
Refactor secrets and add vpn

This commit is contained in:
Malte Brandy 2020-12-16 19:26:20 +01:00
parent 0f94b25ab8
commit 702651cd63
No known key found for this signature in database
GPG key ID: 226A2D41EF5378C9
9 changed files with 38 additions and 60 deletions


@ -32,14 +32,13 @@ in {
bins = [ activateMode pkgs.git pkgs.nix-output-monitor ]; bins = [ activateMode pkgs.git pkgs.nix-output-monitor ];
} '' } ''
params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"] params = ["${configPath}/home-manager/target.nix", "-A", "apollo", "-o", "/home/maralorn/.modes"]
privatePath = "${configPath}/private"
canaryPath = privatePath <> "/submodule-is-checked-out"
main = do main = do
say "Building ~/.modes for apollo" say "Building ~/.modes for apollo"
nixPath <- myNixPath "${configPath}" nixPath <- myNixPath "${configPath}"
bracket (rm "-f" canaryPath) (\() -> git "-C" privatePath "restore" canaryPath) $ \() -> setEnv "WITH_SECRETS" "false"
nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom nix_build nixPath (params ++ remoteBuildParams) &!> StdOut |> nom
setEnv "WITH_SECRETS" "true"
nix_build nixPath params nix_build nixPath params
activate_mode activate_mode
''; '';
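Review bot: The `setEnv "WITH_SECRETS" "false"` on the line that replaces the `bracket`/`rm -f canaryPath` call is now the only thing keeping the private submodule out of the remote pre-build, and the new private.nix in this commit defaults to using secrets whenever `private/submodule-is-checked-out` exists, so a mistyped variable name or value would silently fall back to shipping the private tree to the remote builder. The intent is not visible in the script; a comment such as `-- WITH_SECRETS=false: keep private/ out of the remote pre-build (see private.nix)` above the first `nix_build` would make the dependency explicit, and the `setEnv "WITH_SECRETS" "true"` line could say why the local build re-enables it. The same applies to the update-system hunk below, which follows the identical pattern.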


@ -5,14 +5,12 @@ in {
name = "update-system"; name = "update-system";
bins = [ nixos-rebuild pkgs.nix-output-monitor ]; bins = [ nixos-rebuild pkgs.nix-output-monitor ];
} '' } ''
privatePath = "${configPath}/private"
canaryPath = privatePath <> "/submodule-is-checked-out"
main = do main = do
paths <- myNixPath "${configPath}" paths <- myNixPath "${configPath}"
args <- getArgs args <- getArgs
bracket (rm "-f" canaryPath) (\() -> exe "/run/wrappers/bin/sudo" "-u" "maralorn" "git" "-C" privatePath "restore" canaryPath) $ \() -> do setEnv "WITH_SECRETS" "false"
nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom nix_build (paths ++ buildSystemParams ++ ["--no-out-link"] ++ remoteBuildParams ++ fmap toString args) &!> StdOut |> nom
setEnv "WITH_SECRETS" "true"
nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom nixos_rebuild (paths ++ ["switch"] ++ fmap toString args) &!> StdOut |> nom
''; '';
} }


@ -1,12 +1,11 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
let let
wireguard = import ../../../common/wireguard.nix; wireguard = import ../../../common/wireguard.nix;
inherit (config.m-0) hosts prefix; inherit (config.m-0) hosts prefix;
nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware; nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing; inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
vpn = (import ../../../private.nix).privateValue ({ ... }:{}) "vpn";
in { in {
imports = [ imports = [
@ -16,6 +15,7 @@ in {
../../roles/fonts.nix ../../roles/fonts.nix
../../roles/boot-key.nix ../../roles/boot-key.nix
../../roles/standalone ../../roles/standalone
vpn
]; ];
networking = { networking = {
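Review bot: The comment removed after the `{ lib, config, pkgs, ... }:` line documented that login needs a pw-file per configured user under `./secret/pw-useralias`, and nothing in this hunk replaces it. If that prerequisite still holds (presumably now inside the private submodule), it should be restated near the new `vpn = (import ../../../private.nix).privateValue ({ ... }:{}) "vpn";` line, which also deserves a note that the default `({ ... }:{})` makes a build without secrets silently omit the VPN module rather than fail, e.g. `# Without secrets the vpn module is an empty module: the system evaluates but has no VPN.`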


@ -4,12 +4,9 @@
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
# For nixos-rebuild # For nixos-rebuild
nixpkgs.overlays = [ nixpkgs.overlays =
(_: _: [ (_: _: (import ../../channels.nix).${config.networking.hostName}) ]
{ ++ import ../../overlays { inherit lib; };
withSecrets = false;
} // (import ../../channels.nix).${config.networking.hostName})
] ++ import ../../overlays { inherit lib; };
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
@ -37,7 +34,8 @@
(lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // { (lib.filterAttrs (name: value: name != "__functor") pkgs.sources) // {
"nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel}; "nix-path/nixos".source = pkgs.sources.${pkgs.nixpkgs-channel};
"nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel}; "nix-path/nixpkgs".source = pkgs.sources.${pkgs.nixpkgs-channel};
"nix-path/home-manager".source = pkgs.sources.${pkgs.home-manager-channel}; "nix-path/home-manager".source =
pkgs.sources.${pkgs.home-manager-channel};
}; };
variables = variables =
lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ] lib.genAttrs [ "CURL_CA_BUNDLE" "GIT_SSL_CAINFO" "SSL_CERT_FILE" ]


@ -1,15 +0,0 @@
{ withSecrets ? false }:
let
sources = import ../nix/sources.nix;
inherit (import sources.nixpkgs { }) lib pkgs;
machines = lib.attrNames (builtins.readDir ./machines);
getConfig = hostname:
args:
import (./machines + "/${hostname}/configuration.nix") (args // {
bla = "fünf";
});
in lib.listToAttrs (map (hostname: {
name = hostname;
value =
(import <nixpkgs/nixos> { configuration = getConfig hostname; }).system;
}) machines)


@ -1,25 +1 @@
final: prev: _: _: import ../private.nix
let
# val = if prev.withSecrets then
# assert builtins.pathExists ../private/submodule-is-checked-out; true
# else
# false;
val = builtins.pathExists ../private/submodule-is-checked-out;
in {
withSecrets = builtins.trace
(if val then "Building _with_ secrets!" else "Building _without_ secrets!")
val;
privatePath = name:
let path = "/etc/nixos/private/${name}";
in if final.withSecrets then
assert builtins.pathExists path; path
else
path;
privateValue = default: name:
if final.withSecrets then import (../private + "/${name}.nix") else default;
privateFile = name:
if final.withSecrets then
../private + "/${name}"
else
builtins.toFile "missing-secret-file-${name}" "";
}


@ -30,7 +30,7 @@ self: super: {
import qualified Data.ByteString.Lazy as LBS import qualified Data.ByteString.Lazy as LBS
import qualified Data.ByteString as BS import qualified Data.ByteString as BS
import qualified Data.Text as Text import qualified Data.Text as Text
import System.Environment (getArgs) import System.Environment (getArgs, setEnv)
import Control.Exception (bracket, try) import Control.Exception (bracket, try)
import Data.String.Interpolate (i) import Data.String.Interpolate (i)
import Control.Concurrent.Async import Control.Concurrent.Async

@ -1 +1 @@
Subproject commit 1f4c554f98e245611d2136feeb7de185409238d7 Subproject commit 13d520184d9bf013de34a6ef49d4e0bc1efc2d67

22
private.nix Normal file

@ -0,0 +1,22 @@
let
privateExists = builtins.pathExists private/submodule-is-checked-out;
explicitUsePrivate = builtins.getEnv "WITH_SECRETS" == "true";
explicitNotUsePrivate = builtins.getEnv "WITH_SECRETS" == "false";
usePrivate = !explicitNotUsePrivate && (explicitUsePrivate || privateExists);
withSecrets = builtins.trace (if usePrivate then
assert privateExists; "Building _with_ secrets!"
else
"Building _without_ secrets!") usePrivate;
in {
inherit withSecrets;
privatePath = name:
let path = "/etc/nixos/private/${name}";
in if withSecrets then assert builtins.pathExists path; path else path;
privateValue = default: name:
if withSecrets then import (./private + "/${name}.nix") else default;
privateFile = name:
if withSecrets then
./private + "/${name}"
else
builtins.toFile "missing-secret-file-${name}" "";
}
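Review bot: `privateFile` on the `privateFile = name:` line returns a path value (`./private + "/${name}"`), which Nix copies into the world-readable store as soon as a derivation references it, whereas `privatePath` returns a plain string under `/etc/nixos/private` that stays on disk and is read at runtime; the file does not say so, and callers choosing between the two need that distinction. A header comment along the lines of `# privatePath: string, read from disk at runtime, never enters the store; privateFile: path, copied into /nix/store - only for material that may be world-readable` would make it explicit. It is also worth stating the precedence encoded in `usePrivate`: `WITH_SECRETS=false` always wins, `WITH_SECRETS=true` forces secrets and the `assert privateExists` fails loudly if the submodule is missing, and with the variable unset secrets are used whenever `private/submodule-is-checked-out` exists, so any nix-build run outside the wrapper scripts defaults to with-secrets when the submodule is checked out.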