flake/secrets: move from /etc/nixos/private to /secrets/nixos
This commit is contained in:
parent
fc1c829d3a
commit
e3ce6a92b1
@ -81,7 +81,7 @@
|
||||||
# workaround for git flakes not having access to non-checked out files
|
# workaround for git flakes not having access to non-checked out files
|
||||||
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
|
else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
|
||||||
# yes, this is impure, this is a last ditch effort at getting access to secrets
|
# yes, this is impure, this is a last ditch effort at getting access to secrets
|
||||||
else import /etc/nixos/private { };
|
else import /secrets/nixos { };
|
||||||
devPath = priv.devPath or ../.;
|
devPath = priv.devPath or ../.;
|
||||||
inputs = builtins.mapAttrs
|
inputs = builtins.mapAttrs
|
||||||
(name: input:
|
(name: input:
|
||||||
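Review bot: The new fallback `else import /secrets/nixos { };` fails with a low-level path error when the directory is absent on the evaluating machine, which hides that the host simply lacks the secrets tree; guarding it makes the failure actionable: `else if builtins.pathExists /secrets/nixos then import /secrets/nixos { } else throw "secrets: /secrets/nixos not found";`. The comment above it could also record what the path must provide, e.g. `# expects a directory with a default.nix accepting { }; must be readable by the user running the eval`. The same absolute path is spelled again in the wireguard-key copy and in extra-builtins-file in the other hunks, so a rename has to touch three files. The enclosing let/if chain starts outside the hunk.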
@ -86,7 +86,7 @@ run mkdir -p "$tmp/out/@/var/log"
|
||||||
|
|
||||||
# secrets, we don't want to pass them via the store
|
# secrets, we don't want to pass them via the store
|
||||||
run mkdir -p "$tmp/out/@/secrets"
|
run mkdir -p "$tmp/out/@/secrets"
|
||||||
run cp -v /etc/nixos/private/wireguard-key "$tmp/out/@/secrets/"
|
run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"
|
||||||
run chmod -R 000 "$tmp/out/@/secrets"
|
run chmod -R 000 "$tmp/out/@/secrets"
|
||||||
|
|
||||||
cpr "$rootfs/nix" "$tmp/out/@nix"
|
cpr "$rootfs/nix" "$tmp/out/@nix"
|
||||||
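Review bot: Between `run cp -v /secrets/nixos/wireguard-key "$tmp/out/@/secrets/"` and the `chmod -R 000` on the following line, the copied key carries whatever mode cp derives from the source file and the current umask, so it is briefly exposed to other local users unless `$tmp` is already private; creating it with its final mode closes that gap: `run install -m 000 /secrets/nixos/wireguard-key "$tmp/out/@/secrets/wireguard-key"`, keeping the `chmod -R 000` for the directory itself. Whether `$tmp` is created with a restrictive mode is decided outside the hunk, so this may already be covered; a one-line comment next to the mkdir stating that assumption (e.g. `# $tmp is created 0700 by mktemp -d above`) would make it explicit. `run` and `cpr` are helpers defined outside the hunk.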
@ -181,6 +181,5 @@
|
||||||
|
|
||||||
impermanence.directories = [
|
impermanence.directories = [
|
||||||
/secrets
|
/secrets
|
||||||
/etc/nixos
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
@ -106,10 +106,7 @@ in {
|
||||||
nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
|
nix.settings.allowed-users = [ "nix-serve" "harmonia" ] ++ lib.optionals config.services.hydra.enable [ "hydra" "hydra-www" ];
|
||||||
# make sure only hydra has access to this file
|
# make sure only hydra has access to this file
|
||||||
# so normal nix evals don't have access to builtins
|
# so normal nix evals don't have access to builtins
|
||||||
nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
|
nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";
|
||||||
impermanence.directories = lib.mkIf config.services.hydra.enable [
|
|
||||||
{ directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
|
|
||||||
];
|
|
||||||
nix.settings.allowed-uris = [
|
nix.settings.allowed-uris = [
|
||||||
# required for home-manager
|
# required for home-manager
|
||||||
"https://git.sr.ht/~rycee/nmd/"
|
"https://git.sr.ht/~rycee/nmd/"
|
||||||
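Review bot: The comment `# make sure only hydra has access to this file` above `nix.settings.extra-builtins-file = "/secrets/nixos/extra-builtins.nix";` is no longer backed by anything in the new code: the removed `impermanence.directories` entry was what pinned `/etc/nixos` to `user = "hydra"; group = "hydra"; mode = "0700";`, and nothing in this hunk (nor the plain `/secrets` entry in the impermanence list elsewhere in the commit) states owner or mode for `/secrets/nixos`. If the permissions are now enforced outside this module, the comment should say where, e.g. `# /secrets/nixos must be owned by hydra, mode 0700 — enforced by <placeholder: module or provisioning step>`; otherwise re-add the entry for the new path: `impermanence.directories = lib.mkIf config.services.hydra.enable [ { directory = /secrets/nixos; user = "hydra"; group = "hydra"; mode = "0700"; } ];`. Note that the flake's last-ditch fallback in another hunk does `import /secrets/nixos { }` directly, which presumably needs that directory readable by non-hydra evaluators, so the two intents should be reconciled. The enclosing attribute set continues outside the hunk.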