flake/secrets: move from /etc/nixos/private to /secrets/nixos

This commit is contained in:
chayleaf 2023-12-25 04:13:25 +07:00
parent fc1c829d3a
commit e3ce6a92b1
Signed by: chayleaf
GPG key ID: 78171AD46227E68E
4 changed files with 3 additions and 7 deletions


@ -81,7 +81,7 @@
# workaround for git flakes not having access to non-checked out files # workaround for git flakes not having access to non-checked out files
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
# yes, this is impure, this is a last ditch effort at getting access to secrets # yes, this is impure, this is a last ditch effort at getting access to secrets
else import /etc/nixos/private { }; else import /secrets/nixos { };
devPath = priv.devPath or ../.; devPath = priv.devPath or ../.;
inputs = builtins.mapAttrs inputs = builtins.mapAttrs
(name: input: (name: input:
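Review bot: The comment above the impure `import` on the changed line still only says "this is impure" and does not record what `/secrets/nixos` is expected to hold or who is expected to be able to read it, although this commit makes the same path load-bearing in the installer script and in the hydra `extra-builtins-file` setting as well. Since the literal is now repeated in three files with no single definition, a short comment here would help the next person who moves it again, e.g. `# /secrets/nixos is the out-of-store secrets directory; the installer script and the hydra extra-builtins-file use the same path`. The `if`/`else` chain and the enclosing `let` binding that this fallback belongs to begin before the hunk.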


@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"
# secrets, we don't want to pass them via the store # secrets, we don't want to pass them via the store
run mkdir -p "$tmp/out/@/secrets" run mkdir -p "$tmp/out/@/secrets"
run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/" run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
run chmod -R 000 "$tmp/out/@/secrets" run chmod -R 000 "$tmp/out/@/secrets"
cpr "$rootfs/nix" "$tmp/out/@nix" cpr "$rootfs/nix" "$tmp/out/@nix"
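Review bot: On the changed `cp -v` line the key is written into `$tmp/out/@/secrets/` with a mode derived from the current umask, and the directory itself comes from a plain `mkdir -p` on the line above, so the key can be readable by other local users for the window until `chmod -R 000` runs on the following line. Whether `$tmp` is already created with restrictive permissions is not visible in this hunk; if it is not, setting `umask 077` before these lines, or copying with `run cp -v --preserve=mode /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"` when the source is already root-only, closes that window. The `-v` flag only echoes the source and destination paths, not the key, so it is fine to keep. The script body continues outside the hunk on both sides.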


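--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -181,6 +181,5 @@
 impermanence.directories = [
 /secrets
-/etc/nixos
 ];
 }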


@ -106,10 +106,7 @@ in {
nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ]; nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
# make sure only hydra has access to this file # make sure only hydra has access to this file
# so normal nix evals don't have access to builtins # so normal nix evals don't have access to builtins
nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix"; nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
impermanence.directories = lib.mkIf config.services.hydra.enable [
{ directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
];
nix.settings.allowed-uris = [ nix.settings.allowed-uris = [
# required for home-manager # required for home-manager
"https://git.sr.ht/~rycee/nmd/" "https://git.sr.ht/~rycee/nmd/"
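Review bot: The comment "make sure only hydra has access to this file" above the changed `extra-builtins-file` line is no longer backed by any declaration in this commit: the removed `impermanence.directories` entry was what pinned the containing directory to `user = "hydra"; group = "hydra"; mode = "0700"`, and nothing equivalent is added for `/secrets/nixos`. The bare `/secrets` entry kept in the other file persists the tree but states no owner or mode, so unless permissions on `/secrets/nixos` are enforced elsewhere, normal users may be able to read the extra-builtins file that this comment says they must not. Restoring the entry with the new path, `impermanence.directories = lib.mkIf config.services.hydra.enable [ { directory = /secrets/nixos; user = "hydra"; group = "hydra"; mode = "0700"; } ];`, would keep the comment true; note that a hydra-only 0700 directory would then also be the fallback `import /secrets/nixos { }` path used by the flake, which presumably runs as other users, so the two uses may want separate subdirectories. The enclosing `in {` attribute set continues outside the hunk.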