From 1f0800986e8a3fadc559bd3cd9d98fc465a61def Mon Sep 17 00:00:00 2001
From: chayleaf
Date: Fri, 26 May 2023 01:38:17 +0700
Subject: [PATCH] don't put private files to store by default

---
 extra-builtins.nix | 38 +++++++++++++++------------
 flake.nix | 22 ++++++++--------
 private.nix.sample | 5 +++-
 system/hosts/nixserver/default.nix | 1 -
 system/hosts/nixserver/mailserver.nix | 2 +-
 5 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/extra-builtins.nix b/extra-builtins.nix
index c58f9c2..7b511a0 100644
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@@ -1,19 +1,23 @@
 { exec, ... }: {
- # I might get a somewhat better solution later, "enjoy" this for now
- secrets = let
- archive = exec [
- "sh" "-c"
- "echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
- ];
- in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
- name = "private";
- unpackPhase = "true";
- buildPhase = "true";
- installPhase = ''
- mkdir -p $out
- cd $out
- echo "${archive}" | base64 -d | tar xzv
- '';
- url = builtins.toFile "private.tar.gz" archive;
- });
+ secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
+ # compress and base64 the file to make it representable in nix,
+ # then decompress it back in a derivation (shouldn't there be a better way...)
+ copyToStore = pkgs: path:
+ let
+ archive = exec [
+ "sh" "-c"
+ "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
+ ];
+ in "${pkgs.stdenvNoCC.mkDerivation {
+ name = "private";
+ unpackPhase = "true";
+ buildPhase = "true";
+ installPhase = ''
+ mkdir -p $out
+ cd $out
+ echo "${archive}" | base64 -d | tar xzv
+ '';
+ url = builtins.toFile "private.tar.gz.base64" archive;
+ }}/${path}";
+ };
 }
diff --git a/flake.nix b/flake.nix
index b3ab2cd..a6a11d9 100644
--- a/flake.nix
+++ b/flake.nix
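Review bot: In the added `copyToStore`, `path` is spliced unquoted into the `sh -c` command (`tar czv ${path}`), and the whole base64 archive is then spliced a second time into `installPhase` via `echo "${archive}"`, so a path containing spaces or shell metacharacters breaks the tar step, and a large file lands in the builder's environment and argv on top of the `url` store file. Since mkDerivation exports the extra `url` attribute to the builder, the archive only needs to exist once: `tar czv '${path}'` in the exec command and `base64 -d < "$url" | tar xzv` in place of the echo line. The derivation also keeps the fixed `name = "private"` for every path, which is harmless for the store hash but makes the outputs indistinguishable when listing the store; `name = "private-${baseNameOf path}"` would help. The comment above `copyToStore` should also say that a file passed through it is still world-readable in the store, and `preferLocalBuild = true` would keep such a derivation from being shipped to a remote builder.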
@@ -32,21 +32,21 @@
 outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
 let
 # IRL-related stuff I'd rather not put into git
- priv = pkgs:
- if builtins.pathExists ./private.nix then (import ./private.nix)
- else if builtins.pathExists ./private/default.nix then (import ./private)
+ priv =
+ if builtins.pathExists ./private.nix then (import ./private.nix { })
+ else if builtins.pathExists ./private/default.nix then (import ./private { })
 # workaround for git flakes not having access to non-checked out files
- else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
+ else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
 # yes, this is impure, this is a last ditch effort at getting access to secrets
- else import /etc/nixos/private;
+ else import /etc/nixos/private { };
 # if x has key s, get it. Otherwise return def
 getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
 # All private config for hostname
- getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
+ getPriv = hostname: getOr { } hostname priv;
 # Private NixOS config for hostname
- getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
+ getPrivSys = hostname: getOr { } "system" (getPriv hostname);
 # Private home-manager config for hostname and username
- getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
+ getPrivUser = hostname: user: getOr { } user (getPriv hostname);
 # extended lib
 lib = nixpkgs.lib // {
 quoteListenAddr = addr:
@@ -116,7 +116,7 @@
 ./system/modules/impermanence.nix
 ./system/modules/common.nix
 impermanence.nixosModule
- (getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
+ (getPrivSys hostname)
 ({ config, pkgs, ... }: {
 nixpkgs.overlays = [ overlay ];
 nix.extraOptions = ''
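Review bot: The four branches of the new `priv` no longer hand the private module the same thing: the two `import ... { }` branches and the impure `import /etc/nixos/private { }` fallback pass an empty attrset, so `copyToStore` falls back to whatever default the private file declares, while only the `builtins.extraBuiltins.secrets` branch receives the derivation-based `copyToStore` from extra-builtins.nix. That difference decides whether a secret referenced through `copyToStore` becomes a plain path (copied to the store whenever it is coerced to a string) or goes through the tar/base64 derivation, so it deserves a line above `priv`, e.g. `# only the extraBuiltins branch supplies copyToStore; the other branches use the default declared in the private file`. The same comment should state that the private file must now be a function, since `import ./private.nix { }` on an attrset fails with "attempt to call something which is not a function" and existing private files may still be attrsets. The `let` opened here continues past the hunk.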
@@ -160,7 +160,7 @@
 plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
 '';
 })
- (getPrivUser (import nixpkgs { inherit system; }) hostname username)
+ (getPrivUser hostname username)
 ];
 }) (builtins.removeAttrs home [ "common" ]);
 }
@@ -190,7 +190,7 @@
 (user: homeConfig: {
 "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
 modules = homeConfig ++ [
- (getPrivUser (import nixpkgs { inherit system; }) hostname user)
+ (getPrivUser hostname user)
 ({ config, pkgs, lib, ... }: {
 nixpkgs.overlays = [ overlay ];
 nix.package = lib.mkDefault pkgs.nixFlakes;
diff --git a/private.nix.sample b/private.nix.sample
index 52fb5c7..19c1fc9 100644
--- a/private.nix.sample
+++ b/private.nix.sample
@@ -1,4 +1,7 @@
-{
+# copy a path to store (needed because I don't copy the secrets to store by default)
+# arg must be a string because of how nix handles relative paths as absolute
+{ copyToStore ? (pkgs: x: ./. + x)
+, ... }: {
 nixmsi = {
 system = { pkgs, ... }: {
 # insert private config here
diff --git a/system/hosts/nixserver/default.nix b/system/hosts/nixserver/default.nix
index 27cb489..e4c4e43 100644
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/nixserver/default.nix
@@ -44,7 +44,6 @@ in {
 grub = {
 enable = true;
 device = "nodev";
- version = 2;
 efiSupport = true;
 efiInstallAsRemovable = true;
 };
diff --git a/system/hosts/nixserver/mailserver.nix b/system/hosts/nixserver/mailserver.nix
index 238dbeb..2b776a9 100644
--- a/system/hosts/nixserver/mailserver.nix
+++ b/system/hosts/nixserver/mailserver.nix
@@ -27,7 +27,7 @@ in {
 enable = true;
 fqdn = "mail.${cfg.domainName}";
 domains = [ cfg.domainName ];
- certificateScheme = 1;
+ certificateScheme = "acme";
 certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem";
 keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem";
 localDnsResolver = false;
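Review bot: The default `copyToStore ? (pkgs: x: ./. + x)` in the new private.nix.sample header only works when `x` starts with a slash, because Nix concatenates a path and a string literally (`./. + "foo"` yields the directory name with `foo` glued on, not a file inside it), whereas the implementation in extra-builtins.nix runs `tar czv ${path}` relative to `/etc/nixos/private` and builds `${drv}/${path}`, which wants a bare relative name. The two implementations thus accept different argument forms, so a private file written for one breaks under the other; aligning the sample on the relative form with `{ copyToStore ? (pkgs: x: ./. + "/${x}")` would let the same file work through both branches of `priv`. The comment `# arg must be a string because of how nix handles relative paths as absolute` could then state the expected form, e.g. `# arg is a path relative to this file, given as a string such as "some/file"`. Note also that `./.` resolves to the directory holding the private file, which differs between the `./private.nix` and `./private/default.nix` layouts flake.nix accepts.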
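Review bot: Changing `certificateScheme` from `1` to `"acme"` in mailserver.nix looks like more than the numeric-to-string rename the rest of the commit suggests: if I read nixos-mailserver right, `1` mapped to the manual scheme that consumes `certificateFile`/`keyFile`, while `"acme"` takes the certificate from `security.acme.certs` by `acmeCertificateName` (defaulting to the fqdn) and ignores the two file options kept on the following lines. If the switch to the ACME-managed scheme is intended, the now-unused `certificateFile` and `keyFile` lines should be dropped so nobody expects them to matter; if not, the behaviour-preserving value is `certificateScheme = "manual";`. The `mailserver` attrset continues outside the hunk.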