From e3ce6a92b18b88ee730bebfa703ba7717e42c3ba Mon Sep 17 00:00:00 2001
From: chayleaf
Date: Mon, 25 Dec 2023 04:13:25 +0700
Subject: [PATCH] flake/secrets: move from /etc/nixos/private to /secrets/nixos

---
 flake.nix | 2 +-
 system/hardware/bpi-r3/image.sh | 2 +-
 system/hosts/nixmsi.nix | 1 -
 system/hosts/server/home.nix | 5 +----
 4 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/flake.nix b/flake.nix
index 538ae4f..5878f84 100644
--- a/flake.nix
+++ b/flake.nix
@@ -81,7 +81,7 @@
 # workaround for git flakes not having access to non-checked out files
 else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
 # yes, this is impure, this is a last ditch effort at getting access to secrets
- else import /etc/nixos/private { };
+ else import /secrets/nixos { };
 devPath = priv.devPath or ../.;
 inputs = builtins.mapAttrs (name: input:
diff --git a/system/hardware/bpi-r3/image.sh b/system/hardware/bpi-r3/image.sh
index 8850127..1183e8b 100755
--- a/system/hardware/bpi-r3/image.sh
+++ b/system/hardware/bpi-r3/image.sh
@@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"
 # secrets, we don't want to pass them via the store
 run mkdir -p "$tmp/out/@/secrets"
-run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/"
+run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
 run chmod -R 000 "$tmp/out/@/secrets"
 cpr "$rootfs/nix" "$tmp/out/@nix"
diff --git a/system/hosts/nixmsi.nix b/system/hosts/nixmsi.nix
index 5475742..b524d43 100644
--- a/system/hosts/nixmsi.nix
+++ b/system/hosts/nixmsi.nix
@@ -181,6 +181,5 @@
 impermanence.directories = [
 /secrets
- /etc/nixos
 ];
 }
diff --git a/system/hosts/server/home.nix b/system/hosts/server/home.nix
index 4bc4c97..eea1204 100644
--- a/system/hosts/server/home.nix
+++ b/system/hosts/server/home.nix
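Review bot: The impure fallback on the added line now imports the same directory that image.sh copies `wireguard-key` out of, so `/secrets/nixos/default.nix` is evaluated with raw key material sitting next to it. As far as I know `import` of a path reads the file without adding it to the store, but any value returned by that default.nix that interpolates a sibling path into a string or derivation would copy it into the world-readable `/nix/store`, which is exactly what the image.sh comment says you want to avoid; whether that happens depends on the contents of default.nix, which are not visible here. A comment above the line, `# /secrets/nixos also holds raw key files; default.nix must only return eval-time values, never path references to its siblings`, would make that constraint explicit for the next edit. The surrounding `if`/`else` chain starts and ends outside the hunk.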
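Review bot: On the added line `cp -v` creates the key file with the build user's umask, and the `chmod -R 000` that locks it down only runs on the following line, so there is a short window in which `$tmp/out/@/secrets/wireguard-key` may be group- or world-readable; `$tmp/out/@/secrets` itself is also created by `mkdir -p` with the default mode. If `$tmp` can be a shared or predictable temp location, set `umask 077` earlier in the script so the directory and the copy are never created readable, and keep the `chmod -R 000` as the final state. What the `run` wrapper does with its arguments is not visible here. The comment above correctly keeps the key out of the store.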
@@ -106,10 +106,7 @@ in {
 nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
 # make sure only hydra has access to this file
 # so normal nix evals don't have access to builtins
- nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
- impermanence.directories = lib.mkIf config.services.hydra.enable [
- { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
- ];
+ nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
 nix.settings.allowed-uris = [
 # required for home-manager
 "https://git.sr.ht/~rycee/nmd/"
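Review bot: The removed `impermanence.directories` entry was the only visible thing backing the `# make sure only hydra has access to this file` comment above the changed line, since it persisted `/etc/nixos` as hydra-owned with mode 0700, and the new `/secrets/nixos/extra-builtins.nix` path gets no equivalent entry in this hunk, so the restriction the comment promises is no longer enforced by this file. If `/secrets/nixos` ownership, mode and persistence for the server host are handled elsewhere, the comment should say where; otherwise re-add the entry for the new location, e.g. `impermanence.directories = lib.mkIf config.services.hydra.enable [ { directory = /secrets/nixos; user = "hydra"; group = "hydra"; mode = "0700"; } ];`. Keep in mind that flake.nix's impure fallback and image.sh also read from `/secrets/nixos`, so whatever owner and mode you settle on must still work for those callers. The enclosing attribute set starts before the hunk.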