trusted and tf-nix inputs removed

2026-02-10 04:49:19 -08:00 · 2023-04-29 13:10:07 -07:00 · 2023-04-29 13:10:07 -07:00 · dbf77891e1
commit dbf77891e1
parent f6ec9f37eb
20 changed files with 24 additions and 632 deletions
--- a/nixos/base/tf.nix
+++ b/nixos/base/tf.nix
@ -1,7 +0,0 @@
-{ config, ... }: {
-  secrets = {
-    root = "/var/lib/kat/secrets";
-    persistentRoot = "/var/lib/kat/secrets";
-    external = true;
-  };
-}
--- a/nixos/deploy.sh
+++ b/nixos/deploy.sh
@ -3,18 +3,6 @@ set -eu

 NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.}

-TRUSTED_ARGS=(
-	--override-input trusted $NF_CONFIG_ROOT/trusted
-	--no-update-lock-file
-	--no-write-lock-file
-	--quiet
-)
-if [[ -e $NF_CONFIG_ROOT/trusted/trusted/flake.nix ]]; then
-	TRUSTED_ARGS+=(
-		--override-input trusted/trusted $NF_CONFIG_ROOT/trusted/trusted
-	)
-fi
-
 NF_HOST=${NF_HOST-tewi}
 NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel

@ -22,19 +10,18 @@ if [[ $1 = build ]]; then
 	shift
 	exec nix build --no-link --print-out-paths \
 		$NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL \
-		"${TRUSTED_ARGS[@]}" \
 		"$@"
 elif [[ $1 = switch ]] || [[ $1 = test ]] || [[ $1 = dry-* ]]; then
 	METHOD=$1
 	shift
 	exec nixos-rebuild $METHOD \
-		--flake $NF_CONFIG_ROOT\#$NF_HOST "${TRUSTED_ARGS[@]}" \
+		--flake $NF_CONFIG_ROOT\#$NF_HOST \
 		--no-build-nix \
 		--target-host $NF_HOST --use-remote-sudo \
 		"$@"
 elif [[ $1 = check ]]; then
 	EXIT_CODE=0
-	DEFAULT=$(TRUSTED= nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
+	DEFAULT=$(nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
 	FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL)
 	if [[ $DEFAULT != $FLAKE ]]; then
 		echo default.nix: $DEFAULT
@ -43,16 +30,6 @@ elif [[ $1 = check ]]; then
 	else
 		echo untrusted ok: $FLAKE
 	fi
-
-	TRUSTED=$(TRUSTED=1 nix eval --raw -f $NF_CONFIG_ROOT $NIXOS_TOPLEVEL)
-	TRUSTED_FLAKE=$(nix eval --raw $NF_CONFIG_ROOT\#$NIXOS_TOPLEVEL "${TRUSTED_ARGS[@]}")
-	if [[ $TRUSTED != $TRUSTED_FLAKE ]]; then
-		echo TRUSTED=1 default.nix: $TRUSTED
-		echo trusted/flake.nix: $TRUSTED_FLAKE
-		EXIT_CODE=1
-	else
-		echo trusted ok: $TRUSTED_FLAKE
-	fi
 	exit $EXIT_CODE
 else
 	echo unknown cmd $1 >&2
--- a/nixos/kat.nix
+++ b/nixos/kat.nix
@ -11,7 +11,6 @@
    ];
    shell = pkgs.zsh;
    extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
-    hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.secrets.repo.kat-user.text);
  };

  systemd.tmpfiles.rules = [