sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: split "real" modules and "config" modules

Browse source
This commit is contained in:
oddlama 2024-05-25 17:56:30 +02:00
parent 045f15239a
commit cceae6c63c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
60 changed files with 126 additions and 113 deletions
Download patch file Download diff file Expand all files Collapse all files

59
config/secrets.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
inputs,
lib,
...
}: {
# Define local repo secrets
repo.secretFiles = let
local = config.node.secretsDir + "/local.nix.age";
in
{
global = ../secrets/global.nix.age;
}
// lib.optionalAttrs (lib.pathExists local) {inherit local;};
# Setup secret rekeying parameters
age.rekey = {
inherit
(inputs.self.secretsConfig)
masterIdentities
extraEncryptionPubkeys
;
hostPubkey = config.node.secretsDir + "/host.pub";
storageMode = "local";
generatedSecretsDir = inputs.self.outPath + "/secrets/generated/${config.node.name}";
localStorageDir = inputs.self.outPath + "/secrets/rekeyed/${config.node.name}";
};
age.generators.basic-auth = {
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps ({
name,
host,
file,
}: ''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.apacheHttpd}/bin/htpasswd -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
|| die "Failure while aggregating basic auth hashes"
'');
# Just before switching, remove the agenix directory if it exists.
# This can happen when a secret is used in the initrd because it will
# then be copied to the initramfs under the same path. This materializes
# /run/agenix as a directory which will cause issues when the actual system tries
# to create a link called /run/agenix. Agenix should probably fail in this case,
# but doesn't and instead puts the generation link into the existing directory.
# TODO See https://github.com/ryantm/agenix/pull/187.
system.activationScripts = lib.mkIf (config.age.secrets != {}) {
removeAgenixLink.text = "[[ ! -L /run/agenix ]] && [[ -d /run/agenix ]] && rm -rf /run/agenix";
agenixNewGeneration.deps = ["removeAgenixLink"];
};
}