Refactor secrets and add vpn
This commit is contained in:
parent
0f94b25ab8
commit
702651cd63
|
@ -32,14 +32,13 @@ in {
|
||||||
bins = [ activateMode pkgs.git pkgs.nix-output-monitor ];
|
bins = [ activateMode pkgs.git pkgs.nix-output-monitor ];
|
||||||
} ''
|
} ''
|
||||||
params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"]
|
params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"]
|
||||||
privatePath = "${configPath}/private"
|
|
||||||
canaryPath = privatePath <> "/submodule-is-checked-out"
|
|
||||||
|
|
||||||
main = do
|
main = do
|
||||||
say "Building ~/.modes for apollo"
|
say "Building ~/.modes for apollo"
|
||||||
nixPath <- myNixPath "${configPath}"
|
nixPath <- myNixPath "${configPath}"
|
||||||
bracket (rm "-f" canaryPath) (\() -> git "-C" privatePath "restore" canaryPath) $ \() ->
|
setEnv "WITH_SECRETS" "false"
|
||||||
nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
|
nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
|
||||||
|
setEnv "WITH_SECRETS" "true"
|
||||||
nix_build nixPath params
|
nix_build nixPath params
|
||||||
activate_mode
|
activate_mode
|
||||||
'';
|
'';
|
||||||
|
|
|
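Review bot: Replacing the canary `bracket` with `setEnv "WITH_SECRETS" "false"` turns the no-secrets remote build into a fail-open gate: the canary's absence made secrets physically unreachable, whereas the new private.nix falls back to `privateExists` whenever the variable does not reach the evaluator (`builtins.getEnv` returns `""` under pure/restricted evaluation), so a lost variable would quietly evaluate the remote derivation with secrets present. The intent deserves a comment at the first `setEnv`, e.g. `-- Remote build must not see secrets; WITH_SECRETS=false is honoured only if it reaches the nix evaluator (see private.nix), otherwise submodule presence decides.` Checking the trace line private.nix emits ("Building _without_ secrets!") in the remote build's output would make the gate verifiable rather than assumed. The update-system hunk below has the same pattern; `main` continues outside this hunk.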
@ -5,14 +5,12 @@ in {
|
||||||
name = "update-system";
|
name = "update-system";
|
||||||
bins = [ nixos-rebuild pkgs.nix-output-monitor ];
|
bins = [ nixos-rebuild pkgs.nix-output-monitor ];
|
||||||
} ''
|
} ''
|
||||||
privatePath = "${configPath}/private"
|
|
||||||
canaryPath = privatePath <> "/submodule-is-checked-out"
|
|
||||||
|
|
||||||
main = do
|
main = do
|
||||||
paths <- myNixPath "${configPath}"
|
paths <- myNixPath "${configPath}"
|
||||||
args <- getArgs
|
args <- getArgs
|
||||||
bracket (rm "-f" canaryPath) (\() -> exe "/run/wrappers/bin/sudo" "-u" "maralorn" "git" "-C" privatePath "restore" canaryPath) $ \() -> do
|
setEnv "WITH_SECRETS" "false"
|
||||||
nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
|
nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
|
||||||
|
setEnv "WITH_SECRETS" "true"
|
||||||
nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom
|
nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,12 +1,11 @@
|
||||||
{ lib, config, pkgs, ... }:
|
{ lib, config, pkgs, ... }:
|
||||||
|
|
||||||
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
|
||||||
|
|
||||||
let
|
let
|
||||||
wireguard = import ../../../common/wireguard.nix;
|
wireguard = import ../../../common/wireguard.nix;
|
||||||
inherit (config.m-0) hosts prefix;
|
inherit (config.m-0) hosts prefix;
|
||||||
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
|
||||||
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
|
||||||
|
vpn = (import ../../../private.nix).privateValue ({ ... }:{}) "vpn";
|
||||||
in {
|
in {
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -16,6 +15,7 @@ in {
|
||||||
../../roles/fonts.nix
|
../../roles/fonts.nix
|
||||||
../../roles/boot-key.nix
|
../../roles/boot-key.nix
|
||||||
../../roles/standalone
|
../../roles/standalone
|
||||||
|
vpn
|
||||||
];
|
];
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
|
|
@ -4,12 +4,9 @@
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
# For nixos-rebuild
|
# For nixos-rebuild
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays =
|
||||||
(_: _:
|
[ (_: _: (import ../../channels.nix).${config.networking.hostName}) ]
|
||||||
{
|
++ import ../../overlays { inherit lib; };
|
||||||
withSecrets = false;
|
|
||||||
} // (import ../../channels.nix).${config.networking.hostName})
|
|
||||||
] ++ import ../../overlays { inherit lib; };
|
|
||||||
|
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
|
@ -37,7 +34,8 @@
|
||||||
(lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
|
(lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
|
||||||
"nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
"nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
||||||
"nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
"nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
|
||||||
"nix-path/home-manager".source = pkgs.sources.${pkgs.home-manager-channel};
|
"nix-path/home-manager".source =
|
||||||
|
pkgs.sources.${pkgs.home-manager-channel};
|
||||||
};
|
};
|
||||||
variables =
|
variables =
|
||||||
lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]
|
lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
{ withSecrets ? false }:
|
|
||||||
let
|
|
||||||
sources = import ../nix/sources.nix;
|
|
||||||
inherit (import sources.nixpkgs { }) lib pkgs;
|
|
||||||
machines = lib.attrNames (builtins.readDir ./machines);
|
|
||||||
getConfig = hostname:
|
|
||||||
args:
|
|
||||||
import (./machines + "/${hostname}/configuration.nix") (args // {
|
|
||||||
bla = "fünf";
|
|
||||||
});
|
|
||||||
in lib.listToAttrs (map (hostname: {
|
|
||||||
name = hostname;
|
|
||||||
value =
|
|
||||||
(import <nixpkgs/nixos> { configuration = getConfig hostname; }).system;
|
|
||||||
}) machines)
|
|
|
@ -1,25 +1 @@
|
||||||
final: prev:
|
_: _: import ../private.nix
|
||||||
let
|
|
||||||
# val = if prev.withSecrets then
|
|
||||||
# assert builtins.pathExists ../private/submodule-is-checked-out; true
|
|
||||||
# else
|
|
||||||
# false;
|
|
||||||
val = builtins.pathExists ../private/submodule-is-checked-out;
|
|
||||||
in {
|
|
||||||
withSecrets = builtins.trace
|
|
||||||
(if val then "Building _with_ secrets!" else "Building _without_ secrets!")
|
|
||||||
val;
|
|
||||||
privatePath = name:
|
|
||||||
let path = "/etc/nixos/private/${name}";
|
|
||||||
in if final.withSecrets then
|
|
||||||
assert builtins.pathExists path; path
|
|
||||||
else
|
|
||||||
path;
|
|
||||||
privateValue = default: name:
|
|
||||||
if final.withSecrets then import (../private + "/${name}.nix") else default;
|
|
||||||
privateFile = name:
|
|
||||||
if final.withSecrets then
|
|
||||||
../private + "/${name}"
|
|
||||||
else
|
|
||||||
builtins.toFile "missing-secret-file-${name}" "";
|
|
||||||
}
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ self: super: {
|
||||||
import qualified Data.ByteString.Lazy as LBS
|
import qualified Data.ByteString.Lazy as LBS
|
||||||
import qualified Data.ByteString as BS
|
import qualified Data.ByteString as BS
|
||||||
import qualified Data.Text as Text
|
import qualified Data.Text as Text
|
||||||
import System.Environment (getArgs)
|
import System.Environment (getArgs, setEnv)
|
||||||
import Control.Exception (bracket, try)
|
import Control.Exception (bracket, try)
|
||||||
import Data.String.Interpolate (i)
|
import Data.String.Interpolate (i)
|
||||||
import Control.Concurrent.Async
|
import Control.Concurrent.Async
|
||||||
|
|
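--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit 1f4c554f98e245611d2136feeb7de185409238d7
+Subproject commit 13d520184d9bf013de34a6ef49d4e0bc1efc2d67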
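--- /dev/null
+++ b/private.nix
@@ -0,0 +1,22 @@
+let
+privateExists = builtins.pathExists private/submodule-is-checked-out;
+explicitUsePrivate = builtins.getEnv "WITH_SECRETS" == "true";
+explicitNotUsePrivate = builtins.getEnv "WITH_SECRETS" == "false";
+usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);
+withSecrets = builtins.trace (if usePrivate then
+assert privateExists; "Building _with_ secrets!"
+else
+"Building _without_ secrets!") usePrivate;
+in {
+inherit withSecrets;
+privatePath = name:
+let path = "/etc/nixos/private/${name}";
+in if withSecrets then assert builtins.pathExists path; path else path;
+privateValue = default: name:
+if withSecrets then import (./private + "/${name}.nix") else default;
+privateFile = name:
+if withSecrets then
+./private + "/${name}"
+else
+builtins.toFile "missing-secret-file-${name}" "";
+}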
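Review bot: `explicitUsePrivate` and `explicitNotUsePrivate` compare `WITH_SECRETS` exactly against `"true"` and `"false"`, so any other spelling (`1`, `TRUE`, a stray space) matches neither and `usePrivate` silently falls back to `privateExists` — the opposite of what a caller who set the variable to exclude secrets intended. Rejecting unrecognised values keeps that case fail-closed: `usePrivate = assert builtins.elem (builtins.getEnv "WITH_SECRETS") [ "" "true" "false" ]; !explicitNotUsePrivate && (explicitUsePrivate || privateExists);`. A short header comment should also spell out the precedence (`false` wins, then `true` which asserts the submodule is present, otherwise submodule presence decides) and note that `privatePath` deliberately returns a string rather than a path, presumably so the secret is referenced from `/etc/nixos/private` at runtime instead of being copied into the world-readable store, while `privateFile` does copy — readers otherwise see the two as an inconsistency.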