chayleaf/dotfiles
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

flake/secrets: move from /etc/nixos/private to /secrets/nixos

Browse source
This commit is contained in:
chayleaf 2023-12-25 04:13:25 +07:00
parent fc1c829d3a
commit 862d3cd691
Signed by: chayleaf
GPG key ID: 78171AD46227E68E
5 changed files with 5 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
extra-builtins.nix
View file

@ -1,11 +1,11 @@
{ exec, ... }: { { exec, ... }: {
secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] { secrets = exec [ "cat" "/secrets/nixos/default.nix" ] {
# compress and base64 the file to make it representable in nix, # compress and base64 the file to make it representable in nix,
# then decompress it back in a derivation (shouldn't there be a better way...) # then decompress it back in a derivation (shouldn't there be a better way...)
copyToStore = pkgs: name: path: copyToStore = pkgs: name: path:
let let
archive = exec [ "${pkgs.bash}/bin/bash" "-c" '' archive = exec [ "${pkgs.bash}/bin/bash" "-c" ''
cd /etc/nixos/private cd /secrets/nixos
echo '"'"$( echo '"'"$(
${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \ ${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \
--transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \ --transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \

2
flake.nix
View file

@ -81,7 +81,7 @@
# workaround for git flakes not having access to non-checked out files # workaround for git flakes not having access to non-checked out files
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
# yes, this is impure, this is a last ditch effort at getting access to secrets # yes, this is impure, this is a last ditch effort at getting access to secrets
else import /etc/nixos/private { }; else import /secrets/nixos { };
devPath = priv.devPath or ../.; devPath = priv.devPath or ../.;
inputs = builtins.mapAttrs inputs = builtins.mapAttrs
(name: input: (name: input:

2
system/hardware/bpi-r3/image.sh
View file

@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"
# secrets, we don't want to pass them via the store # secrets, we don't want to pass them via the store
run mkdir -p "$tmp/out/@/secrets" run mkdir -p "$tmp/out/@/secrets"
run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/" run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
run chmod -R 000 "$tmp/out/@/secrets" run chmod -R 000 "$tmp/out/@/secrets"
cpr "$rootfs/nix" "$tmp/out/@nix" cpr "$rootfs/nix" "$tmp/out/@nix"

1
system/hosts/nixmsi.nix
View file

@ -181,6 +181,5 @@
impermanence.directories = [ impermanence.directories = [
/secrets /secrets
/etc/nixos
]; ];
} }

5
system/hosts/server/home.nix
View file

@ -106,10 +106,7 @@ in {
nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ]; nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
# make sure only hydra has access to this file # make sure only hydra has access to this file
# so normal nix evals don't have access to builtins # so normal nix evals don't have access to builtins
nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix"; nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
impermanence.directories = lib.mkIf config.services.hydra.enable [
{ directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
];
nix.settings.allowed-uris = [ nix.settings.allowed-uris = [
# required for home-manager # required for home-manager
"https://git.sr.ht/~rycee/nmd/" "https://git.sr.ht/~rycee/nmd/"