don't put private files to store by default

This commit is contained in:
chayleaf 2023-05-26 01:38:17 +07:00
parent 69ce2ffdbc
commit 1f0800986e
5 changed files with 37 additions and 31 deletions

View file

@ -1,19 +1,23 @@
{ exec, ... }: { { exec, ... }: {
# I might get a somewhat better solution later, "enjoy" this for now secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
secrets = let # compress and base64 the file to make it representable in nix,
archive = exec [ # then decompress it back in a derivation (shouldn't there be a better way...)
"sh" "-c" copyToStore = pkgs: path:
"echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'" let
]; archive = exec [
in pkgs: import (pkgs.stdenvNoCC.mkDerivation { "sh" "-c"
name = "private"; "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
unpackPhase = "true"; ];
buildPhase = "true"; in "${pkgs.stdenvNoCC.mkDerivation {
installPhase = '' name = "private";
mkdir -p $out unpackPhase = "true";
cd $out buildPhase = "true";
echo "${archive}" | base64 -d | tar xzv installPhase = ''
''; mkdir -p $out
url = builtins.toFile "private.tar.gz" archive; cd $out
}); echo "${archive}" | base64 -d | tar xzv
'';
url = builtins.toFile "private.tar.gz.base64" archive;
}}/${path}";
};
} }

View file

@ -32,21 +32,21 @@
outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }: outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
let let
# IRL-related stuff I'd rather not put into git # IRL-related stuff I'd rather not put into git
priv = pkgs: priv =
if builtins.pathExists ./private.nix then (import ./private.nix) if builtins.pathExists ./private.nix then (import ./private.nix { })
else if builtins.pathExists ./private/default.nix then (import ./private) else if builtins.pathExists ./private/default.nix then (import ./private { })
# workaround for git flakes not having access to non-checked out files # workaround for git flakes not having access to non-checked out files
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
# yes, this is impure, this is a last ditch effort at getting access to secrets # yes, this is impure, this is a last ditch effort at getting access to secrets
else import /etc/nixos/private; else import /etc/nixos/private { };
# if x has key s, get it. Otherwise return def # if x has key s, get it. Otherwise return def
getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def; getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
# All private config for hostname # All private config for hostname
getPriv = pkgs: hostname: getOr { } hostname (priv pkgs); getPriv = hostname: getOr { } hostname priv;
# Private NixOS config for hostname # Private NixOS config for hostname
getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname); getPrivSys = hostname: getOr { } "system" (getPriv hostname);
# Private home-manager config for hostname and username # Private home-manager config for hostname and username
getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname); getPrivUser = hostname: user: getOr { } user (getPriv hostname);
# extended lib # extended lib
lib = nixpkgs.lib // { lib = nixpkgs.lib // {
quoteListenAddr = addr: quoteListenAddr = addr:
@ -116,7 +116,7 @@
./system/modules/impermanence.nix ./system/modules/impermanence.nix
./system/modules/common.nix ./system/modules/common.nix
impermanence.nixosModule impermanence.nixosModule
(getPrivSys (import inputs.nixpkgs { inherit system; }) hostname) (getPrivSys hostname)
({ config, pkgs, ... }: { ({ config, pkgs, ... }: {
nixpkgs.overlays = [ overlay ]; nixpkgs.overlays = [ overlay ];
nix.extraOptions = '' nix.extraOptions = ''
@ -160,7 +160,7 @@
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
''; '';
}) })
(getPrivUser (import nixpkgs { inherit system; }) hostname username) (getPrivUser hostname username)
]; ];
}) (builtins.removeAttrs home [ "common" ]); }) (builtins.removeAttrs home [ "common" ]);
} }
@ -190,7 +190,7 @@
(user: homeConfig: { (user: homeConfig: {
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // { "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
modules = homeConfig ++ [ modules = homeConfig ++ [
(getPrivUser (import nixpkgs { inherit system; }) hostname user) (getPrivUser hostname user)
({ config, pkgs, lib, ... }: { ({ config, pkgs, lib, ... }: {
nixpkgs.overlays = [ overlay ]; nixpkgs.overlays = [ overlay ];
nix.package = lib.mkDefault pkgs.nixFlakes; nix.package = lib.mkDefault pkgs.nixFlakes;

View file

@ -1,4 +1,7 @@
{ # copy a path to store (needed because I don't copy the secrets to store by default)
# arg must be a string because of how nix handles relative paths as absolute
{ copyToStore ? (pkgs: x: ./. + x)
, ... }: {
nixmsi = { nixmsi = {
system = { pkgs, ... }: { system = { pkgs, ... }: {
# insert private config here # insert private config here

View file

@ -44,7 +44,6 @@ in {
grub = { grub = {
enable = true; enable = true;
device = "nodev"; device = "nodev";
version = 2;
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
}; };

View file

@ -27,7 +27,7 @@ in {
enable = true; enable = true;
fqdn = "mail.${cfg.domainName}"; fqdn = "mail.${cfg.domainName}";
domains = [ cfg.domainName ]; domains = [ cfg.domainName ];
certificateScheme = 1; certificateScheme = "acme";
certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem"; certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem";
keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem"; keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem";
localDnsResolver = false; localDnsResolver = false;