From 702651cd63b62dce07af164edb89187305d19270 Mon Sep 17 00:00:00 2001
From: Malte Brandy
Date: Wed, 16 Dec 2020 19:26:20 +0100
Subject: [PATCH] Refactor secrets and add vpn

---
 home-manager/roles/laptop.nix | 7 +++----
 lib/update-system.nix | 8 +++-----
 nixos/machines/apollo/configuration.nix | 4 ++--
 nixos/roles/default.nix | 12 +++++-------
 nixos/target.nix | 15 --------------
 overlays/private.nix | 26 +------------------------
 overlays/writeHaskellScript.nix | 2 +-
 private | 2 +-
 private.nix | 22 +++++++++++++++++++++
 9 files changed, 38 insertions(+), 60 deletions(-)
 delete mode 100644 nixos/target.nix
 create mode 100644 private.nix

diff --git a/home-manager/roles/laptop.nix b/home-manager/roles/laptop.nix
index 96e6edb1..3930e607 100644
--- a/home-manager/roles/laptop.nix
+++ b/home-manager/roles/laptop.nix
@@ -32,14 +32,13 @@ in {
       bins = [ activateMode pkgs.git pkgs.nix-output-monitor ];
     } ''
     params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"]
-    privatePath = "${configPath}/private"
-    canaryPath = privatePath <> "/submodule-is-checked-out"
     main = do
       say "Building ~/.modes for apollo"
       nixPath <- myNixPath "${configPath}"
-      bracket (rm "-f" canaryPath) (\() -> git "-C" privatePath "restore" canaryPath) $ \() ->
-        nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
+      setEnv "WITH_SECRETS" "false"
+      nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
+      setEnv "WITH_SECRETS" "true"
       nix_build nixPath params
       activate_mode
   '';
diff --git a/lib/update-system.nix b/lib/update-system.nix
index 6accc27a..3a1d2b45 100644
--- a/lib/update-system.nix
+++ b/lib/update-system.nix
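Review bot: The two `setEnv` calls around the first `nix_build` now carry the whole secrets-handling contract of this script, but nothing states why the build that uses `remoteBuildParams` runs with `WITH_SECRETS` set to "false" and only the local one with "true"; a comment above the first `setEnv`, such as `-- first pass without secrets (presumably so remote builders never receive secret inputs), second pass locally with secrets`, would make the intent reviewable. The same applies to the parallel change in lib/update-system.nix in the next hunk. Since the flag travels only through the environment, a caller that skips the first `setEnv`, or an evaluation in pure mode where `builtins.getEnv` yields the empty string, silently falls back to private.nix's submodule-exists default; the comment should mention that there is no error in that case. The Haskell script body begins and ends outside this hunk.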
@@ -5,14 +5,12 @@ in {
     name = "update-system";
     bins = [ nixos-rebuild pkgs.nix-output-monitor ];
   } ''
-  privatePath = "${configPath}/private"
-  canaryPath = privatePath <> "/submodule-is-checked-out"
-
   main = do
     paths <- myNixPath "${configPath}"
     args <- getArgs
-    bracket (rm "-f" canaryPath) (\() -> exe "/run/wrappers/bin/sudo" "-u" "maralorn" "git" "-C" privatePath "restore" canaryPath) $ \() -> do
-      nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
+    setEnv "WITH_SECRETS" "false"
+    nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
+    setEnv "WITH_SECRETS" "true"
     nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom
   '';
 }
diff --git a/nixos/machines/apollo/configuration.nix b/nixos/machines/apollo/configuration.nix
index e34d1830..41f32f0f 100644
--- a/nixos/machines/apollo/configuration.nix
+++ b/nixos/machines/apollo/configuration.nix
@@ -1,12 +1,11 @@
 { lib, config, pkgs, ... }:
-# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
-
 let
   wireguard = import ../../../common/wireguard.nix;
   inherit (config.m-0) hosts prefix;
   nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
   inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
+  vpn = (import ../../../private.nix).privateValue ({ ... }:{}) "vpn";
 in {
   imports = [
@@ -16,6 +15,7 @@ in {
     ../../roles/fonts.nix
     ../../roles/boot-key.nix
     ../../roles/standalone
+    vpn
   ];
   networking = {
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index ea18e21e..00ee23dc 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
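Review bot: The new `vpn` binding falls back to `({ ... }:{})` when `privateValue` decides secrets are unavailable, so a build without the private submodule quietly yields a system with no VPN configuration at all rather than failing; a comment above the binding such as `# the vpn module lives in the private submodule; without secrets an empty module is imported so the build still succeeds` would make that trade-off explicit for the next reader. The same hunk drops the note about per-user `pw-files` being required for login; if that requirement still holds it should be moved rather than removed. Whether anything else asserts on the VPN options when the empty module is used cannot be seen from this hunk.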
@@ -4,12 +4,9 @@
   i18n.defaultLocale = "en_US.UTF-8";
   # For nixos-rebuild
-  nixpkgs.overlays = [
-    (_: _:
-      {
-        withSecrets = false;
-      } // (import ../../channels.nix).${config.networking.hostName})
-  ] ++ import ../../overlays { inherit lib; };
+  nixpkgs.overlays =
+    [ (_: _: (import ../../channels.nix).${config.networking.hostName}) ]
+    ++ import ../../overlays { inherit lib; };
   time.timeZone = "Europe/Berlin";
@@ -37,7 +34,8 @@
     (lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
       "nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
       "nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
-      "nix-path/home-manager".source = pkgs.sources.${pkgs.home-manager-channel};
+      "nix-path/home-manager".source =
+        pkgs.sources.${pkgs.home-manager-channel};
     };
   variables = lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]
diff --git a/nixos/target.nix b/nixos/target.nix
deleted file mode 100644
index d8d1edb4..00000000
--- a/nixos/target.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ withSecrets ? false }:
-let
-  sources = import ../nix/sources.nix;
-  inherit (import sources.nixpkgs { }) lib pkgs;
-  machines = lib.attrNames (builtins.readDir ./machines);
-  getConfig = hostname:
-    args:
-    import (./machines + "/${hostname}/configuration.nix") (args // {
-      bla = "fünf";
-    });
-in lib.listToAttrs (map (hostname: {
-  name = hostname;
-  value =
-    (import { configuration = getConfig hostname; }).system;
-}) machines)
diff --git a/overlays/private.nix b/overlays/private.nix
index d33a56da..e8c2730e 100644
--- a/overlays/private.nix
+++ b/overlays/private.nix
@@ -1,25 +1 @@
-final: prev:
-let
-# val = if prev.withSecrets then
-#   assert builtins.pathExists ../private/submodule-is-checked-out; true
-# else
-#   false;
-val = builtins.pathExists ../private/submodule-is-checked-out;
-in {
-  withSecrets = builtins.trace
-    (if val then "Building _with_ secrets!" else "Building _without_ secrets!")
-    val;
-  privatePath = name:
-    let path = "/etc/nixos/private/${name}";
-    in if final.withSecrets then
-      assert builtins.pathExists path; path
-    else
-      path;
-  privateValue = default: name:
-    if final.withSecrets then import (../private + "/${name}.nix") else default;
-  privateFile = name:
-    if final.withSecrets then
-      ../private + "/${name}"
-    else
-      builtins.toFile "missing-secret-file-${name}" "";
-}
+_: _: import ../private.nix
diff --git a/overlays/writeHaskellScript.nix b/overlays/writeHaskellScript.nix
index 75444569..e81ef4e6 100644
--- a/overlays/writeHaskellScript.nix
+++ b/overlays/writeHaskellScript.nix
@@ -30,7 +30,7 @@ self: super: {
         import qualified Data.ByteString.Lazy as LBS
         import qualified Data.ByteString as BS
         import qualified Data.Text as Text
-        import System.Environment (getArgs)
+        import System.Environment (getArgs, setEnv)
         import Control.Exception (bracket, try)
         import Data.String.Interpolate (i)
         import Control.Concurrent.Async
diff --git a/private b/private
index 1f4c554f..13d52018 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit 1f4c554f98e245611d2136feeb7de185409238d7
+Subproject commit 13d520184d9bf013de34a6ef49d4e0bc1efc2d67
diff --git a/private.nix b/private.nix
new file mode 100644
index 00000000..5c7d75d5
--- /dev/null
+++ b/private.nix
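Review bot: The overlay is now a one-liner that ignores both `final` and `prev`, and nothing tells the reader that the helpers it used to define (`withSecrets`, `privatePath`, `privateValue`, `privateFile`) now live in ../private.nix and are also imported directly by machine configurations; a comment such as `# Secrets helpers are defined in ../private.nix so they can be used outside the overlay too; this overlay only re-exports them as pkgs attributes.` would preserve that knowledge. Because the helpers in private.nix close over their own `withSecrets` binding rather than `final.withSecrets`, a later overlay overriding `pkgs.withSecrets` no longer changes what `privatePath`/`privateValue`/`privateFile` do, unlike the removed code; if that is intended, the same comment should say so.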
@@ -0,0 +1,22 @@
+let
+  privateExists = builtins.pathExists private/submodule-is-checked-out;
+  explicitUsePrivate = builtins.getEnv "WITH_SECRETS" == "true";
+  explicitNotUsePrivate = builtins.getEnv "WITH_SECRETS" == "false";
+  usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);
+  withSecrets = builtins.trace (if usePrivate then
+    assert privateExists; "Building _with_ secrets!"
+  else
+    "Building _without_ secrets!") usePrivate;
+in {
+  inherit withSecrets;
+  privatePath = name:
+    let path = "/etc/nixos/private/${name}";
+    in if withSecrets then assert builtins.pathExists path; path else path;
+  privateValue = default: name:
+    if withSecrets then import (./private + "/${name}.nix") else default;
+  privateFile = name:
+    if withSecrets then
+      ./private + "/${name}"
+    else
+      builtins.toFile "missing-secret-file-${name}" "";
+}
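Review bot: `builtins.getEnv` returns the empty string under pure evaluation, so in that mode both `explicitUsePrivate` and `explicitNotUsePrivate` are false and `usePrivate` reduces to `privateExists`; the `WITH_SECRETS=false` that the build scripts in this patch appear to rely on to keep secrets out of the remote build would then be ignored without any error. A comment on the `explicitUsePrivate` line, `# WITH_SECRETS is read via getEnv and is silently empty in pure evaluation mode; the fallback is then privateExists`, would make that visible. The two file helpers also differ in a way worth documenting: `privateFile` returns a path under ./private, and a path used as a derivation input is copied into the world-readable Nix store, whereas `privatePath` deliberately returns a plain string under /etc/nixos/private that is never copied and is read at runtime; a short comment above each, e.g. `# privateFile: contents end up in /nix/store (world-readable)` and `# privatePath: string only, resolved at runtime from /etc/nixos/private`, would help callers choose correctly.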