hercules-ci · KiaraGrouwstra · Aug 1, 2024 · Aug 3, 2024 · Aug 4, 2024 · Aug 4, 2024
diff --git a/arion-compose.cabal b/arion-compose.cabal
@@ -19,6 +19,7 @@ data-files:          nix/*.nix
                    , nix/modules/composition/*.nix
                    , nix/modules/networks/*.nix
                    , nix/modules/nixos/*.nix
+                   , nix/modules/secrets/*.nix
                    , nix/modules/service/*.nix
                    , nix/modules/lib/*.nix
 

diff --git a/src/haskell/testdata/Arion/NixSpec/arion-compose.json b/src/haskell/testdata/Arion/NixSpec/arion-compose.json
@@ -4,6 +4,7 @@
             "name": "unit-test-data"
         }
     },
+    "secrets": {},
     "services": {
         "webserver": {
             "command": [

diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.json
@@ -4,15 +4,33 @@
             "name": "unit-test-data"
         }
     },
+    "secrets": {
+        "foo": {
+            "environment": "FOO",
+            "external": false
+        }
+    },
     "services": {
         "webserver": {
             "build": {
-                "context": "<STOREPATH>"
+                "context": "<STOREPATH>",
+                "secrets": [
+                    "foo"
+                ]
             },
             "environment": {},
             "ports": [
                 "8080:80"
             ],
+            "secrets": [
+                {
+                    "gid": "123",
+                    "mode": "0440",
+                    "source": "foo",
+                    "target": "/run/secrets/foo",
+                    "uid": "123"
+                }
+            ],
             "sysctls": {},
             "volumes": []
         }

diff --git a/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix b/src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix
@@ -2,8 +2,18 @@
   project.name = "unit-test-data";
   services.webserver.service = {
     build.context = "${./build-context}";
+    build.secrets = ["foo"];
     ports = [
       "8080:80"
     ];
+    secrets = {
+      "foo" = {
+        target = "/run/secrets/foo";
+        uid = "123";
+        gid = "123";
+        mode = "0440";
+      };
+    };
   };
+  secrets.foo.environment = "FOO";
 }
diff --git a/src/nix/lib.nix b/src/nix/lib.nix
@@ -11,11 +11,15 @@ let
   networkRef = fragment:
     ''See ${link "https://github.com/compose-spec/compose-spec/blob/${composeSpecRev}/06-networks.md#${fragment}" "Compose Spec Networks #${fragment}"}'';
 
+  secretRef = fragment:
+    ''See ${link "https://github.com/compose-spec/compose-spec/blob/${composeSpecRev}/09-secrets.md#${fragment}" "Compose Spec Secrets #${fragment}"}'';
+
 in
 {
   inherit
     link
     networkRef
     serviceRef
+    secretRef
     ;
 }
diff --git a/src/nix/modules.nix b/src/nix/modules.nix
@@ -3,6 +3,7 @@
     ./modules/composition/host-environment.nix
     ./modules/composition/images.nix
     ./modules/composition/networks.nix
+    ./modules/composition/secrets.nix
     ./modules/composition/service-info.nix
     ./modules/composition/composition.nix
-]
+]
diff --git a/src/nix/modules/composition/docker-compose.nix b/src/nix/modules/composition/docker-compose.nix
@@ -68,6 +68,14 @@ in
       description = "A attribute set of volume configurations.";
       default = {};
     };
+    docker-compose.secrets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.unspecified;
+      description = ''
+        An attribute set of secret configurations. For more info, see:
+        https://docs.docker.com/compose/compose-file/09-secrets/
+      '';
+      default = {};
+    };
   };
   config = {
     out.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.out.dockerComposeYamlText;
@@ -79,6 +87,7 @@ in
       services = lib.mapAttrs (k: c: c.out.service) config.services;
       x-arion = config.docker-compose.extended;
       volumes = config.docker-compose.volumes;
+      secrets = config.docker-compose.secrets;
     };
   };
 }
diff --git a/src/nix/modules/composition/secrets.nix b/src/nix/modules/composition/secrets.nix
@@ -0,0 +1,33 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    mkOption
+    types
+    ;
+  inherit (import ../../lib.nix { inherit lib; })
+    link
+    ;
+in
+{
+
+  options = {
+    secrets = mkOption {
+      type = types.lazyAttrsOf (types.submoduleWith {
+        modules = [
+          ../secrets/secret.nix
+        ];
+      });
+      description = ''
+        See ${link "https://docs.docker.com/compose/compose-file/09-secrets/" "Docker Compose Secrets"}
+      '';
+    };
+  };
+
+  config = {
+
+    secrets = {};
+    docker-compose.secrets = lib.mapAttrs (k: v: v.out) config.secrets;
+
+  };
+}
diff --git a/src/nix/modules/secrets/secret.nix b/src/nix/modules/secrets/secret.nix
@@ -0,0 +1,65 @@
+{ config, lib, options, ... }:
+
+let
+  inherit (lib)
+    mkOption
+    optionalAttrs
+    types
+    ;
+  inherit (import ../../lib.nix { inherit lib; })
+    secretRef
+    ;
+in
+{
+  options = {
+    file = mkOption {
+      description = ''
+        The secret is created with the contents of the file at the specified path.
+        ${secretRef "file"}
+      '';
+      type = types.nullOr (types.either types.path types.str);
+    };
+
+    environment = mkOption {
+      description = ''
+        The secret is created with the value of an environment variable.
+        ${secretRef "environment"}
+      '';
+      type = types.nullOr types.str;
+    };
+
+    external = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether the value of this secret is set via other means.
+        ${secretRef "secrets"}
+      '';
+    };
+
+    out = mkOption {
+      internal = true;
+      description = ''
+        Defines sensitive data that is granted to the services in your Compose application.
+        The source of the secret is either `file` or `environment`.
+      '';
+      type = lib.types.attrsOf lib.types.raw or lib.types.unspecified;
+    };
+  };
+
+  config = {
+    out =
+      lib.mapAttrs
+        (k: opt: opt.value)
+        (lib.filterAttrs
+          (k: opt: opt.isDefined)
+          {
+            inherit (options)
+              file
+              environment
+              external
+              ;
+          }
+        );
+  };
+}
diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix
@@ -18,6 +18,41 @@ let
   cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
   cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
 
+  serviceSecretType = types.submodule {
+    options = {
+      source = mkOption {
+        type = nullOr str;
+        default = null;
+        description = serviceRef "secrets";
+      };
+      target = mkOption {
+        type = nullOr str;
+        default = null;
+        description = serviceRef "secrets";
+      };
+      uid = mkOption {
+        type = nullOr str;
+        default = null;
+        description = serviceRef "secrets";
+      };
+      gid = mkOption {
+        type = nullOr str;
+        default = null;
+        description = serviceRef "secrets";
+      };
+      mode = mkOption {
+        type = nullOr str;
+        default = null;
+        example = "0444";
+        description = ''
+          The default value of is usually 0444. This option may not be supported
+          when not deploying to a Swarm.
+          ${serviceRef "secrets"}
+        '';
+      };
+    };
+  };
+
 in
 {
   imports = [
@@ -57,30 +92,66 @@ in
       default = [];
       description = serviceRef "tmpfs";
     };
-    service.build.context = mkOption {
-      type = nullOr str;
-      default = null;
-      description = ''
-        Locates a Dockerfile to use for creating an image to use in this service.
+    service.build = mkOption {
+      default = {};
+      description = serviceRef "build";
+      type = submodule ({ options, ...}: {
+        options = {
+          _out = mkOption {
+            internal = true;
+            readOnly = true;
+            default = lib.mapAttrs (k: opt: opt.value) (lib.filterAttrs (_: opt: opt.value != null) { inherit (options) context dockerfile target secrets; });
+          };
+          context = mkOption {
+            type = nullOr str;
+            default = null;
+            description = ''
+              Locates a Dockerfile to use for creating an image to use in this service.
 
-        https://docs.docker.com/compose/compose-file/build/#context
-      '';
-    };
-    service.build.dockerfile = mkOption {
-      type = nullOr str;
-      default = null;
-      description = ''
-        Sets an alternate Dockerfile. A relative path is resolved from the build context.
-        https://docs.docker.com/compose/compose-file/build/#dockerfile
-      '';
+              https://docs.docker.com/compose/compose-file/build/#context
+            '';
+          };
+          dockerfile = mkOption {
+            type = nullOr str;
+            default = null;
+            description = ''
+              Sets an alternate Dockerfile. A relative path is resolved from the build context.
+              https://docs.docker.com/compose/compose-file/build/#dockerfile
+            '';
+          };
+          target = mkOption {
+            type = nullOr str;
+            default = null;
+            description = ''
+              Defines the stage to build as defined inside a multi-stage Dockerfile.
+              https://docs.docker.com/compose/compose-file/build/#target
+            '';
+          };
+          secrets = mkOption {
+            type = nullOr (either (listOf str) (attrsOf serviceSecretType));
+            default = null;
+            description = ''
+              Build-time secrets exposed to the service.
+            '';
+          };
+        };
+      });
     };
-    service.build.target = mkOption {
-      type = nullOr str;
-      default = null;
+    service.secrets = mkOption {
+      type = nullOr (either (listOf str) (attrsOf serviceSecretType));
+      default = [];
       description = ''
-        Defines the stage to build as defined inside a multi-stage Dockerfile.
-        https://docs.docker.com/compose/compose-file/build/#target
+        Run-time secrets exposed to the service.
       '';
+      example = {
+        redis_secret = {
+          source = "web_cache_redis_secret";
+          target = "/run/secrets/web_cache_redis_secret";
+          uid = 123;
+          gid = 123;
+          mode = "0440";
+        };
+      };
     };
     service.hostname = mkOption {
       type = nullOr str;
@@ -353,8 +424,8 @@ in
       ;
   } // lib.optionalAttrs (config.service.image != null) {
     inherit (config.service) image;
-  } // lib.optionalAttrs (config.service.build.context != null ) {
-    build = lib.filterAttrs (n: v: v != null)  config.service.build;
+  } // lib.optionalAttrs (config.service.build._out != {}) {
+    build = config.service.build._out;
   } // lib.optionalAttrs (cap_add != []) {
     inherit cap_add;
   } // lib.optionalAttrs (cap_drop != []) {
@@ -379,6 +450,21 @@ in
     inherit (config.service) external_links;
   } // lib.optionalAttrs (config.service.extra_hosts != []) {
     inherit (config.service) extra_hosts;
+  } // lib.optionalAttrs (config.service.secrets != []) {
+    secrets = lib.mapAttrsToList (k: s: {
+      source = k;
+      target = k;
+    } // lib.optionalAttrs (s.source != null) {
+      inherit (s) source;
+    } // lib.optionalAttrs (s.target != null) {
+      inherit (s) target;
+    } // lib.optionalAttrs (s.uid != null) {
+      inherit (s) uid;
+    } // lib.optionalAttrs (s.gid != null) {
+      inherit (s) gid;
+    } // lib.optionalAttrs (s.mode != null) {
+      inherit (s) mode;
+    }) config.service.secrets;
   } // lib.optionalAttrs (config.service.hostname != null) {
     inherit (config.service) hostname;
   } // lib.optionalAttrs (config.service.dns != []) {