add sops; bao: builtins.readFile requires git-controlled file
parent
1bee9c3368
commit
1121af6759
|
@ -15,9 +15,47 @@
|
|||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1671459584,
|
||||
"narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "87b58217c9a05edcf7630b9be32570f889217aef",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1671472949,
|
||||
"narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|
|
@ -1,15 +1,24 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "nixpkgs/nixos-unstable";
|
||||
# TODO: when sops-nix is supported in home-manager, switch to home-manager instead
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, ... }:
|
||||
let lib = nixpkgs.lib; in
|
||||
{
|
||||
outputs = { self, nixpkgs, sops-nix, ... }:
|
||||
let
|
||||
lib = nixpkgs.lib;
|
||||
proj_root = builtins.toString ./../..;
|
||||
# TODO: when sops-nix is supported in home-manager, switch to home-manager instead
|
||||
base_modules = [sops-nix.nixosModules.sops];
|
||||
in {
|
||||
# Windows with NixOS WSL
|
||||
nixosConfigurations.Felia = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./wsl-configuration.nix
|
||||
{
|
||||
system.stateVersion = "22.05";
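Review bot: `proj_root = builtins.toString ./../..` has no consumer on the new side other than the block the same commit leaves commented out in the bao configuration, so it is a dead binding here; if it is kept for the planned secret handling it needs a comment stating the trap it sets up. Inside a flake a relative path is resolved against the copy of the source tree that Nix places in the store, and for a git-backed flake that copy contains only tracked files, so anything reached through `proj_root` must be committed to the repo — which is exactly what must never happen to a credential (this assumes flake.nix sits two directories below the repo root, as `./../..` suggests). Suggested comment above the binding: `# Store path of the repo checkout as the flake sees it; only git-tracked files exist under it, so never resolve secrets through this path.` The `let` opened here is closed by `in {` inside the hunk, but the attribute set it returns continues past the hunk.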
|
||||
|
@ -26,7 +35,7 @@
|
|||
};
|
||||
nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./configuration.nix
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
@ -85,7 +94,7 @@
|
|||
# Generic machine
|
||||
nixosConfigurations.pixi = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./configuration.nix
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
@ -141,7 +150,7 @@
|
|||
};
|
||||
nixosConfigurations.nyx = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./configuration.nix
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
@ -169,7 +178,7 @@
|
|||
};
|
||||
nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./configuration.nix
|
||||
{
|
||||
system.stateVersion = "22.05";
|
||||
|
@ -182,17 +191,49 @@
|
|||
nixosConfigurations.bao = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs.hostname = "bao";
|
||||
modules = [
|
||||
modules = base_modules ++ [
|
||||
./configuration.nix
|
||||
# automount using s3fs
|
||||
({config, pkgs, lib, ...}: {
|
||||
environment.systemPackages = [pkgs.s3fs]; # s3fs-fuse
|
||||
# Sadly, this uses systemd, so we can't put it in home-manager yet
|
||||
# Sadly, autofs uses systemd, so we can't put it in home-manager
|
||||
# HACK: need to store secret somewhere so that root can access this
|
||||
# because autofs runs as root
|
||||
# because autofs may run as root for now, we enforce putting the secret in this monorepo
|
||||
services.autofs = let
|
||||
# mount_dest: path ("wow")
|
||||
# backend_args: nix attrs representing the arguments to be passed to s3fs
|
||||
# ({"-fstype" = "fuse"; "use_cache" = "/tmp";})
|
||||
# bucket: bucket name (hungtr-hot)
|
||||
# NOTE: s3 custom provider will be provided inside
|
||||
# backend_args, so just put the bucket name here
|
||||
#
|
||||
#-> "${mount_dest} ${formatted_args} ${s3fs-bin}#${bucket}"
|
||||
autofs-s3fs_entry = {
|
||||
mount_dest,
|
||||
backend_args? {"-fstype" = "fuse";},
|
||||
bucket
|
||||
}@inputs: let
|
||||
s3fs-exec = "${pkgs.s3fs}/bin/s3fs";
|
||||
# confToBackendArg {lol="what"; empty=""; name_only=null;} -> "lol=what,empty=,name_only"
|
||||
confToBackendArg = conf: (lib.concatStringsSep ","
|
||||
(lib.mapAttrsToList (name: value: "${name}${lib.optionalString (value != null) "=${value}"}") conf));
|
||||
in "${mount_dest} ${confToBackendArg backend_args} ${s3fs-exec}#${bucket}";
|
||||
personalStorage = [
|
||||
"hot -fstype=fuse,use_cache=/tmp,del_cache,allow_other,url=f5i0.ph.idrivee2-32.com :s3fs#hungtr-hot"
|
||||
# (autofs-s3fs_entry {
|
||||
# mount_dest = "hot";
|
||||
# backend_args = {
|
||||
# "-fstype" = "fuse";
|
||||
# use_cache = "/tmp";
|
||||
# del_cache = null;
|
||||
# allow_other = null;
|
||||
# url = "https://f5i0.ph.idrivee2-32.com";
|
||||
# # TODO: builtins.readFile requires a Git-controlled file
|
||||
# passwd_file = (pkgs.writeText "env.s3fs.idrive" (builtins.readFile
|
||||
# "${proj_root}//secrets/env.s3fs"
|
||||
# ));
|
||||
# };
|
||||
# bucket = "hungtr-hot";
|
||||
# })
|
||||
];
|
||||
persoConf = pkgs.writeText "personal" (builtins.concatStringsSep "\n" personalStorage);
|
||||
in {
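Review bot: The commented-out `passwd_file = (pkgs.writeText "env.s3fs.idrive" (builtins.readFile "${proj_root}//secrets/env.s3fs"))` would, once enabled, copy the s3fs credential into /nix/store, which is world-readable on every host the closure reaches, and the TODO above it misstates the obstacle: the problem is not that `builtins.readFile` needs a tracked file, but that a flake evaluates only the git-tracked tree and that any file read at evaluation time lands in the store in plaintext. The commit already puts `sops-nix.nixosModules.sops` into `base_modules`, so the intended fix is to declare the credential as a sops secret and give autofs its decrypted runtime path instead, e.g. `passwd_file = config.sops.secrets."env.s3fs".path;` together with `sops.secrets."env.s3fs" = { };` and a `sops.defaultSopsFile` pointing at an encrypted file that can safely be committed (sops-nix decrypts at activation into a root-owned location; confirm the mode/owner match what the autofs daemon runs as). Separately, the helper's result `${s3fs-exec}#${bucket}` lacks the leading `:` that the working literal entry `:s3fs#hungtr-hot` uses for a host-less autofs location, so `autofs-s3fs_entry` as written appears to produce a different map entry than the one it is meant to replace — worth checking against the autofs map syntax before un-commenting it. The `in {` at the end of this hunk opens the module body, which continues beyond the hunk.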
|
||||
|
|