commit ec13fbd7a8bfe2eff569df5ad77d007599bbffc2
author Skyler Grey <sky@a.starrysky.fyi> Sat Aug 03 08:11:04 2024 +0000
committer Skyler Grey <minion@clicks.codes> Thu Aug 08 21:25:44 2024 +0000
tree 0939effdc252adb440e26e6b55b79e178ad70509
parent d8ae8d9fe17014aab45eeee7bcb17ccc8d9256c3

feat: Make modules evauluate without dependencies

Previously, module checks would stop us from evaluating if we didn't
include all of our dependencies' modules too. This became cumbersome if
someone was importing our flake, especially since as Nix doesn't stop
duplicate dependencies from being imported twice...

...by using optionalAttrs anywhere a dependency is needed, we stop Nix
being able to check that our options are valid, working around the issue

---

It's way too easy to make a mistake here, a first version of this change
had a bug where due to something like this...

x = lib.mkIf cfg.enable {  } // { foo = lib.optionalAttrs ... }

...which evaluates as...

x = { _type = "if"; value = ...; foo = lib.optionalAttrs ...; ...; }

...we ended up dropping the impermanence options which mount our storage

It's really critical, therefore, to check that you aren't munging
attrsets into mkIf statements when you start using a mix of them

Change-Id: I7b786af965b3fd1012d956262aea72305b60db27
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/811
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>

modules/nixos/clicks/security/secrets/default.nix

diff --git a/modules/nixos/clicks/security/secrets/default.nix b/modules/nixos/clicks/security/secrets/default.nix
index 332efbe..8a120f9 100644
--- a/modules/nixos/clicks/security/secrets/default.nix
+++ b/modules/nixos/clicks/security/secrets/default.nix
@@ -12,8 +12,10 @@
     default = config.clicks.defaults.enable;
   };
 
-  config = lib.mkIf cfg.enable {
-    age.rekey = {
+  options.age = {}; # Required definition for lib.optionalAttrs...
+
+  config.age = lib.optionalAttrs cfg.enable {
+    rekey = {
       masterIdentities = [
         "${inputs.self}/secrets/keys/minion/collabora-yubikey.pub"
         "${inputs.self}/secrets/keys/minion/tiny-yubikey.pub"
@@ -24,7 +26,7 @@
       localStorageDir = lib.snowfall.fs.get-snowfall-file "secrets/rekeyed/${config.networking.hostName}";
     };
 
-    age.identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
+    identityPaths = lib.mkIf config.clicks.storage.impermanence.enable [
       "/persist/data/etc/ssh/ssh_host_ed25519_key"
       "/persist/data/etc/ssh/ssh_host_rsa_key"
     ];

modules/nixos/clicks/security/secrets/groupPerms/default.nix

diff --git a/modules/nixos/clicks/security/secrets/groupPerms/default.nix b/modules/nixos/clicks/security/secrets/groupPerms/default.nix
index 1f176ac..8337643 100644
--- a/modules/nixos/clicks/security/secrets/groupPerms/default.nix
+++ b/modules/nixos/clicks/security/secrets/groupPerms/default.nix
@@ -15,11 +15,8 @@
   options.age = {
     secrets = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule (submodule: {
-        config = {
-          mode = lib.pipe "0440" [
-            (lib.mkOverride 999)
-            (lib.mkIf config.clicks.security.secrets.groupPerms.enable)
-          ];
+        config = lib.optionalAttrs config.clicks.security.secrets.groupPerms.enable {
+          mode = lib.mkOverride 999 "0440";
         };
       }));
     };

modules/nixos/clicks/security/secrets/instability/default.nix

diff --git a/modules/nixos/clicks/security/secrets/instability/default.nix b/modules/nixos/clicks/security/secrets/instability/default.nix
index f1362a4..e276c13 100644
--- a/modules/nixos/clicks/security/secrets/instability/default.nix
+++ b/modules/nixos/clicks/security/secrets/instability/default.nix
@@ -20,6 +20,9 @@
     secrets = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule (submodule: {
         options = {
+          name = lib.mkOption {
+            type = lib.types.str;
+          };
           unstableName = lib.mkOption {
             type = lib.types.bool;
             default = config.clicks.security.secrets.instability.enable;
@@ -38,12 +41,12 @@
             '';
           };
         };
-        config = {
+        config = lib.mkIf submodule.config.unstableName {
           # Calculate the name as the sha256 hash of the rekeyFile or file... whichever happens to exist for this secret
           name = let
             dependency = submodule.config.rekeyFile or submodule.config.file;
             hash = builtins.hashFile "sha256" dependency;
-          in lib.mkIf submodule.config.unstableName hash;
+          in hash;
         };
       }));
     };