add sops; bao: builtins.readFile requries git-controlled file

top-level-nix
Pegasust 2022-12-22 18:57:21 -07:00
parent 1bee9c3368
commit 1121af6759
2 changed files with 92 additions and 13 deletions


@ -15,9 +15,47 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1671459584,
"narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "87b58217c9a05edcf7630b9be32570f889217aef",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1671472949,
"narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
} }
}, },


@ -1,15 +1,24 @@
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable"; nixpkgs.url = "nixpkgs/nixos-unstable";
# TODO: when sops-nix is supported in home-manager, switch to home-manager instead
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, ... }: outputs = { self, nixpkgs, sops-nix, ... }:
let lib = nixpkgs.lib; in let
{ lib = nixpkgs.lib;
proj_root = builtins.toString ./../..;
# TODO: when sops-nix is supported in home-manager, switch to home-manager instead
base_modules = [sops-nix.nixosModules.sops];
in {
# Windows with NixOS WSL # Windows with NixOS WSL
nixosConfigurations.Felia = nixpkgs.lib.nixosSystem { nixosConfigurations.Felia = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = base_modules ++ [
./wsl-configuration.nix ./wsl-configuration.nix
{ {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
@ -26,7 +35,7 @@
}; };
nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem { nixosConfigurations.lizzi = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = base_modules ++ [
./configuration.nix ./configuration.nix
{ {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
@ -85,7 +94,7 @@
# Generic machine # Generic machine
nixosConfigurations.pixi = nixpkgs.lib.nixosSystem { nixosConfigurations.pixi = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = base_modules ++ [
./configuration.nix ./configuration.nix
{ {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
@ -141,7 +150,7 @@
}; };
nixosConfigurations.nyx = nixpkgs.lib.nixosSystem { nixosConfigurations.nyx = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = base_modules ++ [
./configuration.nix ./configuration.nix
{ {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
@ -169,7 +178,7 @@
}; };
nixosConfigurations.nixos = nixpkgs.lib.nixosSystem { nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = base_modules ++ [
./configuration.nix ./configuration.nix
{ {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
@ -182,17 +191,49 @@
nixosConfigurations.bao = nixpkgs.lib.nixosSystem { nixosConfigurations.bao = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs.hostname = "bao"; specialArgs.hostname = "bao";
modules = [ modules = base_modules ++ [
./configuration.nix ./configuration.nix
# automount using s3fs # automount using s3fs
({config, pkgs, lib, ...}: { ({config, pkgs, lib, ...}: {
environment.systemPackages = [pkgs.s3fs]; # s3fs-fuse environment.systemPackages = [pkgs.s3fs]; # s3fs-fuse
# Sadly, this uses systemd, so we can't put it in home-manager yet # Sadly, autofs uses systemd, so we can't put it in home-manager
# HACK: need to store secret somewhere so that root can access this # HACK: need to store secret somewhere so that root can access this
# because autofs runs as root # because autofs may run as root for now, we enforce putting the secret in this monorepo
services.autofs = let services.autofs = let
# mount_dest: path ("wow")
# backend_args: nix attrs representing the arguments to be passed to s3fs
# ({"-fstype" = "fuse"; "use_cache" = "/tmp";})
# bucket: bucket name (hungtr-hot)
# NOTE: s3 custom provider will be provided inside
# backend_args, so just put the bucket name here
#
#-> "${mount_dest} ${formatted_args} ${s3fs-bin}#${bucket}"
autofs-s3fs_entry = {
mount_dest,
backend_args? {"-fstype" = "fuse";},
bucket
}@inputs: let
s3fs-exec = "${pkgs.s3fs}/bin/s3fs";
# confToBackendArg {lol="what"; empty=""; name_only=null;} -> "lol=what,empty=,name_only"
confToBackendArg = conf: (lib.concatStringsSep ","
(lib.mapAttrsToList (name: value: "${name}${lib.optionalString (value != null) "=${value}"}") conf));
in "${mount_dest} ${confToBackendArg backend_args} ${s3fs-exec}#${bucket}";
personalStorage = [ personalStorage = [
"hot -fstype=fuse,use_cache=/tmp,del_cache,allow_other,url=f5i0.ph.idrivee2-32.com :s3fs#hungtr-hot" # (autofs-s3fs_entry {
# mount_dest = "hot";
# backend_args = {
# "-fstype" = "fuse";
# use_cache = "/tmp";
# del_cache = null;
# allow_other = null;
# url = "https://f5i0.ph.idrivee2-32.com";
# # TODO: builtins.readFile requires a Git-controlled file
# passwd_file = (pkgs.writeText "env.s3fs.idrive" (builtins.readFile
# "${proj_root}//secrets/env.s3fs"
# ));
# };
# bucket = "hungtr-hot";
# })
]; ];
persoConf = pkgs.writeText "personal" (builtins.concatStringsSep "\n" personalStorage); persoConf = pkgs.writeText "personal" (builtins.concatStringsSep "\n" personalStorage);
in { in {
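Review bot: The commented-out `passwd_file` line in the bao hunk wraps the credential in `pkgs.writeText`, which would copy the s3fs password into /nix/store — world-readable on the host and, if the store is pushed to a binary cache, readable remotely — so the blocker is not only that `builtins.readFile` needs a git-tracked path, and the "enforce putting the secret in this monorepo" comment above `services.autofs` points the same wrong way. This commit already wires in sops-nix via `base_modules`, which is the right tool here: declare the secret with `sops.secrets."env.s3fs" = { sopsFile = <path-to-encrypted-secrets-file>; };` and pass its runtime path instead, `passwd_file = config.sops.secrets."env.s3fs".path;`, so the plaintext only exists under /run/secrets with root ownership, which is exactly what the root-running autofs needs. I would also replace the HACK comment with `# passwd_file must be readable by root at mount time; provided by sops-nix at runtime, never in the store`. Minor: the live entry on the previous line still uses `:s3fs#hungtr-hot`, which resolves s3fs from PATH, whereas the new helper pins `${pkgs.s3fs}/bin/s3fs`, so the two entries would behave differently if PATH changes. The `let` binding of `services.autofs` continues past the end of this hunk.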