store secrets separate from this flake
This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into store as well, but this new system may be more robust and can be extended to way be more secure in the future (e.g. right now I copy the secret .nix files to store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work.
This commit is contained in:
parent
febfcb416b
commit
69ce2ffdbc
20
README.md
20
README.md
|
@ -1,9 +1,19 @@
|
||||||
# My Nix config
|
# My Nix config
|
||||||
|
|
||||||
To install, simply run `nixos-rebuild switch --flake .` and
|
|
||||||
`home-manager switch --flake .`... just kidding, this config relies on a
|
|
||||||
bunch of secrets that I'm too lazy to make defaults for (such as initial
|
|
||||||
root password for impermanence), so you won't be able to run it as-is.
|
|
||||||
|
|
||||||
Home-manager config and modules are in `./home`, NixOS config and
|
Home-manager config and modules are in `./home`, NixOS config and
|
||||||
modules are in `./system`.
|
modules are in `./system`.
|
||||||
|
|
||||||
|
Secrets are fetched using a nix plugin at evaluation time to avoid using
|
||||||
|
`--impure`. I plan to implement a more robust secrets system later
|
||||||
|
though.
|
||||||
|
|
||||||
|
To install, simply run `nixos-rebuild switch --flake . --option
|
||||||
|
extra-builtins-file $(pwd)/extra-builtins.nix` and
|
||||||
|
`home-manager switch --flake . --option extra-builtins-file
|
||||||
|
$(pwd)/extra-builtins.nix`, since this repo relies on build-time
|
||||||
|
decryption of secrets using a Nix plugin (to be fair you won't be able
|
||||||
|
to use it since you don't have the secrets, such as initial root
|
||||||
|
password). If you don't have `nix-plugins` though, you can put the
|
||||||
|
secrets in plaintext to `/etc/nixos/private` and add `--impure` flag to
|
||||||
|
bootstrap the config.
|
||||||
|
|
||||||
|
|
19
extra-builtins.nix
Normal file
19
extra-builtins.nix
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
{ exec, ... }: {
|
||||||
|
# I might get a somewhat better solution later, "enjoy" this for now
|
||||||
|
secrets = let
|
||||||
|
archive = exec [
|
||||||
|
"sh" "-c"
|
||||||
|
"echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
|
||||||
|
];
|
||||||
|
in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
|
||||||
|
name = "private";
|
||||||
|
unpackPhase = "true";
|
||||||
|
buildPhase = "true";
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out
|
||||||
|
cd $out
|
||||||
|
echo "${archive}" | base64 -d | tar xzv
|
||||||
|
'';
|
||||||
|
url = builtins.toFile "private.tar.gz" archive;
|
||||||
|
});
|
||||||
|
}
|
42
flake.nix
42
flake.nix
|
@ -32,18 +32,21 @@
|
||||||
outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
|
outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
|
||||||
let
|
let
|
||||||
# IRL-related stuff I'd rather not put into git
|
# IRL-related stuff I'd rather not put into git
|
||||||
priv =
|
priv = pkgs:
|
||||||
if builtins.pathExists ./private.nix then (import ./private.nix)
|
if builtins.pathExists ./private.nix then (import ./private.nix)
|
||||||
else if builtins.pathExists ./private/default.nix then (import ./private)
|
else if builtins.pathExists ./private/default.nix then (import ./private)
|
||||||
else { };
|
# workaround for git flakes not having access to non-checked out files
|
||||||
|
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
|
||||||
|
# yes, this is impure, this is a last ditch effort at getting access to secrets
|
||||||
|
else import /etc/nixos/private;
|
||||||
# if x has key s, get it. Otherwise return def
|
# if x has key s, get it. Otherwise return def
|
||||||
getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
|
getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
|
||||||
# All private config for hostname
|
# All private config for hostname
|
||||||
getPriv = hostname: getOr { } hostname priv;
|
getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
|
||||||
# Private NixOS config for hostname
|
# Private NixOS config for hostname
|
||||||
getPrivSys = hostname: getOr { } "system" (getPriv hostname);
|
getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
|
||||||
# Private home-manager config for hostname and username
|
# Private home-manager config for hostname and username
|
||||||
getPrivUser = hostname: user: getOr { } user (getPriv hostname);
|
getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
|
||||||
# extended lib
|
# extended lib
|
||||||
lib = nixpkgs.lib // {
|
lib = nixpkgs.lib // {
|
||||||
quoteListenAddr = addr:
|
quoteListenAddr = addr:
|
||||||
|
@ -113,9 +116,12 @@
|
||||||
./system/modules/impermanence.nix
|
./system/modules/impermanence.nix
|
||||||
./system/modules/common.nix
|
./system/modules/common.nix
|
||||||
impermanence.nixosModule
|
impermanence.nixosModule
|
||||||
(getPrivSys hostname)
|
(getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
|
||||||
{
|
({ config, pkgs, ... }: {
|
||||||
nixpkgs.overlays = [ overlay ];
|
nixpkgs.overlays = [ overlay ];
|
||||||
|
nix.extraOptions = ''
|
||||||
|
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
|
||||||
|
'';
|
||||||
|
|
||||||
nix.registry =
|
nix.registry =
|
||||||
builtins.mapAttrs
|
builtins.mapAttrs
|
||||||
|
@ -130,7 +136,7 @@
|
||||||
})
|
})
|
||||||
(lib.filterAttrs (_: v: builtins.pathExists "${v}/default.nix") inputs);
|
(lib.filterAttrs (_: v: builtins.pathExists "${v}/default.nix") inputs);
|
||||||
nix.nixPath = [ "/etc/nix/inputs" ];
|
nix.nixPath = [ "/etc/nix/inputs" ];
|
||||||
}
|
})
|
||||||
] ++ (lib.optionals (home != {} && (getOr true "enableNixosModule" (getOr {} "common" home))) [
|
] ++ (lib.optionals (home != {} && (getOr true "enableNixosModule" (getOr {} "common" home))) [
|
||||||
# only use NixOS HM module if same nixpkgs as system nixpkgs is used for user
|
# only use NixOS HM module if same nixpkgs as system nixpkgs is used for user
|
||||||
# why? because it seems that HM lacks the option to override pkgs, only change nixpkgs.* settings
|
# why? because it seems that HM lacks the option to override pkgs, only change nixpkgs.* settings
|
||||||
|
@ -147,10 +153,14 @@
|
||||||
nixpkgs = getOr { } "nixpkgs" (getOr { } "common" home);
|
nixpkgs = getOr { } "nixpkgs" (getOr { } "common" home);
|
||||||
nix = getOr { } "nix" (getOr { } "common" home);
|
nix = getOr { } "nix" (getOr { } "common" home);
|
||||||
}
|
}
|
||||||
({ pkgs, ...}: {
|
({ config, pkgs, lib, ...}: {
|
||||||
nixpkgs.overlays = [ overlay ];
|
nixpkgs.overlays = [ overlay ];
|
||||||
|
nix.package = lib.mkDefault pkgs.nixFlakes;
|
||||||
|
nix.extraOptions = ''
|
||||||
|
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
|
||||||
|
'';
|
||||||
})
|
})
|
||||||
(getPrivUser hostname username)
|
(getPrivUser (import nixpkgs { inherit system; }) hostname username)
|
||||||
];
|
];
|
||||||
}) (builtins.removeAttrs home [ "common" ]);
|
}) (builtins.removeAttrs home [ "common" ]);
|
||||||
}
|
}
|
||||||
|
@ -170,8 +180,9 @@
|
||||||
(lib.mapAttrsToList
|
(lib.mapAttrsToList
|
||||||
(hostname: sysConfig:
|
(hostname: sysConfig:
|
||||||
let
|
let
|
||||||
|
system = if sysConfig?system then sysConfig.system else "x86_64-linux";
|
||||||
common = builtins.removeAttrs (getOr { } "common" sysConfig.home) [ "nixpkgs" "enableNixosModule" ];
|
common = builtins.removeAttrs (getOr { } "common" sysConfig.home) [ "nixpkgs" "enableNixosModule" ];
|
||||||
pkgs = getOr (mkPkgs { system = if sysConfig?system then sysConfig.system else "x86_64-linux"; }) "pkgs" common;
|
pkgs = getOr (mkPkgs { inherit system; }) "pkgs" common;
|
||||||
common' = common // { inherit pkgs; };
|
common' = common // { inherit pkgs; };
|
||||||
in
|
in
|
||||||
lib.mapAttrsToList
|
lib.mapAttrsToList
|
||||||
|
@ -179,10 +190,13 @@
|
||||||
(user: homeConfig: {
|
(user: homeConfig: {
|
||||||
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
|
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
|
||||||
modules = homeConfig ++ [
|
modules = homeConfig ++ [
|
||||||
(getPrivUser hostname user)
|
(getPrivUser (import nixpkgs { inherit system; }) hostname user)
|
||||||
({ pkgs, ... }: {
|
({ config, pkgs, lib, ... }: {
|
||||||
nixpkgs.overlays = [ overlay ];
|
nixpkgs.overlays = [ overlay ];
|
||||||
nix.package = pkgs.nixFlakes;
|
nix.package = lib.mkDefault pkgs.nixFlakes;
|
||||||
|
nix.extraOptions = ''
|
||||||
|
plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
|
||||||
|
'';
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
});
|
});
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
mv .git .git.bak
|
|
|
@ -1,2 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
mv .git.bak .git
|
|
1
push.sh
1
push.sh
|
@ -1,4 +1,3 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
git push
|
git push
|
||||||
git push github master
|
git push github master
|
||||||
./postpush.sh
|
|
||||||
|
|
|
@ -1,15 +1,15 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
cp ~/.config/nixpkgs/overlays.nix ./overlays.nix || (mkdir -p ~/.config/nixpkgs && cp ./overlays.nix ~/.config/nixpkgs)
|
cp ~/.config/nixpkgs/overlays.nix ./overlays.nix || (mkdir -p ~/.config/nixpkgs && cp ./overlays.nix ~/.config/nixpkgs)
|
||||||
nix flake update
|
|
||||||
nvfetcher \
|
nvfetcher \
|
||||||
-o ./pkgs/_sources \
|
-o ./pkgs/_sources \
|
||||||
-c ./pkgs/nvfetcher.toml || echo "failed to update nvfetcher sources"
|
-c ./pkgs/nvfetcher.toml || echo "failed to update nvfetcher sources"
|
||||||
mozilla-addons-to-nix \
|
mozilla-addons-to-nix \
|
||||||
./pkgs/firefox-addons/addons.json \
|
./pkgs/firefox-addons/addons.json \
|
||||||
./pkgs/firefox-addons/generated.nix || echo "failed to update firefox addons"
|
./pkgs/firefox-addons/generated.nix || echo "failed to update firefox addons"
|
||||||
|
nix flake update
|
||||||
if [ -z ${SUDO_ASKPASS+x} ]; then
|
if [ -z ${SUDO_ASKPASS+x} ]; then
|
||||||
sudo nixos-rebuild switch --flake .
|
sudo nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
|
||||||
else
|
else
|
||||||
sudo -A nixos-rebuild switch --flake .
|
sudo -A nixos-rebuild switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
|
||||||
fi
|
fi
|
||||||
home-manager switch --flake .
|
home-manager switch --flake . --option extra-builtins-file "$(pwd)/extra-builtins.nix"
|
||||||
|
|
Loading…
Reference in a new issue