From dbf77891e1ed5f0a6d1513016c0bf568ea1aec8f Mon Sep 17 00:00:00 2001 From: arcnmx Date: Sat, 29 Apr 2023 13:10:07 -0700 Subject: [PATCH] trusted and tf-nix inputs removed --- .envrc | 3 - .gitmodules | 4 - .sops.yaml | 2 +- ci/flake-cron.nix | 2 +- ci/nodes.nix | 2 +- devShell.nix | 3 - flake.lock | 501 +-------------------------------------------- flake.nix | 3 - inputs.nix | 9 +- nixos/base/tf.nix | 7 - nixos/deploy.sh | 27 +-- nixos/kat.nix | 1 - system/root.nix | 2 - system/secrets.nix | 5 - tewi/nixos.nix | 14 +- tewi/secrets.yaml | 5 +- tree.nix | 28 +-- trusted/flake.lock | 27 --- trusted/flake.nix | 10 - trusted/trusted | 1 - 20 files changed, 24 insertions(+), 632 deletions(-) delete mode 100644 .gitmodules delete mode 100644 nixos/base/tf.nix delete mode 100644 system/secrets.nix delete mode 100644 trusted/flake.lock delete mode 100644 trusted/flake.nix delete mode 160000 trusted/trusted diff --git a/.envrc b/.envrc index 2e542208..e32646d4 100644 --- a/.envrc +++ b/.envrc @@ -5,9 +5,6 @@ FLAKE_ARGS=() if [[ $(id -un) = kat ]]; then git pull fi -if [[ -e trusted/trusted/flake.nix ]]; then - export TRUSTED=1 -fi source_env_if_exists .envrc.conf diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 263318f3..00000000 --- a/.gitmodules +++ /dev/null @@ -1,4 +0,0 @@ -[submodule "trusted/trusted"] - path = trusted/trusted - branch = shim - url = gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git diff --git a/.sops.yaml b/.sops.yaml index 208400d8..237f0c62 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,7 +4,7 @@ keys: - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt creation_rules: -- path_regex: nixos/systems/[^/]+/secrets\.yaml$ +- path_regex: '[^/]+/secrets\.yaml$' shamir_threshold: 1 key_groups: - pgp: diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index a68177da..cf85204a 100644 --- a/ci/flake-cron.nix 
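Review bot: The widened `path_regex` in the .sops.yaml hunk is still unanchored at the start and now binds every `<dir>/secrets.yaml` in the repository to one creation rule, whose key group (it continues past the end of the hunk) includes the host-specific age keys `tewi_gen` and `tewi_osh` declared just above. Any secrets file added later for a second host would therefore be encrypted to tewi's keys as well unless a separate rule is written first, which is the opposite of the per-host isolation the old `nixos/systems/<host>/` layout suggested. If tewi is meant to be the only host for now, consider pinning the rule explicitly, `path_regex: '^tewi/secrets\.yaml$'`, and adding a rule per host with only that host's age key when another machine appears. A one-line comment above `creation_rules:` stating that intent would help whoever adds the next host.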
+++ b/ci/flake-cron.nix @@ -96,7 +96,7 @@ in { environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; command = let filteredHosts = ["tewi"]; - nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.deploy.system -o result-${node} && nix-collect-garbage -d") filteredHosts; + nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.system.build.toplevel -o result-${node} && nix-collect-garbage -d") filteredHosts; in '' # ${toString builtins.currentTime} nix flake update diff --git a/ci/nodes.nix b/ci/nodes.nix index b2edf4dd..14de46cc 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix @@ -63,7 +63,7 @@ with lib; { enabledHosts = ["tewi"]; in mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { - tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.deploy.system; + tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.system.build.toplevel; })); ci.gh-actions.checkoutOptions.submodules = false; diff --git a/devShell.nix b/devShell.nix index b130acb0..f5bda409 100644 --- a/devShell.nix +++ b/devShell.nix @@ -18,9 +18,6 @@ let ''; nf-update = pkgs.writeShellScriptBin "nf-update" '' nix flake update - if [[ -n $TRUSTED ]]; then - nix flake lock ./trusted --update-input trusted - fi ''; nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' exec /usr/bin/env bash ${./nixos/deploy.sh} "$@" diff --git a/flake.lock b/flake.lock index acdd48d8..7d71a475 100644 --- a/flake.lock +++ b/flake.lock 
@@ -34,173 +34,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682773107, - "narHash": "sha256-+h94XeJnG3uk5imJlBi/1lVmcfCbxHpwZp5u7n3Krwg=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "379d42fad6bc5c28f79d5f7ff2fa5f1c90cb7bf8", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, - "doom-emacs": { - "flake": false, - "locked": { - "lastModified": 1662497747, - "narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=", - "owner": "doomemacs", - "repo": "doomemacs", - "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac", - "type": "github" - }, - "original": { - "owner": "doomemacs", - "repo": "doomemacs", - "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac", - "type": "github" - } - }, - "doom-snippets": { - "flake": false, - "locked": { - "lastModified": 1676839496, - "narHash": "sha256-1Ay9zi0u1lycmEeFqIxr0RWH+JvH9BnzgRzkPeWEAYY=", - "owner": "doomemacs", - "repo": "snippets", - "rev": "fe4003014ae00b866f117cb193f711fd9d72fd11", - "type": "github" - }, - "original": { - "owner": "doomemacs", - "repo": "snippets", - "type": "github" - } - }, - "emacs-overlay": { - "flake": false, - "locked": { - "lastModified": 1676366521, - "narHash": "sha256-i4UAY8t9Au9SJtsgYppa3NHSVf1YkV6yqnNIQd+Km4g=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "c16be6de78ea878aedd0292aa5d4a1ee0a5da501", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "c16be6de78ea878aedd0292aa5d4a1ee0a5da501", - "type": "github" - } - }, - "emacs-so-long": { - "flake": false, - "locked": { - "lastModified": 1575031854, - "narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=", - "owner": "hlissner", - "repo": "emacs-so-long", - "rev": "ed666b0716f60e8988c455804de24b55919e71ca", - "type": "github" - }, - "original": { - "owner": "hlissner", - "repo": 
"emacs-so-long", - "type": "github" - } - }, - "evil-escape": { - "flake": false, - "locked": { - "lastModified": 1588439096, - "narHash": "sha256-aB2Ge5o/93B18tPf4fN1c+O46CNh/nOqwLJbox4c8Gw=", - "owner": "hlissner", - "repo": "evil-escape", - "rev": "819f1ee1cf3f69a1ae920e6004f2c0baeebbe077", - "type": "github" - }, - "original": { - "owner": "hlissner", - "repo": "evil-escape", - "type": "github" - } - }, - "evil-markdown": { - "flake": false, - "locked": { - "lastModified": 1626852210, - "narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=", - "owner": "Somelauw", - "repo": "evil-markdown", - "rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477", - "type": "github" - }, - "original": { - "owner": "Somelauw", - "repo": "evil-markdown", - "type": "github" - } - }, - "evil-org-mode": { - "flake": false, - "locked": { - "lastModified": 1607203864, - "narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=", - "owner": "hlissner", - "repo": "evil-org-mode", - "rev": "a9706da260c45b98601bcd72b1d2c0a24a017700", - "type": "github" - }, - "original": { - "owner": "hlissner", - "repo": "evil-org-mode", - "type": "github" - } - }, - "evil-quick-diff": { - "flake": false, - "locked": { - "lastModified": 1575189609, - "narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=", - "owner": "rgrinberg", - "repo": "evil-quick-diff", - "rev": "69c883720b30a892c63bc89f49d4f0e8b8028908", - "type": "github" - }, - "original": { - "owner": "rgrinberg", - "repo": "evil-quick-diff", - "type": "github" - } - }, - "explain-pause-mode": { - "flake": false, - "locked": { - "lastModified": 1595842060, - "narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=", - "owner": "lastquestion", - "repo": "explain-pause-mode", - "rev": "2356c8c3639cbeeb9751744dbe737267849b4b51", - "type": "github" - }, - "original": { - "owner": "lastquestion", - "repo": "explain-pause-mode", - "type": "github" - } - }, "fl-config": { "locked": { "lastModified": 1653159448, 
@@ -233,22 +66,6 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" @@ -286,23 +103,6 @@ "type": "github" } }, - "format-all": { - "flake": false, - "locked": { - "lastModified": 1581716637, - "narHash": "sha256-ul7LCe60W8TIvUmUtZtZRo8489TK9iTPDsLHmzxY57M=", - "owner": "lassik", - "repo": "emacs-format-all-the-code", - "rev": "47d862d40a088ca089c92cd393c6dca4628f87d3", - "type": "github" - }, - "original": { - "owner": "lassik", - "repo": "emacs-format-all-the-code", - "rev": "47d862d40a088ca089c92cd393c6dca4628f87d3", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -324,76 +124,6 @@ "type": "github" } }, - "nix-dns": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1635273082, - "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=", - "owner": "kirelagin", - "repo": "nix-dns", - "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a", - "type": "github" - }, - "original": { - "owner": "kirelagin", - "ref": "master", - "repo": "nix-dns", - "type": "github" - } - }, - "nix-doom-emacs": { - "inputs": { - "doom-emacs": "doom-emacs", - "doom-snippets": "doom-snippets", - "emacs-overlay": "emacs-overlay", - "emacs-so-long": "emacs-so-long", - "evil-escape": "evil-escape", - "evil-markdown": "evil-markdown", - "evil-org-mode": "evil-org-mode", - "evil-quick-diff": "evil-quick-diff", - "explain-pause-mode": "explain-pause-mode", - "flake-compat": "flake-compat_2", - "flake-utils": [ - "flake-utils" - ], - "format-all": "format-all", - "nix-straight": "nix-straight", - "nixpkgs": [ - "nixpkgs" - ], - "nose": "nose", - "ob-racket": "ob-racket", - "org": "org", - "org-contrib": "org-contrib", - "org-yt": "org-yt", - "php-extras": "php-extras", - "revealjs": "revealjs", - "rotate-text": "rotate-text", - "sln-mode": "sln-mode", - "ts-fold": "ts-fold", - "ws-butler": "ws-butler" - }, - "locked": { - "lastModified": 1682645493, - "narHash": "sha256-U3TqEcBM7QSqX0B9vQYIdB/9Ls7SE6BzM4XNDpM0Lpg=", - "owner": "nix-community", - "repo": "nix-doom-emacs", - "rev": "33db1786e0352cad4227fb931ac96c4e2e89de29", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-doom-emacs", - "type": "github" - } - }, "nix-std": { "locked": { "lastModified": 1652644856, 
@@ -410,22 +140,6 @@ "type": "github" } }, - "nix-straight": { - "flake": false, - "locked": { - "lastModified": 1666982610, - "narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=", - "owner": "nix-community", - "repo": "nix-straight.el", - "rev": "ad10364d64f472c904115fd38d194efe1c3f1226", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-straight.el", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1682692304, @@ -458,22 +172,6 @@ "type": "github" } }, - "nose": { - "flake": false, - "locked": { - "lastModified": 1400604510, - "narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=", - "owner": "emacsattic", - "repo": "nose", - "rev": "f8528297519eba911696c4e68fa88892de9a7b72", - "type": "github" - }, - "original": { - "owner": "emacsattic", - "repo": "nose", - "type": "github" - } - }, "nur": { "locked": { "lastModified": 1682751794, 
@@ -490,134 +188,17 @@ "type": "github" } }, - "ob-racket": { - "flake": false, - "locked": { - "lastModified": 1584656173, - "narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=", - "owner": "xchrishawk", - "repo": "ob-racket", - "rev": "83457ec9e1e96a29fd2086ed19432b9d75787673", - "type": "github" - }, - "original": { - "owner": "xchrishawk", - "repo": "ob-racket", - "type": "github" - } - }, - "org": { - "flake": false, - "locked": { - "lastModified": 1682449610, - "narHash": "sha256-1I9Rpnyp9rZTYG48oxxN+scKoKTJxh/ya787zI0xIpI=", - "owner": "emacs-straight", - "repo": "org-mode", - "rev": "eaf274909f595ba29b853031e1c5bcdac255fbeb", - "type": "github" - }, - "original": { - "owner": "emacs-straight", - "repo": "org-mode", - "type": "github" - } - }, - "org-contrib": { - "flake": false, - "locked": { - "lastModified": 1675694242, - "narHash": "sha256-4Fn33CTVTCqh5TyVAggSr8Fm8/hB8Xgl+hkxh3WCrI8=", - "owner": "emacsmirror", - "repo": "org-contrib", - "rev": "fff6c888065588527b1c1d7dd7e41c29ef767e17", - "type": "github" - }, - "original": { - "owner": "emacsmirror", - "repo": "org-contrib", - "type": "github" - } - }, - "org-yt": { - "flake": false, - "locked": { - "lastModified": 1527381913, - "narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=", - "owner": "TobiasZawada", - "repo": "org-yt", - "rev": "40cc1ac76d741055cbefa13860d9f070a7ade001", - "type": "github" - }, - "original": { - "owner": "TobiasZawada", - "repo": "org-yt", - "type": "github" - } - }, - "php-extras": { - "flake": false, - "locked": { - "lastModified": 1573312690, - "narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=", - "owner": "arnested", - "repo": "php-extras", - "rev": "d410c5af663c30c01d461ac476d1cbfbacb49367", - "type": "github" - }, - "original": { - "owner": "arnested", - "repo": "php-extras", - "type": "github" - } - }, - "revealjs": { - "flake": false, - "locked": { - "lastModified": 1681386605, - "narHash": 
"sha256-9Q7aWgjAV37iJp6oYDz45e8J+RKwKY1Uvgg/BXwf5nQ=", - "owner": "hakimel", - "repo": "reveal.js", - "rev": "0301ce58ab185f7191696e16b1b6389f58df2892", - "type": "github" - }, - "original": { - "owner": "hakimel", - "repo": "reveal.js", - "type": "github" - } - }, "root": { "inputs": { "arcexprs": "arcexprs", "ci": "ci", - "darwin": "darwin", "flake-compat": "flake-compat", "flake-utils": "flake-utils", "home-manager": "home-manager", - "nix-dns": "nix-dns", - "nix-doom-emacs": "nix-doom-emacs", "nixpkgs": "nixpkgs", "nur": "nur", "sops-nix": "sops-nix", - "systemd2mqtt": "systemd2mqtt", - "tf-nix": "tf-nix", - "trusted": "trusted" - } - }, - "rotate-text": { - "flake": false, - "locked": { - "lastModified": 1322962747, - "narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=", - "owner": "debug-ito", - "repo": "rotate-text.el", - "rev": "48f193697db996855aee1ad2bc99b38c6646fe76", - "type": "github" - }, - "original": { - "owner": "debug-ito", - "repo": "rotate-text.el", - "type": "github" + "systemd2mqtt": "systemd2mqtt" } }, "rust": { @@ -641,22 +222,6 @@ "type": "github" } }, - "sln-mode": { - "flake": false, - "locked": { - "lastModified": 1423727528, - "narHash": "sha256-XqkqPyEJuTtFslOz1fpTf/Klbd/zA7IGpzpmum/MGao=", - "owner": "sensorflo", - "repo": "sln-mode", - "rev": "0f91d1b957c7d2a7bab9278ec57b54d57f1dbd9c", - "type": "github" - }, - "original": { - "owner": "sensorflo", - "repo": "sln-mode", - "type": "github" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ 
@@ -732,70 +297,6 @@ "repo": "default", "type": "github" } - }, - "tf-nix": { - "flake": false, - "locked": { - "lastModified": 1681057871, - "narHash": "sha256-LQF4/PP4BMMO5XIwO2pSvgFbPIPLas1g7sbNrtrYsX8=", - "owner": "arcnmx", - "repo": "tf-nix", - "rev": "ddac94765835f5c19f4ea5c8cf92b526352bdad0", - "type": "github" - }, - "original": { - "owner": "arcnmx", - "ref": "master", - "repo": "tf-nix", - "type": "github" - } - }, - "trusted": { - "locked": { - "lastModified": 1630400035, - "narHash": "sha256-MWaVOCzuFwp09wZIW9iHq5wWen5C69I940N1swZLEQ0=", - "owner": "input-output-hk", - "repo": "empty-flake", - "rev": "2040a05b67bf9a669ce17eca56beb14b4206a99a", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "repo": "empty-flake", - "type": "github" - } - }, - "ts-fold": { - "flake": false, - "locked": { - "lastModified": 1681029086, - "narHash": "sha256-z3eVkAPFI6JYZZ+2XM496zBxwnujTp4Y4KNNfqgUC/E=", - "owner": "jcs-elpa", - "repo": "ts-fold", - "rev": "5fd2a5afe2112ac23b58ee1b12730fcf16068df3", - "type": "github" - }, - "original": { - "owner": "jcs-elpa", - "repo": "ts-fold", - "type": "github" - } - }, - "ws-butler": { - "flake": false, - "locked": { - "lastModified": 1634511126, - "narHash": "sha256-c0y0ZPtxxICPk+eaNbbQf6t+FRCliNY54CCz9QHQ8ZI=", - "owner": "hlissner", - "repo": "ws-butler", - "rev": "572a10c11b6cb88293de48acbb59a059d36f9ba5", - "type": "github" - }, - "original": { - "owner": "hlissner", - "repo": "ws-butler", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 08dc6cc3..57b9c648 100644 --- a/flake.nix +++ b/flake.nix @@ -14,9 +14,6 @@ url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; }; - trusted = { - url = "github:input-output-hk/empty-flake"; - }; flake-compat = { url = "github:edolstra/flake-compat"; flake = false; diff --git a/inputs.nix b/inputs.nix index d5fec697..6ec446dc 100644 --- a/inputs.nix +++ b/inputs.nix 
@@ -7,11 +7,4 @@ let nixfiles = import flakeCompat { src = ./.; }; - trusted = import flakeCompat { - src = if builtins.pathExists ./trusted/trusted/flake.nix - then ./trusted/trusted - else ./trusted; - }; -in nixfiles.defaultNix.inputs // (if builtins.getEnv "TRUSTED" != "" then { - trusted = trusted.defaultNix; -} else {}) +in nixfiles.defaultNix.inputs diff --git a/nixos/base/tf.nix b/nixos/base/tf.nix deleted file mode 100644 index aff75d63..00000000 --- a/nixos/base/tf.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, ... }: { - secrets = { - root = "/var/lib/kat/secrets"; - persistentRoot = "/var/lib/kat/secrets"; - external = true; - }; -} diff --git a/nixos/deploy.sh b/nixos/deploy.sh index fdd03483..59657a66 100755 --- a/nixos/deploy.sh +++ b/nixos/deploy.sh @@ -3,18 +3,6 @@ set -eu NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.} -TRUSTED_ARGS=( - --override-input trusted $NF_CONFIG_ROOT/trusted - --no-update-lock-file - --no-write-lock-file - --quiet -) -if [[ -e $NF_CONFIG_ROOT/trusted/trusted/flake.nix ]]; then - TRUSTED_ARGS+=( - --override-input trusted/trusted $NF_CONFIG_ROOT/trusted/trusted - ) -fi - NF_HOST=${NF_HOST-tewi} NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel @@ -22,19 +10,18 @@ if [[ $1 = build ]]; then shift exec nix build --no-link --print-out-paths \ $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \ - "${TRUSTED_ARGS[@]}" \ "$@" elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then METHOD=$1 shift exec nixos-rebuild $METHOD \ - --flake $NF_CONFIG_ROOT\#$NF_HOST "${TRUSTED_ARGS[@]}" \ + --flake $NF_CONFIG_ROOT\#$NF_HOST \ --no-build-nix \ --target-host $NF_HOST --use-remote-sudo \ "$@" elif [[ $1 = check ]]; then EXIT_CODE=0 - DEFAULT=$(TRUSTED= nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL) + DEFAULT=$(nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL) FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL) if [[ $DEFAULT != $FLAKE ]]; then echo default.nix: $DEFAULT 
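Review bot: Dropping `"${TRUSTED_ARGS[@]}"` from the `nix build` and `nixos-rebuild` calls in this hunk also drops `--no-update-lock-file --no-write-lock-file`, which the first hunk shows were bundled into that array but have nothing to do with the trusted input. Without them a deploy whose flake.lock is missing an entry (for example after an unlocked edit to flake.nix) will resolve and write that entry as a side effect of deploying instead of failing, so the pinned-inputs guarantee the `check` branch exists to verify no longer holds for `build` and `switch`. If that is not intended, keep a small array, `NIX_ARGS=(--no-update-lock-file --no-write-lock-file)`, and pass `"${NIX_ARGS[@]}"` to the `nix build`, `nixos-rebuild` and flake-side `nix eval` invocations; if it is intended, a one-line comment saying so would spare the next reader the same question. The `check` branch continues past the end of this hunk.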
@@ -43,16 +30,6 @@ elif [[ $1 = check ]]; then else echo untrusted ok: $FLAKE fi - - TRUSTED=$(TRUSTED=1 nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL) - TRUSTED_FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}") - if [[ $TRUSTED != $TRUSTED_FLAKE ]]; then - echo TRUSTED=1 default.nix: $TRUSTED - echo trusted/flake.nix: $TRUSTED_FLAKE - EXIT_CODE=1 - else - echo trusted ok: $TRUSTED_FLAKE - fi exit $EXIT_CODE else echo unknown cmd $1 >&2 diff --git a/nixos/kat.nix b/nixos/kat.nix index 6fadcbea..caee7782 100644 --- a/nixos/kat.nix +++ b/nixos/kat.nix @@ -11,7 +11,6 @@ ]; shell = pkgs.zsh; extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ]; - hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.secrets.repo.kat-user.text); }; systemd.tmpfiles.rules = [ diff --git a/system/root.nix b/system/root.nix index 9692522a..1dd28655 100644 --- a/system/root.nix +++ b/system/root.nix @@ -1,5 +1,3 @@ { config, meta, lib, ... }: { - imports = lib.optional (meta.trusted ? modules.nixos) meta.trusted.modules.nixos.deploy; - home-manager.users.root.home.stateVersion = "20.09"; } diff --git a/system/secrets.nix b/system/secrets.nix deleted file mode 100644 index 1cbcd1d2..00000000 --- a/system/secrets.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, meta, inputs, lib, pkgs, ... }: - -{ - imports = lib.optional (meta.trusted ? secrets) meta.trusted.secrets; -} diff --git a/tewi/nixos.nix b/tewi/nixos.nix index 9e93449e..0baaff5d 100644 --- a/tewi/nixos.nix +++ b/tewi/nixos.nix @@ -51,8 +51,7 @@ in { ./mediatomb.nix ./deluge.nix ./cloudflared.nix - ] - ++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default; + ]; boot.supportedFilesystems = ["nfs"]; @@ -132,6 +131,7 @@ in { sops.secrets = { openscsi-config = {}; + openscsi-env = lib.mkIf config.services.openiscsi.enableAutoLoginOut { }; systemd2mqtt-env = {}; }; 
@@ -188,6 +188,16 @@ in { wantedBy = cryptServices; before = wantedBy; }; + iscsi = let + cfg = config.services.openiscsi; + in lib.mkIf cfg.enableAutoLoginOut { + serviceConfig = { + EnvironmentFile = [ config.sops.secrets.openscsi-env.path ]; + ExecStartPre = [ + "${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover" + ]; + }; + }; systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec { requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"]; after = requires; diff --git a/tewi/secrets.yaml b/tewi/secrets.yaml index 35454cc4..093e70cd 100644 --- a/tewi/secrets.yaml +++ b/tewi/secrets.yaml 
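Review bot: `$DISCOVER_PORTAL` in the added `ExecStartPre` line is unbraced, so systemd splits its value on whitespace and removes the word entirely when the variable is absent from the env file, leaving `--portal --discover` and a confusing iscsiadm failure; writing it as `\${DISCOVER_PORTAL}` (escaped for the Nix string) always yields exactly one argument, so a missing or malformed value fails in an obvious way and cannot turn into extra flags. Whether the openiscsi module already defines its own `ExecStartPre`, and in what order the two lists merge, is not visible here, so it is worth confirming that discovery really runs before the module's automatic login. A short comment above the `iscsi` attribute, such as `# sendtargets discovery presumably has to populate the node db before enableAutoLoginOut's login-all runs; the portal comes from the sops env file`, would record why the override exists. The enclosing `systemd.services` set and the `systemd2mqtt` entry extend beyond this hunk.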
@@ -6,6 +6,7 @@ tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/ vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str] vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str] openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str] +openscsi-env: ENC[AES256_GCM,data:QYf6GNIEYmUHIwTtmK9b/C+EVb+pt0jKYVTv3kT+Vgb82JFMyVtD,iv:MEKyzwbxvfmNyZfsVhWaa2zVbxRHS89joupnJQuiCmE=,tag:UftcgxyzK3FX/pUDDFC+xQ==,type:str] systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str] z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str] deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str] 
@@ -38,8 +39,8 @@ sops: VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-10T16:20:24Z" - mac: ENC[AES256_GCM,data:FgF+SPVTRFeYmxehsBGDdCtcPjVpUyZETv4FVBBE6qbrxRt9LNtkLEZdZl8bXjcH0qAcAu5OACXLuU5hnsIlbvpE9WUzJTs/WnPKYSPttVdqjH7GbsxBVI16I9JQDIzaKYARw4QoD1kVaROQd/0XJgfM0GAqN1xUV2tgfo3voAU=,iv:NVtLoj1YThBB5AWQHSTKkMJoy1yr4zpdbeeKvDIY2x8=,tag:S/OPVRMExteyKaY4Rye7iA==,type:str] + lastmodified: "2023-04-29T20:40:18Z" + mac: ENC[AES256_GCM,data:EaiDaQkBDBT6h6Vj7TGkw50QJNA3TSltgZF0ES2JJzSkimzcheNDql93nIpylyuJUqxXWJ2NxoUfgfORKOyf2qnTimggmIvDMavppLckNdHVY2ZyPZ22RJGD9ho24elzVb9fYKpayYmbpY4lSXw/8MTWDikXnNJehJnNbOxXKE4=,iv:5xlMOe4B4Vs0Lc7La2ptN1gL3TxM8Iuep3G1vLdVuH8=,tag:NDm9F6LHWQVZim4dq5ZzqQ==,type:str] pgp: - created_at: "2023-03-10T17:06:53Z" enc: | diff --git a/tree.nix b/tree.nix index 96ee42f4..c08a8877 100644 --- a/tree.nix +++ b/tree.nix @@ -4,7 +4,7 @@ ... }: let mkTree = import ./mkTree.nix {inherit lib;}; - localTree = mkTree { + tree = mkTree { inherit inputs; folder = ./.; config = { @@ -20,17 +20,12 @@ "flake" "meta" "inputs" - "trusted" ]; }; "modules/nixos" = { functor = { external = - [ - (inputs.tf-nix + "/modules/nixos/secrets.nix") - (inputs.tf-nix + "/modules/nixos/secrets-users.nix") - ] - ++ (with (import (inputs.arcexprs + "/modules")).nixos; [ + (with (import (inputs.arcexprs + "/modules")).nixos; [ nix systemd dht22-exporter @@ -59,7 +54,6 @@ functor = { external = [ (import (inputs.arcexprs + "/modules")).home-manager - (inputs.tf-nix + "/modules/home/secrets.nix") ]; }; }; 
@@ -80,23 +74,5 @@ "home/*".functor.enable = true; }; }; - trustedTree = lib.optionalAttrs (inputs.trusted ? lib.treeSetup) (mkTree { - inherit inputs; - inherit (inputs.trusted.lib.treeSetup) folder config; - }); - tree = - localTree - // { - pure = - localTree.pure - // { - trusted = trustedTree.pure or {}; - }; - impure = - localTree.impure - // { - trusted = trustedTree.impure or {}; - }; - }; in tree diff --git a/trusted/flake.lock b/trusted/flake.lock deleted file mode 100644 index d12c9345..00000000 --- a/trusted/flake.lock +++ /dev/null @@ -1,27 +0,0 @@ -{ - "nodes": { - "root": { - "inputs": { - "trusted": "trusted" - } - }, - "trusted": { - "locked": { - "lastModified": 1678569470, - "narHash": "sha256-wMOp8sBd4Wgh1ITgMRPkUdGvf0B1G9LlKuhN+bcnbxg=", - "ref": "shim", - "rev": "b9c0310cab3d85a477e886201e09b6e565d944e6", - "revCount": 3, - "type": "git", - "url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git" - }, - "original": { - "ref": "shim", - "type": "git", - "url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/trusted/flake.nix b/trusted/flake.nix deleted file mode 100644 index 61d86a0b..00000000 --- a/trusted/flake.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - inputs = { - trusted = { - type = "git"; - url = "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git"; - ref = "shim"; - }; - }; - outputs = { self, trusted, ... }: trusted; -} diff --git a/trusted/trusted b/trusted/trusted deleted file mode 160000 index b9c0310c..00000000 --- a/trusted/trusted +++ /dev/null @@ -1 +0,0 @@ -Subproject commit b9c0310cab3d85a477e886201e09b6e565d944e6