store secrets separate from this flake

This uses a native plugin (pkgs.nix-plugins) to avoid using --impure,
other options involving secret files are too limited for my use case as
I need eval-time access to secrets. Moving it to a private flake is
another option, but Nix flakes are poorly suited for non-monorepos.
Previously I just renamed .git to .git.bak to make sure Nix pulls the
"private" subdir into store as well, but this new system may be more
robust and can be extended to be far more secure in the future (e.g.
right now I copy the secret .nix files to store, but in general there's
no need to do that).

Of course the main drawback is that now I require a plugin for this
flake to work.
This commit is contained in:
chayleaf 2023-05-26 00:40:31 +07:00
parent febfcb416b
commit 69ce2ffdbc
7 changed files with 66 additions and 28 deletions


@ -1,9 +1,19 @@
# My Nix config
To install, simply run `nixos-rebuild switch --flake .` and
`home-manager switch --flake .`... just kidding, this config relies on a
bunch of secrets that I'm too lazy to make defaults for (such as initial
root password for impermanence), so you won't be able to run it as-is.
Home-manager config and modules are in `./home`, NixOS config and
modules are in `./system`.
Secrets are fetched using a nix plugin at evaluation time to avoid using
`--impure`. I plan to implement a more robust secrets system later
though.
To install, simply run `nixos-rebuild switch --flake . --option
extra-builtins-file $(pwd)/extra-builtins.nix` and
`home-manager switch --flake . --option extra-builtins-file
$(pwd)/extra-builtins.nix`, since this repo relies on build-time
decryption of secrets using a Nix plugin (to be fair you won't be able
to use it since you don't have the secrets, such as initial root
password). If you don't have `nix-plugins` though, you can put the
secrets in plaintext to `/etc/nixos/private` and add `--impure` flag to
bootstrap the config.

19
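--- /dev/null
+++ b/extra-builtins.nix
@@ -0,0 +1,19 @@
+{ exec, ... }: {
+# I might get a somewhat better solution later, "enjoy" this for now
+secrets = let
+archive = exec [
+"sh" "-c"
+"echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
+];
+in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
+name = "private";
+unpackPhase = "true";
+buildPhase = "true";
+installPhase = ''
+mkdir -p $out
+cd $out
+echo "${archive}" | base64 -d | tar xzv
+'';
+url = builtins.toFile "private.tar.gz" archive;
+});
+}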
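Review bot: The archive of `/etc/nixos/private` is written to the world-readable Nix store twice — once through `url = builtins.toFile "private.tar.gz" archive;`, which nothing else in the derivation reads, and once because `echo "${archive}" | base64 -d | tar xzv` interpolates the whole base64 string into `installPhase`, so it also sits in the .drv as an environment variable. Dropping the unused `url` line removes one copy for free; the commit message already treats the remaining copy as a known limitation, and a comment such as `# NOTE: the decoded secrets and this script (with the archive inline) are readable by every local user via /nix/store` next to `installPhase` would keep that visible to a future reader. Separately, the `exec` pipeline's exit status is base64's, not tar's, so a partially unreadable directory silently yields a truncated archive, and a missing directory yields a lone `"` that fails Nix parsing instead of a clear message; a guard such as `[ -d /etc/nixos/private ] || { echo 'private dir missing' >&2; exit 1; }` before the `cd` would make both failures explicit.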


@ -32,18 +32,21 @@
outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
let
# IRL-related stuff I'd rather not put into git
priv =
priv = pkgs:
if builtins.pathExists ./private.nix then (import ./private.nix)
else if builtins.pathExists ./private/default.nix then (import ./private)
else { };
# workaround for git flakes not having access to non-checked out files
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
# yes, this is impure, this is a last ditch effort at getting access to secrets
else import /etc/nixos/private;
# if x has key s, get it. Otherwise return def
getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
# All private config for hostname
getPriv = hostname: getOr { } hostname priv;
getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
# Private NixOS config for hostname
getPrivSys = hostname: getOr { } "system" (getPriv hostname);
getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
# Private home-manager config for hostname and username
getPrivUser = hostname: user: getOr { } user (getPriv hostname);
getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
# extended lib
lib = nixpkgs.lib // {
quoteListenAddr = addr:
@ -113,9 +116,12 @@
./system/modules/impermanence.nix
./system/modules/common.nix
impermanence.nixosModule
(getPrivSys hostname)
{
(getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
({ config, pkgs, ... }: {
nixpkgs.overlays = [ overlay ];
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
nix.registry =
builtins.mapAttrs
@ -130,7 +136,7 @@
})
(lib.filterAttrs (_: v: builtins.pathExists "${v}/default.nix") inputs);
nix.nixPath = [ "/etc/nix/inputs" ];
}
})
] ++ (lib.optionals (home != {} && (getOr true "enableNixosModule" (getOr {} "common" home))) [
# only use NixOS HM module if same nixpkgs as system nixpkgs is used for user
# why? because it seems that HM lacks the option to override pkgs, only change nixpkgs.* settings
@ -147,10 +153,14 @@
nixpkgs = getOr { } "nixpkgs" (getOr { } "common" home);
nix = getOr { } "nix" (getOr { } "common" home);
}
({ pkgs, ...}: {
({ config, pkgs, lib, ...}: {
nixpkgs.overlays = [ overlay ];
nix.package = lib.mkDefault pkgs.nixFlakes;
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
})
(getPrivUser hostname username)
(getPrivUser (import nixpkgs { inherit system; }) hostname username)
];
}) (builtins.removeAttrs home [ "common" ]);
}
@ -170,8 +180,9 @@
(lib.mapAttrsToList
(hostname: sysConfig:
let
system = if sysConfig?system then sysConfig.system else "x86_64-linux";
common = builtins.removeAttrs (getOr { } "common" sysConfig.home) [ "nixpkgs" "enableNixosModule" ];
pkgs = getOr (mkPkgs { system = if sysConfig?system then sysConfig.system else "x86_64-linux"; }) "pkgs" common;
pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;
common' = common // { inherit pkgs; };
in
lib.mapAttrsToList
@ -179,10 +190,13 @@
(user: homeConfig: {
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
modules = homeConfig ++ [
(getPrivUser hostname user)
({ pkgs, ... }: {
(getPrivUser (import nixpkgs { inherit system; }) hostname user)
({ config, pkgs, lib, ... }: {
nixpkgs.overlays = [ overlay ];
nix.package = pkgs.nixFlakes;
nix.package = lib.mkDefault pkgs.nixFlakes;
nix.extraOptions = ''
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
'';
})
];
});
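Review bot: The `nix.extraOptions` block setting `plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so` is repeated verbatim in three modules (the hunks starting at `@ -113`, `@ -147` and `@ -179`); moving it into one shared module imported by all three keeps the plugin/`config.nix.package` coupling in a single place. The calls `getPrivSys (import inputs.nixpkgs { inherit system; }) hostname` and `getPrivUser (import nixpkgs { inherit system; }) ...` each instantiate another nixpkgs solely so `extraBuiltins.secrets` can call `mkDerivation`; the file appears to already have an `mkPkgs` helper (`pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;`), so reusing it would avoid the repeated evaluation, assuming that does not create a cycle with the private module's own `nixpkgs.*` settings — its definition is outside the hunks, so verify. The fallback `else import /etc/nixos/private;` deserves a comment stating that it is only reached when the plugin is not loaded and requires `--impure`, since that is the bootstrap path the README describes. The enclosing `outputs` function begins before the first hunk and ends after the last.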


@ -1,2 +0,0 @@
#!/usr/bin/env bash
mv .git .git.bak


@ -1,2 +0,0 @@
#!/usr/bin/env bash
mv .git.bak .git


@ -1,4 +1,3 @@
#!/usr/bin/env bash
git push
git push github master
./postpush.sh


@ -1,15 +1,15 @@
#!/usr/bin/env bash
cp ~/.config/nixpkgs/overlays.nix ./overlays.nix || (mkdir -p ~/.config/nixpkgs && cp ./overlays.nix ~/.config/nixpkgs)
nix flake update
nvfetcher \
-o ./pkgs/_sources \
-c ./pkgs/nvfetcher.toml || echo "failed to update nvfetcher sources"
mozilla-addons-to-nix \
./pkgs/firefox-addons/addons.json \
./pkgs/firefox-addons/generated.nix || echo "failed to update firefox addons"
nix flake update
if [ -z ${SUDO_ASKPASS+x} ]; then
sudo nixos-rebuild switch --flake .
sudo nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
else
sudo -A nixos-rebuild switch --flake .
sudo -A nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
fi
home-manager switch --flake .
home-manager switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
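Review bot: The argument `--option extra-builtins-file "$(pwd)/extra-builtins.nix"` is spelled out three times, in both `nixos-rebuild` branches and the `home-manager` call; assigning it once, e.g. `extra_builtins=(--option extra-builtins-file "$PWD/extra-builtins.nix")` and passing `"${extra_builtins[@]}"` to each command, keeps the three invocations from drifting apart. Like the existing `--flake .`, the path relies on the script being run from the repository root; a one-line comment at the top stating that assumption is worth adding, since a wrong working directory now presumably surfaces as a plugin or secrets error rather than a flake-lookup error.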