don't put private files to store by default

2023-05-26 01:38:17 +07:00 · 2023-05-26 01:38:17 +07:00 · 1f0800986e
parent 69ce2ffdbc
commit 1f0800986e
5 changed files with 37 additions and 31 deletions
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@ -1,19 +1,23 @@
 { exec, ... }: {
-  # I might get a somewhat better solution later, "enjoy" this for now
-  secrets = let
-    archive = exec [
-      "sh" "-c"
-      "echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
-    ];
-  in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
-    name = "private";
-    unpackPhase = "true";
-    buildPhase = "true";
-    installPhase = ''
-      mkdir -p $out
-      cd $out
-      echo "${archive}" | base64 -d | tar xzv
-    '';
-    url = builtins.toFile "private.tar.gz" archive;
-  });
+  secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
+    # compress and base64 the file to make it representable in nix,
+    # then decompress it back in a derivation (shouldn't there be a better way...)
+    copyToStore = pkgs: path:
+      let
+        archive = exec [
+          "sh" "-c"
+          "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
+        ];
+      in "${pkgs.stdenvNoCC.mkDerivation {
+        name = "private";
+        unpackPhase = "true";
+        buildPhase = "true";
+        installPhase = ''
+          mkdir -p $out
+          cd $out
+          echo "${archive}" | base64 -d | tar xzv
+        '';
+        url = builtins.toFile "private.tar.gz.base64" archive;
+      }}/${path}";
+    };
 }
--- a/flake.nix
+++ b/flake.nix
@ -32,21 +32,21 @@
  outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
  let
    # IRL-related stuff I'd rather not put into git
-    priv = pkgs:
-      if builtins.pathExists ./private.nix then (import ./private.nix)
-      else if builtins.pathExists ./private/default.nix then (import ./private)
+    priv =
+      if builtins.pathExists ./private.nix then (import ./private.nix { })
+      else if builtins.pathExists ./private/default.nix then (import ./private { })
      # workaround for git flakes not having access to non-checked out files
-      else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
+      else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
      # yes, this is impure, this is a last ditch effort at getting access to secrets
-      else import /etc/nixos/private;
+      else import /etc/nixos/private { };
    # if x has key s, get it. Otherwise return def
    getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
    # All private config for hostname
-    getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
+    getPriv = hostname: getOr { } hostname priv;
    # Private NixOS config for hostname
-    getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
+    getPrivSys = hostname: getOr { } "system" (getPriv hostname);
    # Private home-manager config for hostname and username
-    getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
+    getPrivUser = hostname: user: getOr { } user (getPriv hostname);
    # extended lib
    lib = nixpkgs.lib // {
      quoteListenAddr = addr:
@ -116,7 +116,7 @@
          ./system/modules/impermanence.nix
          ./system/modules/common.nix
          impermanence.nixosModule 
-          (getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
+          (getPrivSys hostname)
          ({ config, pkgs, ... }: {
            nixpkgs.overlays = [ overlay ];
            nix.extraOptions = ''
@ -160,7 +160,7 @@
                    plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
                  '';
                })
-                (getPrivUser (import nixpkgs { inherit system; }) hostname username)
+                (getPrivUser hostname username)
              ];
            }) (builtins.removeAttrs home [ "common" ]);
          }
@ -190,7 +190,7 @@
                (user: homeConfig: {
                  "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
                    modules = homeConfig ++ [
-                      (getPrivUser (import nixpkgs { inherit system; }) hostname user)
+                      (getPrivUser hostname user)
                      ({ config, pkgs, lib, ... }: {
                        nixpkgs.overlays = [ overlay ];
                        nix.package = lib.mkDefault pkgs.nixFlakes;
--- a/private.nix.sample
+++ b/private.nix.sample
@ -1,4 +1,7 @@
-{
+# copy a path to store (needed because I don't copy the secrets to store by default)
+# arg must be a string because of how nix handles relative paths as absolute
+{ copyToStore ? (pkgs: x: ./. + x)
+, ... }: {
  nixmsi = {
    system = { pkgs, ... }: {
      # insert private config here
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/nixserver/default.nix
@ -44,7 +44,6 @@ in {
      grub = {
        enable = true;
        device = "nodev";
-        version = 2;
        efiSupport = true;
        efiInstallAsRemovable = true;
      };
--- a/system/hosts/nixserver/mailserver.nix
+++ b/system/hosts/nixserver/mailserver.nix
@ -27,7 +27,7 @@ in {
    enable = true;
    fqdn = "mail.${cfg.domainName}";
    domains = [ cfg.domainName ];
-    certificateScheme = 1;
+    certificateScheme = "acme";
    certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem";
    keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem";
    localDnsResolver = false;