dotfiles/extra-builtins.nix

{ exec, ... }: {
  secrets = exec [ "cat" "/secrets/nixos/default.nix" ] {
    # compress and base64 the file to make it representable in nix,
    # then decompress it back in a derivation (shouldn't there be a better way...)
    copyToStore = pkgs: name: path:
      let
        archive = exec [ "${pkgs.bash}/bin/bash" "-c" ''
          cd /secrets/nixos
          echo '"'"$(
            ${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \
              --transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \
              -c -- ${pkgs.lib.escapeShellArg path} | base64 -w0
          )"'"'
        '' ];
      in derivation {
        __contentAddressed = true;
        outputHashAlgo = "sha256";
        outputHashMode = "recursive";
        preferLocalBuild = true;
        allowSubstitutes = false;
        allowedReferences = [];
        passAsFile = [ "archive" ];
        inherit name archive;
        inherit (pkgs) system;
        builder = "${pkgs.bash}/bin/bash";
        args = [ "-c" ''
          ${pkgs.coreutils}/bin/base64 -d "$archivePath" |
            ${pkgs.gnutar}/bin/tar -P --transform="s#!#$out#" -I ${pkgs.zstd}/bin/zstd -x
        '' ];
      };
    };
}
store secrets separate from this flake This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into store as well, but this new system may be more robust and can be extended to way be more secure in the future (e.g. right now I copy the secret .nix files to store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work. 2023-05-26 00:40:31 +07:00			`{ exec, ... }: {`
flake/secrets: move from /etc/nixos/private to /secrets/nixos 2023-12-25 04:13:25 +07:00			`secrets = exec [ "cat" "/secrets/nixos/default.nix" ] {`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`# compress and base64 the file to make it representable in nix,`
			`# then decompress it back in a derivation (shouldn't there be a better way...)`
nixserver->server; start working on phone config 2023-10-17 20:25:03 +07:00			`copyToStore = pkgs: name: path:`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`let`
server: add swap 2023-10-17 23:12:08 +07:00			`archive = exec [ "${pkgs.bash}/bin/bash" "-c" ''`
flake/secrets: move from /etc/nixos/private to /secrets/nixos 2023-12-25 04:13:25 +07:00			`cd /secrets/nixos`
server: add swap 2023-10-17 23:12:08 +07:00			`echo '"'"$(`
			`${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \`
			`--transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \`
			`-c -- ${pkgs.lib.escapeShellArg path} \| base64 -w0`
			`)"'"'`
			`'' ];`
			`in derivation {`
work around https://github.com/NixOS/hydra/issues/1186 2023-10-18 18:35:41 +07:00			`__contentAddressed = true;`
			`outputHashAlgo = "sha256";`
			`outputHashMode = "recursive";`
			`preferLocalBuild = true;`
			`allowSubstitutes = false;`
			`allowedReferences = [];`
			`passAsFile = [ "archive" ];`
			`inherit name archive;`
server: add swap 2023-10-17 23:12:08 +07:00			`inherit (pkgs) system;`
			`builder = "${pkgs.bash}/bin/bash";`
			`args = [ "-c" ''`
work around https://github.com/NixOS/hydra/issues/1186 2023-10-18 18:35:41 +07:00			`${pkgs.coreutils}/bin/base64 -d "$archivePath" \|`
server: add swap 2023-10-17 23:12:08 +07:00			`${pkgs.gnutar}/bin/tar -P --transform="s#!#$out#" -I ${pkgs.zstd}/bin/zstd -x`
			`'' ];`
			`};`
don't put private files to store by default 2023-05-26 01:38:17 +07:00			`};`
store secrets separate from this flake This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into store as well, but this new system may be more robust and can be extended to way be more secure in the future (e.g. right now I copy the secret .nix files to store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work. 2023-05-26 00:40:31 +07:00			`}`