From a791ad41ec2b9342e098d09df4164c31dac71a70 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Tue, 1 Jul 2025 21:08:15 +0200
Subject: [PATCH] Inject sources, secrets and keys via module system - avoid `import ../` (#421)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Nicolas “Niols” Jeannerod
Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/421
Reviewed-by: Nicolas Jeannerod
Reviewed-by: Valentin Gagarin
Co-authored-by: Kiara Grouwstra
Co-committed-by: Kiara Grouwstra
---
 deployment/check/basic/flake-part.nix | 5 +++--
 deployment/check/cli/flake-part.nix | 5 +++--
 deployment/check/common/deployerNode.nix | 5 ++---
 deployment/check/common/nixosTest.nix | 5 +++--
 deployment/check/common/targetResource.nix | 3 ++-
 deployment/check/panel/flake-part.nix | 5 +++--
 flake.nix | 5 +++++
 infra/common/resource.nix | 23 ++++++++++------------
 infra/flake-part.nix | 15 +++++++++++---
 keys/flake-part.nix | 1 +
 secrets/default.nix | 4 ++++
 secrets/flake-part.nix | 1 +
 12 files changed, 49 insertions(+), 28 deletions(-)
 create mode 100644 keys/flake-part.nix
 create mode 100644 secrets/default.nix
 create mode 100644 secrets/flake-part.nix
diff --git a/deployment/check/basic/flake-part.nix b/deployment/check/basic/flake-part.nix
index 6344f0f0..c7c4fba7 100644
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@@ -2,6 +2,7 @@
 self,
 inputs,
 lib,
+ sources,
 ...
 }:
@@ -27,7 +28,7 @@ in
 ../common/nixosTest.nix
 ./nixosTest.nix
 ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit targetMachines pathToRoot pathFromRoot;
 };
 };
@@ -44,7 +45,7 @@ in
 inputs.nixops4-nixos.modules.nixops4Resource.nixos
 ../common/targetResource.nix
 ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit nodeName pathToRoot pathFromRoot;
 nixos.module = { pkgs, ... }:
diff --git a/deployment/check/cli/flake-part.nix b/deployment/check/cli/flake-part.nix
index 70b1a268..ec2021fc 100644
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@@ -2,6 +2,7 @@
 self,
 inputs,
 lib,
+ sources,
 ...
 }:
@@ -30,7 +31,7 @@ in
 ../common/nixosTest.nix
 ./nixosTest.nix
 ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit
 targetMachines
 pathToRoot
@@ -44,7 +45,7 @@ in
 let
 makeTargetResource = nodeName: {
 imports = [ ../common/targetResource.nix ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit
 nodeName
 pathToRoot
diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix
index 048bba5a..284fc65c 100644
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@@ -3,6 +3,7 @@
 lib,
 pkgs,
 config,
+ sources,
 ...
 }:
@@ -14,8 +15,6 @@ let
 types
 ;
- sources = import ../../../npins;
-
 in
 {
 _class = "nixos";
@@ -78,7 +77,7 @@ in
 config.system.extraDependenciesFromModule {
 nixpkgs.hostPlatform = "x86_64-linux";
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 enableAcme = config.enableAcme;
 acmeNodeIP = config.acmeNodeIP;
 }
diff --git a/deployment/check/common/nixosTest.nix b/deployment/check/common/nixosTest.nix
index fc0e935f..3b43719a 100644
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@@ -3,6 +3,7 @@
 lib,
 config,
 hostPkgs,
+ sources,
 ...
 }:
@@ -61,7 +62,7 @@ in
 {
 deployer = {
 imports = [ ./deployerNode.nix ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 enableAcme = config.enableAcme;
 acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
 };
@@ -88,7 +89,7 @@ in
 genAttrs config.targetMachines (_: {
 imports = [ ./targetNode.nix ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 enableAcme = config.enableAcme;
 acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
 });
diff --git a/deployment/check/common/targetResource.nix b/deployment/check/common/targetResource.nix
index 37d47458..53e07f16 100644
--- a/deployment/check/common/targetResource.nix
+++ b/deployment/check/common/targetResource.nix
@@ -2,6 +2,7 @@
 inputs,
 lib,
 config,
+ sources,
 ...
 }:
@@ -40,7 +41,7 @@ in
 (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
 ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 enableAcme = config.enableAcme;
 acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
diff --git a/deployment/check/panel/flake-part.nix b/deployment/check/panel/flake-part.nix
index b722b07c..3d268a98 100644
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@@ -2,6 +2,7 @@
 self,
 inputs,
 lib,
+ sources,
 ...
 }:
@@ -33,7 +34,7 @@ in
 ../common/nixosTest.nix
 ./nixosTest.nix
 ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit
 targetMachines
 pathToRoot
@@ -47,7 +48,7 @@ in
 let
 makeTargetResource = nodeName: {
 imports = [ ../common/targetResource.nix ];
- _module.args.inputs = inputs;
+ _module.args = { inherit inputs sources; };
 inherit
 nodeName
 pathToRoot
diff --git a/flake.nix b/flake.nix
index dbf01ff0..24e098bb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,6 +31,9 @@
 inherit nixpkgs;
 };
 self = self';
+ specialArgs = {
+ inherit sources;
+ };
 }
 (
 { inputs, ... }:
@@ -48,6 +51,8 @@
 ./deployment/flake-part.nix
 ./infra/flake-part.nix
+ ./keys/flake-part.nix
+ ./secrets/flake-part.nix
 ];
 perSystem =
diff --git a/infra/common/resource.nix b/infra/common/resource.nix
index a321ec62..c98d8f3e 100644
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@@ -2,6 +2,9 @@
 inputs,
 lib,
 config,
+ sources,
+ keys,
+ secrets,
 ...
 }:
@@ -9,12 +12,6 @@ let
 inherit (lib) attrValues elem mkDefault;
 inherit (lib.attrsets) concatMapAttrs optionalAttrs;
 inherit (lib.strings) removeSuffix;
- sources = import ../../npins;
- inherit (sources) agenix disko;
-
- secretsPrefix = ../../secrets;
- secrets = import (secretsPrefix + "/secrets.nix");
- keys = import ../../keys;
 in
 {
@@ -36,8 +33,8 @@ in
 ## should go into the `./nixos` subdirectory.
 nixos.module = {
 imports = [
- "${agenix}/modules/age.nix"
- "${disko}/module.nix"
+ "${sources.agenix}/modules/age.nix"
+ "${sources.disko}/module.nix"
 ./options.nix
 ./nixos
 ];
@@ -46,15 +43,15 @@ in
 ## configuration.
 fediversityVm = config.fediversityVm;
- ## Read all the secrets, filter the ones that are supposed to be readable
- ## with this host's public key, and add them correctly to the configuration
- ## as `age.secrets..file`.
+ ## Read all the secrets, filter the ones that are supposed to be readable with
+ ## public key, and create a mapping from `.file` to the absolute path of
+ ## the secret's file.
 age.secrets = concatMapAttrs (
 name: secret:
 optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
- ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+ ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
 })
- ) secrets;
+ ) secrets.mapping;
 ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
 ## supports users with password-less sudo.
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index 31cdc5a3..1b55841c 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -1,6 +1,9 @@
 {
 inputs,
 lib,
+ sources,
+ keys,
+ secrets,
 ...
 }:
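Review bot: The rewritten comment above `age.secrets` in infra/common/resource.nix says the secrets are "readable with public key" without saying whose key, whereas the filter two lines below tests `config.fediversityVm.hostPublicKey` against `secret.publicKeys`, and the `.file` mention in the new text appears to have lost the attribute path it refers to. Since this comment is the only documentation of the secret-selection rule, it is worth being precise: `## Read all the secrets from secrets.mapping, keep those whose publicKeys contain this host's key (config.fediversityVm.hostPublicKey), and expose each as age.secrets.<name>.file pointing at secrets.rootPath/<name>.age`. The attrset this hunk sits in starts and ends outside the hunk.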
@@ -13,7 +16,6 @@ let
 filterAttrs
 ;
 inherit (lib.attrsets) genAttrs;
- sources = import ../../npins;
 ## Given a machine's name and whether it is a test VM, make a resource module,
 ## except for its missing provider. (Depending on the use of that resource, we
@@ -22,7 +24,14 @@ let
 { vmName, isTestVm }:
 {
 # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
- _module.args = { inherit inputs; };
+ _module.args = {
+ inherit
+ inputs
+ sources
+ keys
+ secrets
+ ;
+ };
 imports = [
@@ -35,7 +44,7 @@ let
 {
 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
 # allow our panel vm access to the test machines
- (import ../keys).panel
+ keys.panel
 ];
 }
 ]
diff --git a/keys/flake-part.nix b/keys/flake-part.nix
new file mode 100644
index 00000000..ddc1f929
--- /dev/null
+++ b/keys/flake-part.nix
@@ -0,0 +1 @@
+{ _module.args.keys = import ./.; }
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 00000000..57f0317d
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,4 @@
+{
+ mapping = import ./secrets.nix;
+ rootPath = ./.;
+}
diff --git a/secrets/flake-part.nix b/secrets/flake-part.nix
new file mode 100644
index 00000000..4201f041
--- /dev/null
+++ b/secrets/flake-part.nix
@@ -0,0 +1 @@
+{ _module.args.secrets = import ./.; }
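Review bot: keys/flake-part.nix and secrets/flake-part.nix inject `keys` and `secrets` through `_module.args`, while flake.nix passes `sources` through `specialArgs`; `_module.args` values are not available while a module's `imports` are being resolved, so a flake-part that ever needs `keys` or `secrets` in its `imports` list will fail with an infinite recursion that `specialArgs` would not produce. If keeping them out of import resolution is deliberate, a comment on the single line of each file would stop the next reader from "fixing" the asymmetry, e.g. `# _module.args rather than specialArgs: keys are read by module bodies only, not during imports`; otherwise route all three the same way in flake.nix.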
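Review bot: secrets/default.nix introduces a two-attribute interface with no documentation, and the only place that shows what the attributes mean is infra/common/resource.nix, which reads `secrets.mapping` as an attrset from `<file>.age` names to entries carrying `publicKeys`, and appends `"/${name}"` to `secrets.rootPath` to locate the encrypted file. Suggest a comment above each attribute: `# mapping: <file>.age -> { publicKeys, ... } as declared in secrets.nix` and `# rootPath: directory holding the .age files; consumers append "/${name}"`. Whether the entries in secrets.nix carry anything beyond `publicKeys` is not visible in this patch.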