From e33476a7f502044ab0618d56b09af62751d8e747 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 2 Oct 2023 20:07:27 +0200
Subject: [PATCH] chore: only add agenix-rekey and nix-import-encrypted persistent folders to dev machines

---
 modules/config/impermanence.nix  | 7 +------
 modules/optional/dev/default.nix | 8 ++++++++
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/modules/config/impermanence.nix b/modules/config/impermanence.nix
index 11aa8cf..0a427cf 100644
--- a/modules/config/impermanence.nix
+++ b/modules/config/impermanence.nix
@@ -90,16 +90,11 @@ in {
       hideMounts = true;
       directories =
         [
-          {
-            directory = "/var/tmp/agenix-rekey";
-            mode = "1777";
-          }
-          "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
           "/var/lib/systemd"
           "/var/log"
+          "/var/spool"
           #{ directory = "/tmp"; mode = "1777"; }
           #{ directory = "/var/tmp"; mode = "1777"; }
-          "/var/spool"
         ]
         ++ optionals config.networking.wireless.iwd.enable [
           {
diff --git a/modules/optional/dev/default.nix b/modules/optional/dev/default.nix
index 4c29439..3723176 100644
--- a/modules/optional/dev/default.nix
+++ b/modules/optional/dev/default.nix
@@ -18,6 +18,14 @@ lib.optionalAttrs (!minimal) {
   # Add the agenix-rekey sandbox path permanently to avoid adding myself to trusted-users
   nix.settings.extra-sandbox-paths = ["/var/tmp/agenix-rekey"];
 
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/tmp/agenix-rekey";
+      mode = "1777";
+    }
+    "/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept
+  ];
+
   services.nixseparatedebuginfod = {
     enable = true;
     # We need a system-level user to be able to use nix.settings.allowed-users with it.
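Review bot: The new `"/var/tmp/nix-import-encrypted" # Decrypted repo-secrets can be kept` entry persists plaintext secrets on `/state` with whatever ownership and mode the impermanence module applies by default, so nothing in this hunk restricts who on the host can read them, and a reboot no longer wipes them as it did while the path lived in a volatile `/var/tmp`. If the decrypting tool runs as root, pin the entry to `{ directory = "/var/tmp/nix-import-encrypted"; mode = "0700"; }`; if it runs as an unprivileged user, give the entry that user and a non-world-readable mode instead — I cannot tell from the hunk which applies, so please confirm and record it in the comment. The `/var/tmp/agenix-rekey` entry is world-writable (`1777`) and is the same path handed to every build sandbox on the `nix.settings.extra-sandbox-paths` line above, so any local user or build can drop files into it; that is inherited from the old location, but a comment stating that presumably only rekeyed ciphertexts are expected there, and that nothing in this module verifies their integrity, would help the next reader. The enclosing `lib.optionalAttrs (!minimal) { … }` attrset starts before the hunk.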