gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

trusted and tf-nix inputs removed

Browse source
This commit is contained in:
arcnmx 2023-04-29 13:10:07 -07:00
parent f6ec9f37eb
commit dbf77891e1
20 changed files with 24 additions and 632 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.envrc
View file

@ -5,9 +5,6 @@ FLAKE_ARGS=()
if [[ $(id -un) = kat ]]; then if [[ $(id -un) = kat ]]; then
git pull git pull
fi fi
if [[ -e trusted/trusted/flake.nix ]]; then
export TRUSTED=1
fi
source_env_if_exists .envrc.conf source_env_if_exists .envrc.conf

4
.gitmodules vendored
View file

@ -1,4 +0,0 @@
[submodule "trusted/trusted"]
path = trusted/trusted
branch = shim
url = gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git

2
.sops.yaml
View file

@ -4,7 +4,7 @@ keys:
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf - &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt - &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
creation_rules: creation_rules:
- path_regex: nixos/systems/[^/]+/secrets\.yaml$ - path_regex: '[^/]+/secrets\.yaml$'
shamir_threshold: 1 shamir_threshold: 1
key_groups: key_groups:
- pgp: - pgp:

2
ci/flake-cron.nix
View file

@ -96,7 +96,7 @@ in {
environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"];
command = let command = let
filteredHosts = ["tewi"]; filteredHosts = ["tewi"];
nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.deploy.system -o result-${node} && nix-collect-garbage -d") filteredHosts; nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.system.build.toplevel -o result-${node} && nix-collect-garbage -d") filteredHosts;
in '' in ''
# ${toString builtins.currentTime} # ${toString builtins.currentTime}
nix flake update nix flake update

2
ci/nodes.nix
View file

@ -63,7 +63,7 @@ with lib; {
enabledHosts = ["tewi"]; enabledHosts = ["tewi"];
in in
mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: {
tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.deploy.system; tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.system.build.toplevel;
})); }));
ci.gh-actions.checkoutOptions.submodules = false; ci.gh-actions.checkoutOptions.submodules = false;

3
devShell.nix
View file

@ -18,9 +18,6 @@ let
''; '';
nf-update = pkgs.writeShellScriptBin "nf-update" '' nf-update = pkgs.writeShellScriptBin "nf-update" ''
nix flake update nix flake update
if [[ -n $TRUSTED ]]; then
nix flake lock ./trusted --update-input trusted
fi
''; '';
nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
exec /usr/bin/env bash ${./nixos/deploy.sh} "$@" exec /usr/bin/env bash ${./nixos/deploy.sh} "$@"

501
flake.lock generated
View file

@ -34,173 +34,6 @@
"type": "github" "type": "github"
} }
}, },
"darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682773107,
"narHash": "sha256-+h94XeJnG3uk5imJlBi/1lVmcfCbxHpwZp5u7n3Krwg=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "379d42fad6bc5c28f79d5f7ff2fa5f1c90cb7bf8",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"doom-emacs": {
"flake": false,
"locked": {
"lastModified": 1662497747,
"narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=",
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
},
"original": {
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
}
},
"doom-snippets": {
"flake": false,
"locked": {
"lastModified": 1676839496,
"narHash": "sha256-1Ay9zi0u1lycmEeFqIxr0RWH+JvH9BnzgRzkPeWEAYY=",
"owner": "doomemacs",
"repo": "snippets",
"rev": "fe4003014ae00b866f117cb193f711fd9d72fd11",
"type": "github"
},
"original": {
"owner": "doomemacs",
"repo": "snippets",
"type": "github"
}
},
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1676366521,
"narHash": "sha256-i4UAY8t9Au9SJtsgYppa3NHSVf1YkV6yqnNIQd+Km4g=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "c16be6de78ea878aedd0292aa5d4a1ee0a5da501",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "c16be6de78ea878aedd0292aa5d4a1ee0a5da501",
"type": "github"
}
},
"emacs-so-long": {
"flake": false,
"locked": {
"lastModified": 1575031854,
"narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=",
"owner": "hlissner",
"repo": "emacs-so-long",
"rev": "ed666b0716f60e8988c455804de24b55919e71ca",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "emacs-so-long",
"type": "github"
}
},
"evil-escape": {
"flake": false,
"locked": {
"lastModified": 1588439096,
"narHash": "sha256-aB2Ge5o/93B18tPf4fN1c+O46CNh/nOqwLJbox4c8Gw=",
"owner": "hlissner",
"repo": "evil-escape",
"rev": "819f1ee1cf3f69a1ae920e6004f2c0baeebbe077",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "evil-escape",
"type": "github"
}
},
"evil-markdown": {
"flake": false,
"locked": {
"lastModified": 1626852210,
"narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=",
"owner": "Somelauw",
"repo": "evil-markdown",
"rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477",
"type": "github"
},
"original": {
"owner": "Somelauw",
"repo": "evil-markdown",
"type": "github"
}
},
"evil-org-mode": {
"flake": false,
"locked": {
"lastModified": 1607203864,
"narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=",
"owner": "hlissner",
"repo": "evil-org-mode",
"rev": "a9706da260c45b98601bcd72b1d2c0a24a017700",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "evil-org-mode",
"type": "github"
}
},
"evil-quick-diff": {
"flake": false,
"locked": {
"lastModified": 1575189609,
"narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=",
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"rev": "69c883720b30a892c63bc89f49d4f0e8b8028908",
"type": "github"
},
"original": {
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"type": "github"
}
},
"explain-pause-mode": {
"flake": false,
"locked": {
"lastModified": 1595842060,
"narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=",
"owner": "lastquestion",
"repo": "explain-pause-mode",
"rev": "2356c8c3639cbeeb9751744dbe737267849b4b51",
"type": "github"
},
"original": {
"owner": "lastquestion",
"repo": "explain-pause-mode",
"type": "github"
}
},
"fl-config": { "fl-config": {
"locked": { "locked": {
"lastModified": 1653159448, "lastModified": 1653159448,
@ -233,22 +66,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
@ -286,23 +103,6 @@
"type": "github" "type": "github"
} }
}, },
"format-all": {
"flake": false,
"locked": {
"lastModified": 1581716637,
"narHash": "sha256-ul7LCe60W8TIvUmUtZtZRo8489TK9iTPDsLHmzxY57M=",
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
},
"original": {
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -324,76 +124,6 @@
"type": "github" "type": "github"
} }
}, },
"nix-dns": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1635273082,
"narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=",
"owner": "kirelagin",
"repo": "nix-dns",
"rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a",
"type": "github"
},
"original": {
"owner": "kirelagin",
"ref": "master",
"repo": "nix-dns",
"type": "github"
}
},
"nix-doom-emacs": {
"inputs": {
"doom-emacs": "doom-emacs",
"doom-snippets": "doom-snippets",
"emacs-overlay": "emacs-overlay",
"emacs-so-long": "emacs-so-long",
"evil-escape": "evil-escape",
"evil-markdown": "evil-markdown",
"evil-org-mode": "evil-org-mode",
"evil-quick-diff": "evil-quick-diff",
"explain-pause-mode": "explain-pause-mode",
"flake-compat": "flake-compat_2",
"flake-utils": [
"flake-utils"
],
"format-all": "format-all",
"nix-straight": "nix-straight",
"nixpkgs": [
"nixpkgs"
],
"nose": "nose",
"ob-racket": "ob-racket",
"org": "org",
"org-contrib": "org-contrib",
"org-yt": "org-yt",
"php-extras": "php-extras",
"revealjs": "revealjs",
"rotate-text": "rotate-text",
"sln-mode": "sln-mode",
"ts-fold": "ts-fold",
"ws-butler": "ws-butler"
},
"locked": {
"lastModified": 1682645493,
"narHash": "sha256-U3TqEcBM7QSqX0B9vQYIdB/9Ls7SE6BzM4XNDpM0Lpg=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "33db1786e0352cad4227fb931ac96c4e2e89de29",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-doom-emacs",
"type": "github"
}
},
"nix-std": { "nix-std": {
"locked": { "locked": {
"lastModified": 1652644856, "lastModified": 1652644856,
@ -410,22 +140,6 @@
"type": "github" "type": "github"
} }
}, },
"nix-straight": {
"flake": false,
"locked": {
"lastModified": 1666982610,
"narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=",
"owner": "nix-community",
"repo": "nix-straight.el",
"rev": "ad10364d64f472c904115fd38d194efe1c3f1226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-straight.el",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1682692304, "lastModified": 1682692304,
@ -458,22 +172,6 @@
"type": "github" "type": "github"
} }
}, },
"nose": {
"flake": false,
"locked": {
"lastModified": 1400604510,
"narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=",
"owner": "emacsattic",
"repo": "nose",
"rev": "f8528297519eba911696c4e68fa88892de9a7b72",
"type": "github"
},
"original": {
"owner": "emacsattic",
"repo": "nose",
"type": "github"
}
},
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1682751794, "lastModified": 1682751794,
@ -490,134 +188,17 @@
"type": "github" "type": "github"
} }
}, },
"ob-racket": {
"flake": false,
"locked": {
"lastModified": 1584656173,
"narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=",
"owner": "xchrishawk",
"repo": "ob-racket",
"rev": "83457ec9e1e96a29fd2086ed19432b9d75787673",
"type": "github"
},
"original": {
"owner": "xchrishawk",
"repo": "ob-racket",
"type": "github"
}
},
"org": {
"flake": false,
"locked": {
"lastModified": 1682449610,
"narHash": "sha256-1I9Rpnyp9rZTYG48oxxN+scKoKTJxh/ya787zI0xIpI=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "eaf274909f595ba29b853031e1c5bcdac255fbeb",
"type": "github"
},
"original": {
"owner": "emacs-straight",
"repo": "org-mode",
"type": "github"
}
},
"org-contrib": {
"flake": false,
"locked": {
"lastModified": 1675694242,
"narHash": "sha256-4Fn33CTVTCqh5TyVAggSr8Fm8/hB8Xgl+hkxh3WCrI8=",
"owner": "emacsmirror",
"repo": "org-contrib",
"rev": "fff6c888065588527b1c1d7dd7e41c29ef767e17",
"type": "github"
},
"original": {
"owner": "emacsmirror",
"repo": "org-contrib",
"type": "github"
}
},
"org-yt": {
"flake": false,
"locked": {
"lastModified": 1527381913,
"narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=",
"owner": "TobiasZawada",
"repo": "org-yt",
"rev": "40cc1ac76d741055cbefa13860d9f070a7ade001",
"type": "github"
},
"original": {
"owner": "TobiasZawada",
"repo": "org-yt",
"type": "github"
}
},
"php-extras": {
"flake": false,
"locked": {
"lastModified": 1573312690,
"narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=",
"owner": "arnested",
"repo": "php-extras",
"rev": "d410c5af663c30c01d461ac476d1cbfbacb49367",
"type": "github"
},
"original": {
"owner": "arnested",
"repo": "php-extras",
"type": "github"
}
},
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1681386605,
"narHash": "sha256-9Q7aWgjAV37iJp6oYDz45e8J+RKwKY1Uvgg/BXwf5nQ=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "0301ce58ab185f7191696e16b1b6389f58df2892",
"type": "github"
},
"original": {
"owner": "hakimel",
"repo": "reveal.js",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"arcexprs": "arcexprs", "arcexprs": "arcexprs",
"ci": "ci", "ci": "ci",
"darwin": "darwin",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-dns": "nix-dns",
"nix-doom-emacs": "nix-doom-emacs",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"systemd2mqtt": "systemd2mqtt", "systemd2mqtt": "systemd2mqtt"
"tf-nix": "tf-nix",
"trusted": "trusted"
}
},
"rotate-text": {
"flake": false,
"locked": {
"lastModified": 1322962747,
"narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=",
"owner": "debug-ito",
"repo": "rotate-text.el",
"rev": "48f193697db996855aee1ad2bc99b38c6646fe76",
"type": "github"
},
"original": {
"owner": "debug-ito",
"repo": "rotate-text.el",
"type": "github"
} }
}, },
"rust": { "rust": {
@ -641,22 +222,6 @@
"type": "github" "type": "github"
} }
}, },
"sln-mode": {
"flake": false,
"locked": {
"lastModified": 1423727528,
"narHash": "sha256-XqkqPyEJuTtFslOz1fpTf/Klbd/zA7IGpzpmum/MGao=",
"owner": "sensorflo",
"repo": "sln-mode",
"rev": "0f91d1b957c7d2a7bab9278ec57b54d57f1dbd9c",
"type": "github"
},
"original": {
"owner": "sensorflo",
"repo": "sln-mode",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -732,70 +297,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"tf-nix": {
"flake": false,
"locked": {
"lastModified": 1681057871,
"narHash": "sha256-LQF4/PP4BMMO5XIwO2pSvgFbPIPLas1g7sbNrtrYsX8=",
"owner": "arcnmx",
"repo": "tf-nix",
"rev": "ddac94765835f5c19f4ea5c8cf92b526352bdad0",
"type": "github"
},
"original": {
"owner": "arcnmx",
"ref": "master",
"repo": "tf-nix",
"type": "github"
}
},
"trusted": {
"locked": {
"lastModified": 1630400035,
"narHash": "sha256-MWaVOCzuFwp09wZIW9iHq5wWen5C69I940N1swZLEQ0=",
"owner": "input-output-hk",
"repo": "empty-flake",
"rev": "2040a05b67bf9a669ce17eca56beb14b4206a99a",
"type": "github"
},
"original": {
"owner": "input-output-hk",
"repo": "empty-flake",
"type": "github"
}
},
"ts-fold": {
"flake": false,
"locked": {
"lastModified": 1681029086,
"narHash": "sha256-z3eVkAPFI6JYZZ+2XM496zBxwnujTp4Y4KNNfqgUC/E=",
"owner": "jcs-elpa",
"repo": "ts-fold",
"rev": "5fd2a5afe2112ac23b58ee1b12730fcf16068df3",
"type": "github"
},
"original": {
"owner": "jcs-elpa",
"repo": "ts-fold",
"type": "github"
}
},
"ws-butler": {
"flake": false,
"locked": {
"lastModified": 1634511126,
"narHash": "sha256-c0y0ZPtxxICPk+eaNbbQf6t+FRCliNY54CCz9QHQ8ZI=",
"owner": "hlissner",
"repo": "ws-butler",
"rev": "572a10c11b6cb88293de48acbb59a059d36f9ba5",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "ws-butler",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

3
flake.nix
View file

@ -14,9 +14,6 @@
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
trusted = {
url = "github:input-output-hk/empty-flake";
};
flake-compat = { flake-compat = {
url = "github:edolstra/flake-compat"; url = "github:edolstra/flake-compat";
flake = false; flake = false;

9
inputs.nix
View file

@ -7,11 +7,4 @@ let
nixfiles = import flakeCompat { nixfiles = import flakeCompat {
src = ./.; src = ./.;
}; };
trusted = import flakeCompat { in nixfiles.defaultNix.inputs
src = if builtins.pathExists ./trusted/trusted/flake.nix
then ./trusted/trusted
else ./trusted;
};
in nixfiles.defaultNix.inputs // (if builtins.getEnv "TRUSTED" != "" then {
trusted = trusted.defaultNix;
} else {})

7
nixos/base/tf.nix
View file

@ -1,7 +0,0 @@
{ config, ... }: {
secrets = {
root = "/var/lib/kat/secrets";
persistentRoot = "/var/lib/kat/secrets";
external = true;
};
}

27
nixos/deploy.sh
View file

@ -3,18 +3,6 @@ set -eu
NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.} NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.}
TRUSTED_ARGS=(
--override-input trusted $NF_CONFIG_ROOT/trusted
--no-update-lock-file
--no-write-lock-file
--quiet
)
if [[ -e $NF_CONFIG_ROOT/trusted/trusted/flake.nix ]]; then
TRUSTED_ARGS+=(
--override-input trusted/trusted $NF_CONFIG_ROOT/trusted/trusted
)
fi
NF_HOST=${NF_HOST-tewi} NF_HOST=${NF_HOST-tewi}
NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel
@ -22,19 +10,18 @@ if [[ $1 = build ]]; then
shift shift
exec nix build --no-link --print-out-paths \ exec nix build --no-link --print-out-paths \
$NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \ $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \
"${TRUSTED_ARGS[@]}" \
"$@" "$@"
elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
METHOD=$1 METHOD=$1
shift shift
exec nixos-rebuild $METHOD \ exec nixos-rebuild $METHOD \
--flake $NF_CONFIG_ROOT\#$NF_HOST "${TRUSTED_ARGS[@]}" \ --flake $NF_CONFIG_ROOT\#$NF_HOST \
--no-build-nix \ --no-build-nix \
--target-host $NF_HOST --use-remote-sudo \ --target-host $NF_HOST --use-remote-sudo \
"$@" "$@"
elif [[ $1 = check ]]; then elif [[ $1 = check ]]; then
EXIT_CODE=0 EXIT_CODE=0
DEFAULT=$(TRUSTED= nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL) DEFAULT=$(nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL) FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL)
if [[ $DEFAULT != $FLAKE ]]; then if [[ $DEFAULT != $FLAKE ]]; then
echo default.nix: $DEFAULT echo default.nix: $DEFAULT
@ -43,16 +30,6 @@ elif [[ $1 = check ]]; then
else else
echo untrusted ok: $FLAKE echo untrusted ok: $FLAKE
fi fi
TRUSTED=$(TRUSTED=1 nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
TRUSTED_FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}")
if [[ $TRUSTED != $TRUSTED_FLAKE ]]; then
echo TRUSTED=1 default.nix: $TRUSTED
echo trusted/flake.nix: $TRUSTED_FLAKE
EXIT_CODE=1
else
echo trusted ok: $TRUSTED_FLAKE
fi
exit $EXIT_CODE exit $EXIT_CODE
else else
echo unknown cmd $1 >&2 echo unknown cmd $1 >&2

1
nixos/kat.nix
View file

@ -11,7 +11,6 @@
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ]; extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.secrets.repo.kat-user.text);
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [

2
system/root.nix
View file

@ -1,5 +1,3 @@
{ config, meta, lib, ... }: { { config, meta, lib, ... }: {
imports = lib.optional (meta.trusted ? modules.nixos) meta.trusted.modules.nixos.deploy;
home-manager.users.root.home.stateVersion = "20.09"; home-manager.users.root.home.stateVersion = "20.09";
} }

5
system/secrets.nix
View file

@ -1,5 +0,0 @@
{ config, meta, inputs, lib, pkgs, ... }:
{
imports = lib.optional (meta.trusted ? secrets) meta.trusted.secrets;
}

14
tewi/nixos.nix
View file

@ -51,8 +51,7 @@ in {
./mediatomb.nix ./mediatomb.nix
./deluge.nix ./deluge.nix
./cloudflared.nix ./cloudflared.nix
] ];
++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default;
boot.supportedFilesystems = ["nfs"]; boot.supportedFilesystems = ["nfs"];
@ -132,6 +131,7 @@ in {
sops.secrets = { sops.secrets = {
openscsi-config = {}; openscsi-config = {};
openscsi-env = lib.mkIf config.services.openiscsi.enableAutoLoginOut { };
systemd2mqtt-env = {}; systemd2mqtt-env = {};
}; };
@ -188,6 +188,16 @@ in {
wantedBy = cryptServices; wantedBy = cryptServices;
before = wantedBy; before = wantedBy;
}; };
iscsi = let
cfg = config.services.openiscsi;
in lib.mkIf cfg.enableAutoLoginOut {
serviceConfig = {
EnvironmentFile = [ config.sops.secrets.openscsi-env.path ];
ExecStartPre = [
"${cfg.package}/bin/iscsiadm --mode discoverydb --type sendtargets --portal $DISCOVER_PORTAL --discover"
];
};
};
systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec { systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec {
requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"]; requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"];
after = requires; after = requires;

5
tewi/secrets.yaml
View file

@ -6,6 +6,7 @@ tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/
vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str] vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str] vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str] openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
openscsi-env: ENC[AES256_GCM,data:QYf6GNIEYmUHIwTtmK9b/C+EVb+pt0jKYVTv3kT+Vgb82JFMyVtD,iv:MEKyzwbxvfmNyZfsVhWaa2zVbxRHS89joupnJQuiCmE=,tag:UftcgxyzK3FX/pUDDFC+xQ==,type:str]
systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str] systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str] z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str] deluge-auth: ENC[AES256_GCM,data:qJP/CztnN7RV4Z3pP+jbH1B0zzBm8oa3n3X0pecEVe7UI3+NOSwFaQCBD7Q7JDxzh+qTNdQ/wWi7w0XJDG+aRIikgDG28S9RjdPL/w==,iv:GUEwmuk3JWMgsXsDgDrObW657WcN6wcYAsgXhK4Dvx0=,tag:vZMQ67j5kWBWOa6ZqCaQHw==,type:str]
@ -38,8 +39,8 @@ sops:
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g== 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-10T16:20:24Z" lastmodified: "2023-04-29T20:40:18Z"
mac: ENC[AES256_GCM,data:FgF+SPVTRFeYmxehsBGDdCtcPjVpUyZETv4FVBBE6qbrxRt9LNtkLEZdZl8bXjcH0qAcAu5OACXLuU5hnsIlbvpE9WUzJTs/WnPKYSPttVdqjH7GbsxBVI16I9JQDIzaKYARw4QoD1kVaROQd/0XJgfM0GAqN1xUV2tgfo3voAU=,iv:NVtLoj1YThBB5AWQHSTKkMJoy1yr4zpdbeeKvDIY2x8=,tag:S/OPVRMExteyKaY4Rye7iA==,type:str] mac: ENC[AES256_GCM,data:EaiDaQkBDBT6h6Vj7TGkw50QJNA3TSltgZF0ES2JJzSkimzcheNDql93nIpylyuJUqxXWJ2NxoUfgfORKOyf2qnTimggmIvDMavppLckNdHVY2ZyPZ22RJGD9ho24elzVb9fYKpayYmbpY4lSXw/8MTWDikXnNJehJnNbOxXKE4=,iv:5xlMOe4B4Vs0Lc7La2ptN1gL3TxM8Iuep3G1vLdVuH8=,tag:NDm9F6LHWQVZim4dq5ZzqQ==,type:str]
pgp: pgp:
- created_at: "2023-03-10T17:06:53Z" - created_at: "2023-03-10T17:06:53Z"
enc: | enc: |

28
tree.nix
View file

@ -4,7 +4,7 @@
... ...
}: let }: let
mkTree = import ./mkTree.nix {inherit lib;}; mkTree = import ./mkTree.nix {inherit lib;};
localTree = mkTree { tree = mkTree {
inherit inputs; inherit inputs;
folder = ./.; folder = ./.;
config = { config = {
@ -20,17 +20,12 @@
"flake" "flake"
"meta" "meta"
"inputs" "inputs"
"trusted"
]; ];
}; };
"modules/nixos" = { "modules/nixos" = {
functor = { functor = {
external = external =
[ (with (import (inputs.arcexprs + "/modules")).nixos; [
(inputs.tf-nix + "/modules/nixos/secrets.nix")
(inputs.tf-nix + "/modules/nixos/secrets-users.nix")
]
++ (with (import (inputs.arcexprs + "/modules")).nixos; [
nix nix
systemd systemd
dht22-exporter dht22-exporter
@ -59,7 +54,6 @@
functor = { functor = {
external = [ external = [
(import (inputs.arcexprs + "/modules")).home-manager (import (inputs.arcexprs + "/modules")).home-manager
(inputs.tf-nix + "/modules/home/secrets.nix")
]; ];
}; };
}; };
@ -80,23 +74,5 @@
"home/*".functor.enable = true; "home/*".functor.enable = true;
}; };
}; };
trustedTree = lib.optionalAttrs (inputs.trusted ? lib.treeSetup) (mkTree {
inherit inputs;
inherit (inputs.trusted.lib.treeSetup) folder config;
});
tree =
localTree
// {
pure =
localTree.pure
// {
trusted = trustedTree.pure or {};
};
impure =
localTree.impure
// {
trusted = trustedTree.impure or {};
};
};
in in
tree tree

27
trusted/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"root": {
"inputs": {
"trusted": "trusted"
}
},
"trusted": {
"locked": {
"lastModified": 1678569470,
"narHash": "sha256-wMOp8sBd4Wgh1ITgMRPkUdGvf0B1G9LlKuhN+bcnbxg=",
"ref": "shim",
"rev": "b9c0310cab3d85a477e886201e09b6e565d944e6",
"revCount": 3,
"type": "git",
"url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git"
},
"original": {
"ref": "shim",
"type": "git",
"url": "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git"
}
}
},
"root": "root",
"version": 7
}

10
trusted/flake.nix
View file

@ -1,10 +0,0 @@
{
inputs = {
trusted = {
type = "git";
url = "gcrypt::ssh://git@github.com/arcnmx/kat-nixfiles-trusted.git";
ref = "shim";
};
};
outputs = { self, trusted, ... }: trusted;
}

1
trusted/trusted

@ -1 +0,0 @@
Subproject commit b9c0310cab3d85a477e886201e09b6e565d944e6