flake/secrets: move from /etc/nixos/private to /secrets/nixos

2023-12-25 04:13:25 +07:00 · 2023-12-25 04:13:25 +07:00 · 862d3cd691
parent fc1c829d3a
commit 862d3cd691
5 changed files with 5 additions and 9 deletions
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@ -1,11 +1,11 @@
 { exec, ... }: {
-  secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
+  secrets = exec [ "cat" "/secrets/nixos/default.nix" ] {
    # compress and base64 the file to make it representable in nix,
    # then decompress it back in a derivation (shouldn't there be a better way...)
    copyToStore = pkgs: name: path:
      let
        archive = exec [ "${pkgs.bash}/bin/bash" "-c" ''
-          cd /etc/nixos/private
+          cd /secrets/nixos
          echo '"'"$(
            ${pkgs.gnutar}/bin/tar -I ${pkgs.zstd}/bin/zstd --exclude-vcs \
              --transform='s#'${pkgs.lib.escapeShellArg path}'#!#' \
--- a/flake.nix
+++ b/flake.nix
@ -81,7 +81,7 @@
      # workaround for git flakes not having access to non-checked out files
      else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
      # yes, this is impure, this is a last ditch effort at getting access to secrets
-      else import /etc/nixos/private { };
+      else import /secrets/nixos { };
    devPath = priv.devPath or ../.;
    inputs = builtins.mapAttrs
      (name: input:
--- a/system/hardware/bpi-r3/image.sh
+++ b/system/hardware/bpi-r3/image.sh
@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"

 # secrets, we don't want to pass them via the store
 run mkdir -p "$tmp/out/@/secrets"
-run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/"
+run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
 run chmod -R 000 "$tmp/out/@/secrets"

 cpr "$rootfs/nix" "$tmp/out/@nix"
--- a/system/hosts/nixmsi.nix
+++ b/system/hosts/nixmsi.nix
@ -181,6 +181,5 @@

  impermanence.directories = [
    /secrets
-    /etc/nixos
  ];
 }
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
@ -106,10 +106,7 @@ in {
  nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
  # make sure only hydra has access to this file
  # so normal nix evals don't have access to builtins
-  nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
-  impermanence.directories = lib.mkIf config.services.hydra.enable [
-    { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
-  ];
+  nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
  nix.settings.allowed-uris = [
    # required for home-manager
    "https://git.sr.ht/~rycee/nmd/"