dot013/nix
1
0
Fork 0
Code Issues Pull Requests Activity

refactor: secret handling

Browse Source
This commit is contained in:
Gustavo "Guz" L. de Mello
2024-04-10 13:02:00 -03:00
parent 5bbdfc7977
commit cde1ba412e
6 changed files with 160 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@@ -9,7 +9,7 @@ creation_rules:
key_groups:
- age:
- *primary
- path_regex: secrets/homelab-lesser-secrets.json$
- path_regex: secrets/homelab-secrets.lesser.json$
key_groups:
- age:
- *primary

175
flake.lock generated
View File

@@ -25,11 +25,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1708488241,
"narHash": "sha256-9GbpCrw5Ws4mKK2rIJrKWGuUefdG8dxfl3dP3Z8/MMI=",
"lastModified": 1712688750,
"narHash": "sha256-ig9uSnX9cEGOPgnwODnliQQ+MgFEI/904qz15Xey0TE=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "fdd5fff7c3e8289cbb811aa05c01b2f1a1831255",
"rev": "f0e5d504f917ed7dbfefc2946740ff6c7bb44e0b",
"type": "gitlab"
},
"original": {
@@ -56,11 +56,11 @@
},
"flatpaks": {
"locked": {
"lastModified": 1708268179,
"narHash": "sha256-NNVuhf84AeDTxadfSGnFqPHR0ED+QyM2gmu+Wyz6PrY=",
"lastModified": 1711997375,
"narHash": "sha256-KvU4gOtuFMS9Il67glRGtdNfguAINT9pCaXtvCL8uI8=",
"owner": "gmodena",
"repo": "nix-flatpak",
"rev": "a243cb0522f6240c194b873dde68e25370b06034",
"rev": "45bf66f7068db79b552da864c0e87452be624d6c",
"type": "github"
},
"original": {
@@ -76,11 +76,11 @@
]
},
"locked": {
"lastModified": 1708451036,
"narHash": "sha256-tgZ38NummEdnXvxj4D0StHBzXgceAw8CptytHljH790=",
"lastModified": 1712688495,
"narHash": "sha256-NrVLXkpT9ZigiI8md6NIzHS+3lE4QTj30IgXG57O9iM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "517601b37c6d495274454f63c5a483c8e3ca6be1",
"rev": "b00d0e4fe9cba0047f54e77418ddda5f17e6ef2c",
"type": "github"
},
"original": {
@@ -89,8 +89,38 @@
"type": "github"
}
},
"hyprcursor": {
"inputs": {
"hyprlang": [
"hyprland",
"hyprlang"
],
"nixpkgs": [
"hyprland",
"nixpkgs"
],
"systems": [
"hyprland",
"systems"
]
},
"locked": {
"lastModified": 1712434681,
"narHash": "sha256-qwmR2p1oc48Bj7gUDvb1oGL19Rjs2PmEmk4ChV01A5o=",
"owner": "hyprwm",
"repo": "hyprcursor",
"rev": "818d8c4b69e0997483d60b75f701fe14b561a7a3",
"type": "github"
},
"original": {
"owner": "hyprwm",
"repo": "hyprcursor",
"type": "github"
}
},
"hyprland": {
"inputs": {
"hyprcursor": "hyprcursor",
"hyprland-protocols": "hyprland-protocols",
"hyprlang": "hyprlang",
"nixpkgs": "nixpkgs",
@@ -99,11 +129,11 @@
"xdph": "xdph"
},
"locked": {
"lastModified": 1708534664,
"narHash": "sha256-ScPWUtrusSfkL4LLWQkV14q6/N4Xx26yuZ7EUsGCuvU=",
"lastModified": 1712676164,
"narHash": "sha256-CDxfxIUTu+2nkLjq46LWHa98WB85AcdglURwi5obgAM=",
"owner": "hyprwm",
"repo": "Hyprland",
"rev": "fc5ca391adeef3673e579ebf21759032c2455efc",
"rev": "1343aa865d04d80313b0e674c28ecfdbeb90e876",
"type": "github"
},
"original": {
@@ -167,14 +197,18 @@
"nixpkgs": [
"hyprland",
"nixpkgs"
],
"systems": [
"hyprland",
"systems"
]
},
"locked": {
"lastModified": 1708005943,
"narHash": "sha256-9TT3xk++LI5/SPYgjYX34xZ4ebR93c1uerIq+SE/ues=",
"lastModified": 1711671891,
"narHash": "sha256-C/Wwsy/RLxHP1axFFl+AnwJRWfd8gxDKKoa8nt8Qk3c=",
"owner": "hyprwm",
"repo": "hyprlang",
"rev": "aeb3e012adc7b3235335c540b214b82267c2b983",
"rev": "c1402612146ba06606ebf64963a02bc1efe11e74",
"type": "github"
},
"original": {
@@ -184,40 +218,19 @@
}
},
"hyprlang_2": {
"inputs": {
"nixpkgs": [
"hyprland",
"xdph",
"nixpkgs"
]
},
"locked": {
"lastModified": 1704287638,
"narHash": "sha256-TuRXJGwtK440AXQNl5eiqmQqY4LZ/9+z/R7xC0ie3iA=",
"owner": "hyprwm",
"repo": "hyprlang",
"rev": "6624f2bb66d4d27975766e81f77174adbe58ec97",
"type": "github"
},
"original": {
"owner": "hyprwm",
"repo": "hyprlang",
"type": "github"
}
},
"hyprlang_3": {
"inputs": {
"nixpkgs": [
"xdg-desktop-portal-hyprland",
"nixpkgs"
]
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1704287638,
"narHash": "sha256-TuRXJGwtK440AXQNl5eiqmQqY4LZ/9+z/R7xC0ie3iA=",
"lastModified": 1708681732,
"narHash": "sha256-ULZZLZ9C33G13IaXLuAc4oTzHUvnATI8Fj2u6gzMfT0=",
"owner": "hyprwm",
"repo": "hyprlang",
"rev": "6624f2bb66d4d27975766e81f77174adbe58ec97",
"rev": "f4466367ef0a92a6425d482050dc2b8840c0e644",
"type": "github"
},
"original": {
@@ -252,11 +265,11 @@
]
},
"locked": {
"lastModified": 1708225687,
"narHash": "sha256-NJBDfvknI26beOFmjO2coeJMTTUCCtw2Iu+rvJ1Zb9k=",
"lastModified": 1712459390,
"narHash": "sha256-e12bNDottaGoBgd0AdH/bQvk854xunlWAdZwr/oHO1c=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "17352eb241a8d158c4ac523b19d8d2a6c8efe127",
"rev": "4676d72d872459e1e3a248d049609f110c570e9a",
"type": "github"
},
"original": {
@@ -267,11 +280,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1707546158,
"narHash": "sha256-nYYJTpzfPMDxI8mzhQsYjIUX+grorqjKEU9Np6Xwy/0=",
"lastModified": 1712439257,
"narHash": "sha256-aSpiNepFOMk9932HOax0XwNxbA38GOUVOiXfUVPOrck=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d934204a0f8d9198e1e4515dd6fec76a139c87f0",
"rev": "ff0dbd94265ac470dda06a657d5fe49de93b4599",
"type": "github"
},
"original": {
@@ -298,11 +311,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1708210246,
"narHash": "sha256-Q8L9XwrBK53fbuuIFMbjKvoV7ixfLFKLw4yV+SD28Y8=",
"lastModified": 1712437997,
"narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "69405156cffbdf2be50153f13cbdf9a0bea38e49",
"rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
"type": "github"
},
"original": {
@@ -314,11 +327,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1708475490,
"narHash": "sha256-g1v0TsWBQPX97ziznfJdWhgMyMGtoBFs102xSYO4syU=",
"lastModified": 1712608508,
"narHash": "sha256-vMZ5603yU0wxgyQeHJryOI+O61yrX2AHwY6LOFyV1gM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0e74ca98a74bc7270d28838369593635a5db3260",
"rev": "4cba8b53da471aea2ab2b0c1f30a81e7c451f4b6",
"type": "github"
},
"original": {
@@ -330,11 +343,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1703961334,
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"lastModified": 1708475490,
"narHash": "sha256-g1v0TsWBQPX97ziznfJdWhgMyMGtoBFs102xSYO4syU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"rev": "0e74ca98a74bc7270d28838369593635a5db3260",
"type": "github"
},
"original": {
@@ -366,11 +379,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1708500294,
"narHash": "sha256-mvJIecY3tDKZh7297mqOtOuAvP7U1rqjfLNfmfkjFpU=",
"lastModified": 1712617241,
"narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "f6b80ab6cd25e57f297fe466ad689d8a77057c11",
"rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
"type": "github"
},
"original": {
@@ -409,6 +422,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"tmux-plugin-manager": {
"flake": false,
"locked": {
@@ -429,34 +457,34 @@
"flake": false,
"locked": {
"host": "gitlab.freedesktop.org",
"lastModified": 1706359063,
"narHash": "sha256-5HUTG0p+nCJv3cn73AmFHRZdfRV5AD5N43g8xAePSKM=",
"lastModified": 1709983277,
"narHash": "sha256-wXWIJLd4F2JZeMaihWVDW/yYXCLEC8OpeNJZg9a9ly8=",
"owner": "wlroots",
"repo": "wlroots",
"rev": "00b869c1a96f300a8f25da95d624524895e0ddf2",
"rev": "50eae512d9cecbf0b3b1898bb1f0b40fa05fe19b",
"type": "gitlab"
},
"original": {
"host": "gitlab.freedesktop.org",
"owner": "wlroots",
"repo": "wlroots",
"rev": "00b869c1a96f300a8f25da95d624524895e0ddf2",
"rev": "50eae512d9cecbf0b3b1898bb1f0b40fa05fe19b",
"type": "gitlab"
}
},
"xdg-desktop-portal-hyprland": {
"inputs": {
"hyprland-protocols": "hyprland-protocols_2",
"hyprlang": "hyprlang_3",
"hyprlang": "hyprlang_2",
"nixpkgs": "nixpkgs_3",
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1708532964,
"narHash": "sha256-Hlor9vCcGVhoF5A3VTC640MDvScYQLmjXHOkb1IuqwU=",
"lastModified": 1709299639,
"narHash": "sha256-jYqJM5khksLIbqSxCLUUcqEgI+O2LdlSlcMEBs39CAU=",
"owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland",
"rev": "65fb44ae496051c8377c6225f7187ca123bb68a5",
"rev": "2d2fb547178ec025da643db57d40a971507b82fe",
"type": "github"
},
"original": {
@@ -471,7 +499,10 @@
"hyprland",
"hyprland-protocols"
],
"hyprlang": "hyprlang_2",
"hyprlang": [
"hyprland",
"hyprlang"
],
"nixpkgs": [
"hyprland",
"nixpkgs"
@@ -482,11 +513,11 @@
]
},
"locked": {
"lastModified": 1706521509,
"narHash": "sha256-AInZ50acOJ3wzUwGzNr1TmxGTMx+8j6oSTzz4E7Vbp8=",
"lastModified": 1709299639,
"narHash": "sha256-jYqJM5khksLIbqSxCLUUcqEgI+O2LdlSlcMEBs39CAU=",
"owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland",
"rev": "c06fd88b3da492b8f9067be021b9184f7012b5a8",
"rev": "2d2fb547178ec025da643db57d40a971507b82fe",
"type": "github"
},
"original": {

3
flake.nix
View File

@@ -73,8 +73,7 @@
configs);
in {
nixosConfigurations = create-host [
"desktop@default"
"desktop@work"
"battleship"
"homelab"
];
};

83
modules/nixos/programs/nih/cli.sh
View File

@@ -10,6 +10,51 @@ function util-show-diff() {
rm $temp_file
}
function util-build() {
local prefix="$1";
local flake_dir="$2";
local host="$3";
set -e
pushd $flake_dir
for f in ./secrets/*.lesser.*; do
local filename="$(basename -- "$f")"
local extension="${filename##*.}"
local filename="${filename%.*}"
local subextenstion="${filename##*.}"
if [[ "$subextenstion" == "decrypted" ]]; then
gum log --structured --prefix "$prefix" --level warn 'File already decrypted!' file "$f"
else
gum log --structured --prefix "$prefix" --level debug 'Decrypting lesser secret file' file "$f"
sops --output "./secrets/$filename.decrypted.$extension" -d $f
fi
done
# Add secret files
gum log --structured --prefix "$prefix" --level debug 'Adding decrypted secret files'
git add ./secrets/*.decrypted.*
# Build NixOS
gum log --structured --prefix "$prefix" --level debug 'Building NixOS'
sudo nixos-rebuild switch --flake "$flake_dir#$host" \
|| (gum log --structured --prefix "$prefix" --level debug 'Removing decrypted secret files' \
&& git reset ./secrets/*.decrypted.* \
&& for f in ./secrets/*.decrypted.*; do rm $f; done \
&& gum log --structured --prefix "$prefix" --level error 'Error building new config' \
&& exit 1)
git reset ./secrets/*.decrypted.*
for f in ./secrets/*.decrypted.*; do
gum log --structured --prefix "$prefix" --level debug 'Removing decrypted secret file' file "$f"
rm $f
done
popd
}
function nih-edit() {
local flake_dir="$1"
local host="$2"
@@ -21,7 +66,7 @@ function nih-edit() {
pushd $flake_dir
# Edit file
$EDITOR "$(gum file "$flakedir")"
$EDITOR "$(gum file "$flake_dir")"
# Skip if there's no changes
if git diff --quiet "*.*"; then
@@ -45,20 +90,8 @@ function nih-edit() {
# Show modifications
util-show-diff 'nih edit'
# Add secret files
gum log --structured --prefix 'nih edit' --level debug 'Adding decrypted secret files'
git add ./secrets/*
# Build NixOS
gum log --structured --prefix 'nih edit' --level debug 'Building NixOS'
sudo nixos-rebuild switch --flake "$flake_dir#$host" \
|| (gum log --structured --prefix 'nih edit' --level debug 'Removing decrypted secret files' \
&& git reset ./secrets/*.decrypted.* \
&& gum log --structured --prefix 'nih edit' --level error 'Error building new config' \
&& exit 1)
gum log --structured --prefix 'nih edit' --level debug 'Removing decrypted secret files'
git reset ./secrets/*
# Build nixos
util-build 'nih edit' $flake_dir $host
gum log --structured \
--prefix 'nih edit' \
@@ -109,9 +142,6 @@ function nih-switch () {
gum log --structured --prefix 'nih switch' --level info 'Switching NixOS config'
gum log --structured --prefix 'nih switch' --level debug 'Adding decrypted secret files'
git add ./secrets/*.decrypted.*
gum log --structured --prefix 'nih switch' --level debug 'Formatting files'
alejandra . &>/dev/null \
|| (alejandra . ; \
@@ -120,21 +150,14 @@ function nih-switch () {
--level error 'Failed to format files' \
&& exit 1)
gum log --structured --prefix 'nih switch' --level debug 'Building NixOS'
sudo nixos-rebuild switch --flake "$flake_dir#$host" \
|| (gum log --structured --prefix 'nih edit' --level debug 'Removing decrypted secret files' \
&& git reset ./secrets/*.decrypted.* \
&& gum log --structured --prefix 'nih edit' --level error 'Error building new config' \
&& exit 1)
# Build nixos
util-build 'nih switch' $flake_dir $host
gum log --structured --prefix 'nih switch' --level info 'NixOS rebuilt!'
notify-send -e "NixOS Rebuilt!" \
--icon=software-update-available \
--urgency=low
gum log --structured --prefix 'nih switch' --level debug 'Removing decrypted secret files'
git reset ./secrets/*.decrypted.*
gum log --structured --prefix 'nih edit' --level info 'NixOS rebuilt!'
notify-send -e "NixOS Rebuilt!" \
--icon=software-update-available \
@@ -188,9 +211,11 @@ function nih-sync() {
--level error 'Failed to format files' \
&& exit 1)
gum log --structured --prefix 'nih sync' --level debug 'Removing decrypted secret files'
git reset ./secrets/*.decrypted.*
for f in ./secrets/*.decrypted.*; do
gum log --structured --prefix "$prefix" --level debug 'Removing decrypted secret file' file "$f"
rm $f
done
# Skip if there's no changes
if git diff --quiet "*.*"; then

1
modules/nixos/programs/nih/default.nix
View File

@@ -15,6 +15,7 @@
(${pkgs.libnotify}/bin/notify-send "$@" &>/dev/null || echo "")
}
function mktemp() { ${pkgs.mktemp}/bin/mktemp "$@"; }
function sops() { ${pkgs.sops}/bin/sops "$@"; }
flake_dir="${toString cfg.flakeDir}";
host="${toString cfg.host}";

0
secrets/homelab-lesser-secrets.json → secrets/homelab-secrets.lesser.json
View File