dotfiles/extra-builtins.nix

{ exec, ... }: {
  secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
    # compress and base64 the file to make it representable in nix,
    # then decompress it back in a derivation (shouldn't there be a better way...)
    copyToStore = pkgs: name: path:
      let
        archive = exec [
          "/bin/sh" "-c"
          "echo '\"' && (cd /etc/nixos/private && tar -I ${pkgs.zstd}/bin/zstd -c -- ${pkgs.lib.escapeShellArg path} 2>/dev/null | base64 -w0) && echo '\"'"
        ];
      in "${pkgs.stdenvNoCC.mkDerivation {
        inherit name;
        unpackPhase = "true";
        buildPhase = "true";
        installPhase = ''
          mkdir -p $out
          cd $out
          echo "${archive}" | base64 -d | tar -I ${pkgs.zstd}/bin/zstd -x
        '';
      }}/${toString path}";
    };
}
store secrets separate from this flake This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into store as well, but this new system may be more robust and can be extended to way be more secure in the future (e.g. right now I copy the secret .nix files to store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work. 2023-05-26 00:40:31 +07:00			`{ exec, ... }: {`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {`
			`# compress and base64 the file to make it representable in nix,`
			`# then decompress it back in a derivation (shouldn't there be a better way...)`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`copyToStore = pkgs: name: path:`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`let`
			`archive = exec [`
update inputs 2023-08-14 03:50:27 +07:00			`"/bin/sh" "-c"`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`"echo '\"' && (cd /etc/nixos/private && tar -I ${pkgs.zstd}/bin/zstd -c -- ${pkgs.lib.escapeShellArg path} 2>/dev/null \| base64 -w0) && echo '\"'"`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`];`
			`in "${pkgs.stdenvNoCC.mkDerivation {`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`inherit name;`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`unpackPhase = "true";`
			`buildPhase = "true";`
			`installPhase = ''`
			`mkdir -p $out`
			`cd $out`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`echo "${archive}" \| base64 -d \| tar -I ${pkgs.zstd}/bin/zstd -x`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`'';`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`}}/${toString path}";`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`};`
store secrets separate from this flake This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into store as well, but this new system may be more robust and can be extended to way be more secure in the future (e.g. right now I copy the secret .nix files to store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work. 2023-05-26 00:40:31 +07:00			`}`