feat: reenable immich with native module, prepare nixos-extra-modules update

2025-10-11 07:10:39 +02:00 · 2025-09-13 20:18:54 +02:00 · 2025-09-13 20:18:54 +02:00 · 157c303f38
commit 157c303f38
parent ef2f2a9b77
25 changed files with 1521 additions and 184 deletions
--- a/flake/extra-builtins.nix
+++ b/flake/extra-builtins.nix
@ -0,0 +1,45 @@
+# This file is intended to be used together with pkgs.nix-plugins,
+# to provide rage decryption as an additional safe builtin.
+#
+# Make sure that nix-plugins is installed by adding the following
+# statement to your configuration.nix:
+#
+# ```nix
+# {
+#   nix.extraOptions = ''
+#     plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+#     # Please adjust path accordingly, or leave this out and alternativaly
+#     # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
+#     extra-builtins-file = ${./extra-builtins.nix}
+#   '';
+# }
+# ```
+{ exec, ... }:
+let
+  assertMsg = pred: msg: pred || builtins.throw msg;
+  hasSuffix =
+    suffix: content:
+    let
+      lenContent = builtins.stringLength content;
+      lenSuffix = builtins.stringLength suffix;
+    in
+    lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
+in
+{
+  # Instead of calling rage directly here, we call a wrapper script that will cache the output
+  # in a predictable path in /tmp, which allows us to only require the password for each encrypted
+  # file once.
+  rageImportEncrypted =
+    identities: nixFile:
+    assert assertMsg (builtins.isPath nixFile)
+      "The file to decrypt must be given as a path to prevent impurity.";
+    assert assertMsg (hasSuffix ".nix.age" nixFile)
+      "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+    exec (
+      [
+        ./rage-decrypt-and-cache.sh
+        nixFile
+      ]
+      ++ identities
+    );
+}