Refactor secrets and add vpn
This commit is contained in:
parent
0f94b25ab8
commit
702651cd63
|
@ -32,14 +32,13 @@ in {
|
|||
bins = [ activateMode pkgs.git pkgs.nix-output-monitor ];
|
||||
} ''
|
||||
params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"]
|
||||
privatePath = "${configPath}/private"
|
||||
canaryPath = privatePath <> "/submodule-is-checked-out"
|
||||
|
||||
main = do
|
||||
say "Building ~/.modes for apollo"
|
||||
nixPath <- myNixPath "${configPath}"
|
||||
bracket (rm "-f" canaryPath) (\() -> git "-C" privatePath "restore" canaryPath) $ \() ->
|
||||
nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
|
||||
setEnv "WITH_SECRETS" "false"
|
||||
nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
|
||||
setEnv "WITH_SECRETS" "true"
|
||||
nix_build nixPath params
|
||||
activate_mode
|
||||
'';
|
||||
|
|
|
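Review bot: The new `setEnv "WITH_SECRETS" "false"` / `setEnv "WITH_SECRETS" "true"` pair changes the environment of every later command in this script, and nothing in the hunk says who consumes the variable; a comment above the first setEnv would help, e.g. `-- WITH_SECRETS is read by private.nix via builtins.getEnv during nix evaluation`. The same applies to the two setEnv lines in the update-system hunk below. As far as I know builtins.getEnv is only honoured by impure evaluation, so if either nix_build were later moved to pure/flake evaluation the toggle would silently stop working and private.nix would fall back to autodetecting the submodule. The Haskell heredoc this belongs to starts before the hunk.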
@ -5,14 +5,12 @@ in {
|
|||
name = "update-system";
|
||||
bins = [ nixos-rebuild pkgs.nix-output-monitor ];
|
||||
} ''
|
||||
privatePath = "${configPath}/private"
|
||||
canaryPath = privatePath <> "/submodule-is-checked-out"
|
||||
|
||||
main = do
|
||||
paths <- myNixPath "${configPath}"
|
||||
args <- getArgs
|
||||
bracket (rm "-f" canaryPath) (\() -> exe "/run/wrappers/bin/sudo" "-u" "maralorn" "git" "-C" privatePath "restore" canaryPath) $ \() -> do
|
||||
nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
|
||||
setEnv "WITH_SECRETS" "false"
|
||||
nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
|
||||
setEnv "WITH_SECRETS" "true"
|
||||
nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -1,12 +1,11 @@
|
|||
{ lib, config, pkgs, ... }:
|
||||
|
||||
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
||||
|
||||
let
|
||||
wireguard = import ../../../common/wireguard.nix;
|
||||
inherit (config.m-0) hosts prefix;
|
||||
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
||||
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
||||
vpn = (import ../../../private.nix).privateValue ({ ... }:{}) "vpn";
|
||||
in {
|
||||
|
||||
imports = [
|
||||
|
@ -16,6 +15,7 @@ in {
|
|||
../../roles/fonts.nix
|
||||
../../roles/boot-key.nix
|
||||
../../roles/standalone
|
||||
vpn
|
||||
];
|
||||
|
||||
networking = {
|
||||
|
|
|
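Review bot: The stub default `({ ... }:{})` passed to `privateValue` means a build without the private submodule silently omits the VPN module instead of failing, and the `vpn` entry in `imports` gives no hint of that. That looks intended, but it deserves a comment on the binding, e.g. `# private/vpn.nix must be a NixOS module; without secrets an empty module is imported and the VPN is simply absent`. The `../../../private.nix` path is resolved relative to this file, so the depth has to match the repo layout — not verifiable from this page.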
@ -4,12 +4,9 @@
|
|||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
# For nixos-rebuild
|
||||
nixpkgs.overlays = [
|
||||
(_: _:
|
||||
{
|
||||
withSecrets = false;
|
||||
} // (import ../../channels.nix).${config.networking.hostName})
|
||||
] ++ import ../../overlays { inherit lib; };
|
||||
nixpkgs.overlays =
|
||||
[ (_: _: (import ../../channels.nix).${config.networking.hostName}) ]
|
||||
++ import ../../overlays { inherit lib; };
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
|
@ -37,7 +34,8 @@
|
|||
(lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
|
||||
"nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
||||
"nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
||||
"nix-path/home-manager".source = pkgs.sources.${pkgs.home-manager-channel};
|
||||
"nix-path/home-manager".source =
|
||||
pkgs.sources.${pkgs.home-manager-channel};
|
||||
};
|
||||
variables =
|
||||
lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]
|
||||
|
|
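Review bot: The `# For nixos-rebuild` comment kept as context originally explained the `withSecrets = false` override that this hunk removes, so it now says nothing about the remaining channels-only overlay; drop it or reword it, e.g. `# Pin this host's channel set (see ../../channels.nix)`. With the override gone, whether nixos-rebuild evaluates with secrets is decided in private.nix by the WITH_SECRETS variable and the presence of the private submodule, which is worth stating here if that is the intent.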
|
@ -1,15 +0,0 @@
|
|||
{ withSecrets ? false }:
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
inherit (import sources.nixpkgs { }) lib pkgs;
|
||||
machines = lib.attrNames (builtins.readDir ./machines);
|
||||
getConfig = hostname:
|
||||
args:
|
||||
import (./machines + "/${hostname}/configuration.nix") (args // {
|
||||
bla = "fünf";
|
||||
});
|
||||
in lib.listToAttrs (map (hostname: {
|
||||
name = hostname;
|
||||
value =
|
||||
(import <nixpkgs/nixos> { configuration = getConfig hostname; }).system;
|
||||
}) machines)
|
|
@ -1,25 +1 @@
|
|||
final: prev:
|
||||
let
|
||||
# val = if prev.withSecrets then
|
||||
# assert builtins.pathExists ../private/submodule-is-checked-out; true
|
||||
# else
|
||||
# false;
|
||||
val = builtins.pathExists ../private/submodule-is-checked-out;
|
||||
in {
|
||||
withSecrets = builtins.trace
|
||||
(if val then "Building _with_ secrets!" else "Building _without_ secrets!")
|
||||
val;
|
||||
privatePath = name:
|
||||
let path = "/etc/nixos/private/${name}";
|
||||
in if final.withSecrets then
|
||||
assert builtins.pathExists path; path
|
||||
else
|
||||
path;
|
||||
privateValue = default: name:
|
||||
if final.withSecrets then import (../private + "/${name}.nix") else default;
|
||||
privateFile = name:
|
||||
if final.withSecrets then
|
||||
../private + "/${name}"
|
||||
else
|
||||
builtins.toFile "missing-secret-file-${name}" "";
|
||||
}
|
||||
_: _: import ../private.nix
|
||||
|
|
|
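Review bot: `_: _: import ../private.nix` re-exports every attribute of private.nix (`withSecrets`, `privatePath`, `privateValue`, `privateFile`) onto pkgs with no indication that this is the secrets overlay; a one-line comment would keep that discoverable, e.g. `# Secrets plumbing: exposes withSecrets/privatePath/privateValue/privateFile from ../private.nix on pkgs`. The trace and the submodule check that lived here now run inside private.nix, and its `./private` paths appear equivalent to the old `../private` ones only because private.nix sits one directory above this overlay — I cannot confirm the layout from here.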
@ -30,7 +30,7 @@ self: super: {
|
|||
import qualified Data.ByteString.Lazy as LBS
|
||||
import qualified Data.ByteString as BS
|
||||
import qualified Data.Text as Text
|
||||
import System.Environment (getArgs)
|
||||
import System.Environment (getArgs, setEnv)
|
||||
import Control.Exception (bracket, try)
|
||||
import Data.String.Interpolate (i)
|
||||
import Control.Concurrent.Async
|
||||
|
|
2
private
2
private
|
@ -1 +1 @@
|
|||
Subproject commit 1f4c554f98e245611d2136feeb7de185409238d7
|
||||
Subproject commit 13d520184d9bf013de34a6ef49d4e0bc1efc2d67
|
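--- /dev/null
+++ b/private.nix
@@ -0,0 +1,22 @@
+let
+privateExists = builtins.pathExists private/submodule-is-checked-out;
+explicitUsePrivate = builtins.getEnv "WITH_SECRETS" == "true";
+explicitNotUsePrivate = builtins.getEnv "WITH_SECRETS" == "false";
+usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);
+withSecrets = builtins.trace (if usePrivate then
+assert privateExists; "Building _with_ secrets!"
+else
+"Building _without_ secrets!") usePrivate;
+in {
+inherit withSecrets;
+privatePath = name:
+let path = "/etc/nixos/private/${name}";
+in if withSecrets then assert builtins.pathExists path; path else path;
+privateValue = default: name:
+if withSecrets then import (./private + "/${name}.nix") else default;
+privateFile = name:
+if withSecrets then
+./private + "/${name}"
+else
+builtins.toFile "missing-secret-file-${name}" "";
+}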
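Review bot: The precedence encoded in `usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);` is not obvious and is the security-relevant decision of this file, so it should be spelled out above that line, e.g. `# WITH_SECRETS=false always wins; WITH_SECRETS=true fails the build if the private submodule is missing; unset falls back to autodetecting the submodule`. I believe builtins.getEnv yields an empty string under pure evaluation, in which case both explicit flags are silently off and the autodetect branch decides alone — worth a sentence in that comment so a future switch to pure evaluation does not surprise anyone. `privatePath` still returns the `/etc/nixos/private/${name}` string even when withSecrets is false (carried over from the old overlay), so consumers get a path that is not checked to exist; documenting that on the function would help.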