config.host(on).await? } else { config.local_host() }; let on_pkgs = host.pkgs().await?; - let call_package = nix_go!(on_pkgs.callPackage); let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators); let mut recipients = Vec::new(); @@ -280,8 +281,11 @@ recipients.push(key); } let generators = nix_go!(mk_secret_generators(Obj { recipients })); + let pkgs_and_generators = nix_go!(on_pkgs + generators); + + let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators)); - let generator = nix_go!(call_package(generator)(generators)); + let generator = nix_go!(call_package(generator)(Obj {})); let generator = generator.build_maybe_batch(batch).await?; let generator = generator @@ -353,8 +357,8 @@ bail!("generator should be lambda, got {gen_ty}"); } } + let nixpkgs = &config.nixpkgs; let default_pkgs = &config.default_pkgs; - let default_call_package = nix_go!(default_pkgs.callPackage); let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators); // Generators provide additional information in passthru, to access // passthru we should call generator, but information about where this generator is supposed to build @@ -367,7 +371,10 @@ let generators = nix_go!(default_mk_secret_generators(Obj { recipients: >::new(), })); - let default_generator = nix_go!(default_call_package(generator)(generators)); + let pkgs_and_generators = nix_go!(default_pkgs + generators); + + let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators)); + let default_generator = nix_go!(call_package(generator)(Obj {})); let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind); --- a/crates/fleet-base/src/host.rs +++ b/crates/fleet-base/src/host.rs 
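Review bot: `nixpkgs` is taken from `config` while the package set comes from `host.pkgs()`, so the `lib.callPackageWith` used in the following hunk and the packages it wires together can come from two different nixpkgs revisions if a host pins its own. If the host package set exposes `lib` (nixpkgs package sets normally do), `nix_go!(on_pkgs.lib.callPackageWith(pkgs_and_generators))` would keep both from one source and would not need the new `nixpkgs` field. If the split is deliberate, a one-line comment next to `let nixpkgs = &config.nixpkgs;` saying why would help. The enclosing function starts and ends outside the hunk.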
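Review bot: The merge `on_pkgs + generators` is emitted as Nix `on_pkgs // generators`, which is right-biased, so any attribute in the `mkSecretGenerators` result silently replaces a package of the same name when a generator asks for `openssl` or `coreutils`. That precedence decides which binaries produce secret material, so it deserves a comment above the merge, e.g. `// generators intentionally shadow pkgs on name collision (Nix //, right operand wins)`. Arguments are now picked by `callPackageWith` from the generator's formal parameters and the explicit argument is `Obj {}`, so a generator written as a plain lambda without an attribute pattern would presumably receive an empty set where it used to receive the generators; that is worth stating in the commit message. The same three lines are repeated in the `@@ -367,7` hunk and could live in one helper.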
@@ -34,6 +34,7 @@ /// import nixpkgs {system = local}; pub default_pkgs: Value, + pub nixpkgs: Value, pub nix_session: NixSession, } --- a/crates/fleet-base/src/opts.rs +++ b/crates/fleet-base/src/opts.rs @@ -225,6 +225,7 @@ nix_args, config_field, default_pkgs, + nixpkgs, localhost: self.localhost.to_owned(), }))) } --- a/crates/nix-eval/src/macros.rs +++ b/crates/nix-eval/src/macros.rs @@ -231,6 +231,9 @@ (@o($o:ident) | $($var:tt)*) => { $o.push(Index::Pipe($crate::nix_expr_inner!($($var)+))); }; + (@o($o:ident) + $($var:tt)*) => { + $o.push(Index::Merge($crate::nix_expr_inner!($($var)+))); + }; (@o($o:ident)) => {}; ($field:ident $($tt:tt)+) => {{ use $crate::{nix_go, Index}; --- a/crates/nix-eval/src/value.rs +++ b/crates/nix-eval/src/value.rs @@ -15,6 +15,7 @@ Expr(NixExprBuilder), ExprApply(NixExprBuilder), Pipe(NixExprBuilder), + Merge(NixExprBuilder), } impl Index { pub fn var(v: impl AsRef) -> Self { @@ -56,6 +57,9 @@ Index::Pipe(e) => { write!(f, "({})", e.out) } + Index::Merge(e) => { + write!(f, "//({})", e.out) + } } } } @@ -157,6 +161,12 @@ let index = format!("sess_field_{}", index.0.value.expect("value")); query = format!("({index} {query})"); } + Index::Merge(v) => { + let index = Value::new(self.0.session.clone(), &v.out).await?; + used_fields.push(index.clone()); + let index = format!("sess_field_{}", index.0.value.expect("value")); + query = format!("({query} // {index})"); + } } } --- a/lib/default.nix +++ b/lib/default.nix @@ -46,7 +46,6 @@ mkPassword = {size ? 32}: { coreutils, mkSecretGenerator, - ... }: mkSecretGenerator { script = '' @@ -58,7 +57,7 @@ mkEd25519 = { noEmbedPublic ? false, encoding ? null, - }: {mkSecretGenerator, ...}: + }: {mkSecretGenerator}: mkSecretGenerator { script = '' mkdir $out @@ -68,7 +67,7 @@ ''; }; - mkX25519 = {encoding ? null}: {mkSecretGenerator, ...}: + mkX25519 = {encoding ? null}: {mkSecretGenerator}: mkSecretGenerator { script = '' mkdir $out 
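Review bot: The new `nixpkgs` field has no doc comment, while the `default_pkgs` field just above it documents how it is produced. The call sites in this commit only read `nixpkgs.lib`, so it is presumably the un-imported nixpkgs input; a line such as `/// nixpkgs input itself (not imported for a system); used for nixpkgs.lib` would keep readers from confusing it with `default_pkgs`. The struct starts outside the hunk, and how the value is populated is not visible here, so the wording should be confirmed against the code that builds it.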
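Review bot: The new `+` arm makes `a + b` inside `nix_go!` mean attribute-set update (`Index::Merge`, rendered as `//` in value.rs), which is not what `+` means in Nix, and nothing at the arm says so. A comment above it would prevent misuse, e.g. `// '+' stands for Nix '//' (attrset update, right side wins); '//' cannot be a macro token because it starts a Rust comment`. Like the `|` arm above it, this arm hands every remaining token to `nix_expr_inner!`, so nothing can be chained after the right-hand side; the comment could mention that too. The macro definition starts and ends outside the hunk.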
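Review bot: The `Index::Merge` arm in the `@@ -157,6` hunk repeats the three lines of the arm before it (create the session value, push it to `used_fields`, format `sess_field_{}`) and differs only in the final `format!`. Binding the field name once in a small helper and leaving only `query = format!("({query} // {index})");` in the arm would keep the two from drifting apart. `expect("value")` also gives no context if it ever fires; a message such as `expect("session value was just created and must have an id")` would be more useful, assuming that is the invariant. The enclosing match and function start outside the hunk.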
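Review bot: Dropping `...` from the `mkPassword` argument set (and likewise in the `mkEd25519`, `mkX25519`, `mkRsa` and last `@@ -98,7` hunks) makes these generators strict, so they now work only when called through `callPackageWith` with exactly the attributes they name. Any caller that still passes the whole generators set, as the old `call_package(generator)(generators)` did, will fail with an unexpected-argument error. A short comment at the top of the generator definitions, e.g. `# generators are invoked via lib.callPackageWith (pkgs // generators) {}; list every dependency explicitly`, would record that contract for people writing their own generators.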
@@ -80,7 +79,6 @@ mkRsa = {size ? 4096}: { openssl, mkSecretGenerator, - ... }: mkSecretGenerator { script = '' @@ -98,7 +96,7 @@ count ? 32, encoding, noNuls ? false, - }: {mkSecretGenerator, ...}: + }: {mkSecretGenerator}: mkSecretGenerator { script = '' mkdir $out