From 3111408f7d4ffeb96f586e7bd4316639b82411fb Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 15 Mar 2023 02:29:14 +0100 Subject: [PATCH] feat: allow .nix.age files to contain functions or bare attrs --- README.md | 2 +- hosts/zackbiene/secrets/secrets.nix.age | 19 +++++++++---------- nix/colmena.nix | 4 ++-- nix/extra-builtins.nix | 2 +- nix/secrets.nix | 23 ++++++++++++++++------- secrets/secrets.nix.age | 17 ++++++++--------- 6 files changed, 37 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 86e220e..69e1e44 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ all commands using these extra parameters, or permanently add the following the 2. Run all commands with `--option plugin-files "$NIX_PLUGINS"/lib/nix/plugins --option extra-builtins-file ./nix/extra-builtins.nix` or permantently - ```nix + ```toml plugin-files = /lib/nix/plugins extra-builtins-file = /path/to/nix-config/nix/extra-builtins.nix ``` diff --git a/hosts/zackbiene/secrets/secrets.nix.age b/hosts/zackbiene/secrets/secrets.nix.age index 41194ba..080e166 100644 --- a/hosts/zackbiene/secrets/secrets.nix.age +++ b/hosts/zackbiene/secrets/secrets.nix.age 
@@ -1,11 +1,10 @@ age-encryption.org/v1 --> X25519 i6aU9NyNgN17pez4P33oV7d/HNDirMTDIDvZQiWyD0U -3TgVPXyYypC+b7c17ZoV1ZbASpqzgskJ0OUVtBgxhFk --> piv-p256 xqSe8Q A3kpyhwhqEsSqoVD7SB8VK5dU0ZiOrsOdloF+iviN/mq -W315d5mn13I4JWpsut801LKgGieKF8NIuJ6TeF4wCtI --> Vzkv-grease u -ScmUF1PthzjmA8USzPlx5s5zcTDMGb2zcniHiOHz/ax4cTDKtnDgr8hI6r/6cKXs -5EkFcJHCI4nNFSCK8WHIIaGDpWWB6YrkkicVQU9K7QRa57xhVniotpH1rOnbEcFN -j5M ---- 4rSnr2uChIZoKOe3DDWFK/3JUUPAst1LDOulv1WN1Ek -ԴWb^zrF X25519 EudkRJVFdtI3TB5ASrLMijjwz5MDotPpKYivGW0Fflc +d2kCskNAE6wQTnJHWgerEoX6qzk6CIZiq31bPJc2L28 +-> piv-p256 xqSe8Q AhO0b/wnxSUyd1F6RRXjwYfO9vgPOn9cpIvANnyYlGVl +awJWopmJA/rFzZaudoo1AOA9mq3izm2jbfpFrJA/7u0 +-> thOR[X=-grease yu6vjtq +VinuD5DiV4P9H7Kzmp2gCMfsTZ4t3Ws7L+psnfvo+jWx50YK3ZbLxl47LtJqqLkx +o6W28SqfwSlDdFL/hNYP+FnpuW4UrtJPxmdv6SVncOlHUTvN +--- cAglqtAsQAmUyt3E9LtYB0/YXyd+Z78R1SRc3YuMQWc +-ލzNMwb썾|{|6| #b^wBbjlUdx _?ŕN{[ŖK\ \ No newline at end of file diff --git a/nix/colmena.nix b/nix/colmena.nix index 95d1e89..3469996 100644 --- a/nix/colmena.nix +++ b/nix/colmena.nix @@ -14,7 +14,7 @@ with nixpkgs.lib; let nixosHosts = filterAttrs (_: x: x.type == "nixos") self.hosts; generateColmenaNode = hostName: _: { imports = [ - { + ({ config, ... }: { # By default, set networking.hostName to the hostName networking.hostName = mkDefault hostName; # Define global flakes for this system @@ -29,7 +29,7 @@ with nixpkgs.lib; let rekey.hostPubkey = ../secrets/pubkeys + "/${config.networking.hostName}.pub"; rekey.masterIdentities = [../secrets/yk1-nix-rage.pub]; rekey.extraEncryptionPubkeys = [../secrets/backup.pub]; - } + }) (../hosts + "/${hostName}") home-manager.nixosModules.default #impermanence.nixosModules.default diff --git a/nix/extra-builtins.nix b/nix/extra-builtins.nix index 2f3ffb0..c95b450 100644 --- a/nix/extra-builtins.nix +++ b/nix/extra-builtins.nix 
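Review bot: `rekey.hostPubkey` is now read from `config.networking.hostName`, but that option is only set with `mkDefault` in this same module and the host's own module (`../hosts + "/${hostName}"`, imported right after it) can override it, so the public key used for rekeying would silently follow the override rather than the colmena node name. Unless that indirection is intended, binding the key file to the node name is the safer default: `rekey.hostPubkey = ../secrets/pubkeys + "/${hostName}.pub";`, and as far as the visible lines go that would also remove the reason the module was turned into a function of `config`. The module function opened in the first hunk (`({ config, ... }: {`) is closed by the `})` in the second; the body between the two hunks is outside this view.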
@@ -22,7 +22,7 @@
 in
 lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
 in {
- rageImportDecrypt = identities: nixFile:
+ rageImportEncrypted = identities: nixFile:
 assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
 assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
 exec (["rage" "-d"] ++ (builtins.concatMap (x: ["-i" x]) identities) ++ [nixFile]);
diff --git a/nix/secrets.nix b/nix/secrets.nix
index cb9c63e..be57fd6 100644
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
@@ -17,15 +17,24 @@
 ...
 } @ inputs:
 with nixpkgs.lib; let
- mergeArray = f: unique (concatLists (mapAttrsToList (_: f) self.nodes));
- mergedMasterIdentities = mergeArray (x: x.config.rekey.masterIdentities or []);
- # "Imports" an encrypted .nix.age file
+ # The identities that are used to decrypt any repository-wide secrets.
+ masterIdentities = [../secrets/yk1-nix-rage.pub];
+ # If the given expression is a bare set, it will be wrapped in a function,
+ # so that the imported file can always be applied to the inputs, similar to
+ # how modules can be functions or sets.
+ constSet = x:
+ if builtins.isAttrs x
+ then (_: x)
+ else x;
+ # This "imports" an encrypted .nix.age file
 importEncrypted = path:
- if builtins.pathExists path
- then builtins.extraBuiltins.rageImportDecrypt mergedMasterIdentities path
- else _: {};
+ constSet (
+ if builtins.pathExists path
+ then builtins.extraBuiltins.rageImportEncrypted masterIdentities path
+ else {}
+ );
 in
 (importEncrypted ../secrets/secrets.nix.age inputs)
 // {
- nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.nodes;
+ nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
 }
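Review bot: `constSet` only handles the attribute-set case; a decrypted file that evaluates to anything else (a string, a list, null) is passed through unchanged and only fails later at `importEncrypted ... inputs` with Nix's generic "attempt to call something which is not a function" error, with no hint of which `.nix.age` file is malformed. Since `assertMsg` is already in scope through `with nixpkgs.lib`, the fall-through branch can at least check the shape explicitly: `else assert assertMsg (builtins.isFunction x) "A decrypted .nix.age file must evaluate to a function or an attribute set"; x;` (naming the offending file would mean moving the check into `importEncrypted`, where `path` is in scope). Separately, `masterIdentities = [../secrets/yk1-nix-rage.pub]` now duplicates the `rekey.masterIdentities = [../secrets/yk1-nix-rage.pub]` list in nix/colmena.nix; if the two drift, secrets get rekeyed for one identity set but decrypted at evaluation time with another, so a comment such as `# Keep in sync with rekey.masterIdentities in nix/colmena.nix` or a single shared definition would be worth adding.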
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 6b9f3c0..624516c 100644 --- a/secrets/secrets.nix.age +++ b/secrets/secrets.nix.age @@ -1,10 +1,9 @@ age-encryption.org/v1 --> X25519 G4gcvnrT5F96VKuJKWCZnu3FaQl8Mw53cTfAw75HvDo -aW5tQryfBWLjGAhxzds0tNgD2Q7+GbC19ev0LTmnAag --> piv-p256 xqSe8Q Ak7W7nWemREYSyuxsCGZq3anjmSBjZXxInYRjyxhlULw -a4D3LWlMB8mROXAtHeVtt8WckgBdrRwD0y2hJt9qLKg --> \aR-grease 2J>j% 4M/Y^- x1`AZ_,W )YZ/;NT -pWcsdkCVXg9tB54p3/YcZt8VGpH+5FdZCZM6xFDvXai0AED9V9AKMWK9jOfqCQYN -RvhfpOVyL0r8 ---- GYfc2AZAGyiEdSaSfw/BdsMFVQrVCYLM0rDAUtk3k9E -[S^}*Tϳ.S"H_ zi蔐`},)x/;twV \ No newline at end of file +-> X25519 vyK4cXkYqS/xic3L1hVfZOm9F2dy41g0k8NtY0S7o0g +pdm+YdbPD+jg9oRGD1m/bSFwmcI6slqCg8bSSHUgyTg +-> piv-p256 xqSe8Q A7Z8dLqDdsXdeMFUI0yZy7IOH+VovH4bzc2dRkCKQYoE +fa0294BZfM4wYXdF1j5BogNpVdgfhnITHIFubQq8G6M +-> X-grease YRM7Gw8# 0\&Rw +SXlWKCRgatc1AAoprriaOmKPrw +--- ybnfcV0t6H0UUl6Oc5z6EYOuLxpeVqh+TcywwgevaFw +aC kz DMYw8ߛچ.O