


lib/default.nix (3.8 KiB)
# Shared functions for fleet configuration, available as `fleet` module argument
#
# This file is a single function `{lib}: ...` returning a recursive attribute
# set (`rec`), so later attributes (e.g. `types.listOfOverlay`, `options.*`)
# may refer to earlier ones by name. Groups of helpers are exposed twice:
# namespaced (`types`, `options`, `modules`, `secrets`, `strings`) and
# flattened at the top level via `inherit (...)`.
{lib}: let
  inherit (lib.trivial) isFunction;
  inherit (lib.options) mkOption mergeOneOption;
  inherit (lib.modules) mkOverride;
  inherit (lib.types) listOf submodule attrsOf mkOptionType;
  inherit (lib.strings) optionalString hasPrefix removePrefix;
in rec {
  # Option types used by fleet modules.
  types = {
    # A nixpkgs overlay is any function; only one definition is allowed
    # per option (mergeOneOption), so overlays must be collected in a list.
    overlay = mkOptionType {
      name = "nixpkgs-overlay";
      description = "nixpkgs overlay";
      check = isFunction;
      merge = mergeOneOption;
    };
    # `types.overlay` resolves through the enclosing `rec` set.
    listOfOverlay = listOf types.overlay;

    # Hosts: an attrset keyed by host name, each value a submodule of `module`.
    mkHostsType = module: attrsOf (submodule module);
    # Data: a single submodule of `module`.
    mkDataType = module: submodule module;
  };

  # Option constructors wrapping the types above; no defaults are set here,
  # so `mkHostsOption`/`mkDataOption` options are required unless the
  # submodule itself defines them.
  options = {
    mkHostsOption = module:
      mkOption {
        type = types.mkHostsType module;
      };
    mkDataOption = module:
      mkOption {
        type = types.mkDataType module;
      };
  };

  inherit (options) mkHostsOption;

  # Definition priorities for the module system. With mkOverride a LOWER
  # number wins; nixpkgs uses mkDefault = mkOverride 1000 and sets option
  # defaults (mkOptionDefault) at 1500.
  modules = {
    # mkDefault = mkOverride 1000
    # For places, where fleet knows better than nixpkgs defaults.
    # 999: beats mkDefault (1000) but loses to any plain/mkForce definition.
    mkFleetDefault = mkOverride 999;
    # Some generators use mkDefault, but optionDefault is set by nixpkgs.
    # 1001: loses to a generator's mkDefault (1000) but still overrides the
    # nixpkgs option default (1500).
    mkFleetGeneratorDefault = mkOverride 1001;
  };

  inherit (modules) mkFleetDefault mkFleetGeneratorDefault;

  # Secret generators. Each helper takes its own parameters first and a
  # second attrset of build inputs (presumably injected callPackage-style;
  # `mkSecretGenerator` is defined elsewhere — not shown here). Every script
  # writes into `$out`: `$out/secret` for the private part and `$out/public`
  # for the public part where one exists. `gh` is invoked bare, so it is
  # resolved from the generator's PATH rather than pinned in this file.
  # Parameters such as `size`, `count` and `encoding` are spliced into the
  # shell script without quoting; they are treated as trusted configuration
  # values, not as user input.
  secrets = {
    # NOTE(review): `coreutils` is required by the argument pattern but is not
    # referenced in the script (`mkdir` is taken from PATH).
    mkPassword = {size ? 32}: {
      coreutils,
      mkSecretGenerator,
    }:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate password -o $out/secret --size ${toString size}
        '';
      };

    # Ed25519 keypair. `noEmbedPublic` passes `--no-embed-public`;
    # `encoding` (when non-null) is forwarded as `--encoding=...`.
    mkEd25519 = {
      noEmbedPublic ? false,
      encoding ? null,
    }: {mkSecretGenerator}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate ed25519 -p $out/public -s $out/secret \
            ${optionalString noEmbedPublic "--no-embed-public"} \
            ${optionalString (encoding != null) "--encoding=${encoding}"}
        '';
      };

    # X25519 keypair; `encoding` is optional as for mkEd25519.
    mkX25519 = {encoding ? null}: {mkSecretGenerator}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate x25519 -p $out/public -s $out/secret \
            ${optionalString (encoding != null) "--encoding=${encoding}"}
        '';
      };

    # RSA keypair of `size` bits, generated with the pinned `openssl` input.
    # The private key is first written to `rsa_private.key` in the working
    # directory and then piped into `gh private`; nothing here removes that
    # file afterwards. This is only safe if the generator runs in a
    # throwaway build directory — assumed, not shown here; TODO confirm.
    mkRsa = {size ? 4096}: {
      openssl,
      mkSecretGenerator,
    }:
      mkSecretGenerator {
        script = ''
          mkdir $out

          ${openssl}/bin/openssl genrsa -out rsa_private.key ${toString size}
          ${openssl}/bin/openssl rsa -in rsa_private.key -pubout -out rsa_public.key

          cat rsa_private.key | gh private -o $out/secret
          cat rsa_public.key | gh public -o $out/public
        '';
      };

    # Random bytes. `encoding` has no default and must be given explicitly
    # (see mkHexBytes / mkBase64Bytes for the fixed-encoding wrappers);
    # `noNuls` adds `--no-nuls`.
    mkBytes = {
      count ? 32,
      encoding,
      noNuls ? false,
    }: {mkSecretGenerator}:
      mkSecretGenerator {
        script = ''
          mkdir $out
          gh generate bytes --count=${toString count} --encoding=${encoding} -o $out/secret \
            ${optionalString noNuls "--no-nuls"}
        '';
      };
    mkHexBytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "hex";
      };
    mkBase64Bytes = {count ? 32}:
      mkBytes {
        inherit count;
        encoding = "base64";
      };

    # Wireguard
    # mkWireguard = {}: mkX25519 {encoding = "base64";};
    # mkWireguardPsk = {}: mkBase64Bytes {count = 32;};
  };

  inherit (secrets) mkPassword mkEd25519 mkX25519 mkRsa mkBytes mkHexBytes mkBase64Bytes;

  # String helpers for secret public parts.
  strings = let
    plaintextPrefix = "<PLAINTEXT>";
    plaintextNewlinePrefix = "<PLAINTEXT-NL>";
  in {
    # Strip the plaintext marker from a raw public part. Only the two
    # plaintext prefixes are understood; anything else aborts evaluation.
    # Note that the `throw` message includes the full `raw` value, so it
    # will appear verbatim in evaluation errors and logs — acceptable for
    # public parts, which is all this function is documented to handle.
    decodeRawSecret = raw:
      if hasPrefix plaintextPrefix raw
      then removePrefix plaintextPrefix raw
      else if hasPrefix plaintextNewlinePrefix raw
      then removePrefix plaintextNewlinePrefix raw
      else throw "decodeRawSecret only works with plaintext-encoded secret public parts, got ${raw}";
  };

  inherit (strings) decodeRawSecret;
}