From 6cb0af468ff49919c2c99a2342faf9578053f078 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 26 Jan 2023 00:41:28 +0300
Subject: [PATCH] update persist and secrets modules
---
 modules/persist.nix | 153 ++++++++++++++++++++---------
 modules/secrets.nix | 19 ++-
 profiles/servers/vscode-server.nix | 18 ++--
 profiles/workspace/gpg.nix | 1 -
 profiles/workspace/misc.nix | 11 ++-
 profiles/workspace/zsh/default.nix | 2 +-
 6 files changed, 136 insertions(+), 68 deletions(-)
diff --git a/modules/persist.nix b/modules/persist.nix
index fd35caf..cb1bddf 100644
--- a/modules/persist.nix
+++ b/modules/persist.nix
@@ -6,7 +6,7 @@ let
 persists = with cfg; [ state derivative cache ];
- absoluteHomeFiles = map (x: "${cfg.homeDir}/${x}");
+ absoluteHomePath = map (x: "${cfg.homeDir}/${x}");
 allFiles = takeAll "files" persists;
@@ -25,38 +25,110 @@ in {
 options = let
 inherit (lib) mkOption mkEnableOption;
 inherit (lib.types) listOf path str either submodule enum;
+
+ # defaultPerms = {
+ # mode = "0755";
+ # user = "root";
+ # group = "root";
+ # };
+ # dirPermsOpts = { user, group, mode }: {
+ # user = mkOption {
+ # type = str;
+ # default = user;
+ # };
+ # group = mkOption {
+ # type = str;
+ # default = group;
+ # };
+ # mode = mkOption {
+ # type = str;
+ # default = mode;
+ # };
+ # };
+ # fileOpts = perms: {
+ # options = {
+ # file = mkOption {
+ # type = str;
+ # };
+ # parentDirectory = dirPermsOpts perms;
+ # };
+ # };
+ # dirOpts = perms: {
+ # options = {
+ # directory = mkOption {
+ # type = str;
+ # };
+ # } // (dirPermsOpts perms);
+ # };
+ # userDefaultPerms = {
+ # inherit (defaultPerms) mode;
+ # user = config.mainuser;
+ # group = config.users.${userDefaultPerms.user}.group;
+ # };
+ # rootFile = submodule [
+ # (fileOpts defaultPerms)
+ # ];
+ # rootDir = submodule [
+ # (dirOpts defaultPerms)
+ # ];
+ # userFile = submodule [
+ # (fileOpts userDefaultPerms)
+ # ];
+ # userDir = submodule [
+ # (dirOpts userDefaultPerms)
+ # ];
+
 common = {
 directories = mkOption {
- type = listOf path;
- default = [ ];
- };
- files = mkOption {
+ # type = listOf (either str (submodule {
+ # options = {
+ # directory = mkOption {
+ # type = str;
+ # default = null;
+ # };
+ # user = mkOption {
+ # type = str;
+ # default = "root";
+ # };
+ # group = mkOption {
+ # type = str;
+ # default = "root";
+ # };
+ # mode = mkOption {
+ # type = str;
+ # default = "0755";
+ # };
+ # };
+ # }));
+ # type = listOf (either str rootDir);
+ type = listOf str;
+ default = [ ];
+ };
+ files = mkOption {
+ # type = listOf (either str rootFile);
 type = listOf str;
 default = [ ];
 };
- # homeDirectories = mkOption {
- # type = listOf str;
- # default = [ ];
- # };
 homeFiles = mkOption {
+ # type = listOf (either str userFile);
 type = listOf str;
 default = [ ];
 };
 homeDirectories = mkOption {
- type = listOf (either str (submodule {
- options = {
- directory = mkOption {
- type = str;
- default = null;
- description = "The directory path to be linked.";
- };
- method = mkOption {
- type = enum [ "bindfs" "symlink" ];
- default = "bindfs";
- description = "The linking method that should be used for this directory.";
- };
- };
- }));
+ # type = listOf (either str (submodule {
+ # options = {
+ # directory = mkOption {
+ # type = str;
+ # default = null;
+ # };
+ # method = mkOption {
+ # type = enum [ "bindfs" "symlink" ];
+ # default = "bindfs";
+ # };
+ # };
+ # }));
+ # type = listOf (either str userDir);
+ type = listOf str;
 default = [ ];
 };
 };
@@ -104,23 +176,14 @@ in {
 imports = [ inputs.impermanence.nixosModules.impermanence ];
 config = mkIf cfg.enable {
- # FIXME: use symlink instead of bind mounts?
- # programs.fuse.userAllowOther = true;
-
 environment.persistence.${cfg.persistRoot} = {
+ hideMounts = true;
 directories = allDirectories;
 files = allFiles;
- };
-
- home-manager.users.${config.mainuser} = {
- imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ];
- home.persistence."${cfg.persistRoot}${homeDirectory}" = {
+ users.${config.mainuser} = {
+ home = "/home/${config.mainuser}";
 directories = allHomeDirectories;
 files = allHomeFiles;
- # FIXME: use symlink instead of bind mounts?
- # allowOther = true;
- allowOther = false;
- removePrefixDirectory = false;
 };
 };
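Review bot: Replacing `listOf path` with `listOf str` on `directories` and `files` drops the one check the old type gave — `types.path` rejects an entry that does not start with `/` — and nothing in the new option types rejects a relative entry, an empty string or a `..` component, even though these lists are what the module hands to `environment.persistence` and, for the cache variant, to `rm -rf`. `lib.types.strMatching` keeps the strings-only representation while restoring the invariant: `type = listOf (strMatching "/.*");` for the two absolute lists and `type = listOf (strMatching "[^/].*");` for `homeFiles`/`homeDirectories` (add `strMatching` to the `inherit (lib.types)` line; `..` is still not excluded and would need an assertion). The commented-out submodules show that per-entry `user`/`group`/`mode` were wanted, and as merged every persisted directory gets whatever ownership the consumer assigns by default, which deserves a comment on the option such as `# entries are plain paths; ownership of the backing directory is not configurable here yet`. The `options = let … in { … }` set continues past the end of the hunk.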
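Review bot: `home = "/home/${config.mainuser}";` hard-codes the home directory, while the rest of this module derives home-relative paths from `cfg.homeDir` (`absoluteHomePath = map (x: "${cfg.homeDir}/${x}")` and the `lib.hasPrefix cfg.homeDir` filter in the activation script). If `cfg.homeDir` is ever anything but `/home/<mainuser>`, impermanence would bind-mount one tree while cleanup and activation operate on another; `home = cfg.homeDir;` keeps the three in step. The removed `allowOther = false` only applied to the FUSE-based home-manager mounts, so dropping it together with the switch to the NixOS `users.<name>` variant looks consistent, but a one-line comment saying why the home-manager module was abandoned would help the next reader.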
@@ -141,25 +204,27 @@ in {
 '';
 };
- # Euuuugh
 systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
 description = "Cleaning up cache files and directories";
 script = ''
 ${builtins.concatStringsSep "\n" (map (x: "rm ${lib.escapeShellArg x}")
 (cfg.cache.files
- ++ absoluteHomeFiles cfg.cache.homeFiles))}
+ ++ absoluteHomePath cfg.cache.homeFiles))}
 ${builtins.concatStringsSep "\n" (map (x: "rm -rf ${lib.escapeShellArg x}")
- (cfg.cache.directories ++ cfg.cache.homeDirectories))}
+ (cfg.cache.directories ++ absoluteHomePath cfg.cache.homeDirectories))}
 '';
 startAt = cfg.cache.clean.dates;
 };
- # system.activationScripts = {
- # homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
- # mkdir -p ${cfg.persistRoot}${dir}
- # chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
- # '') (builtins.filter (lib.hasPrefix homeDirectory) allDirectories));
- # };
+ system.activationScripts = {
+ homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
+ mkdir -p ${cfg.persistRoot}${dir}
+ chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
+ '') (
+ (builtins.filter (lib.hasPrefix cfg.homeDir) allDirectories)
+ ++ absoluteHomePath allHomeDirectories
+ ));
+ };
 };
}
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 3a895fa..65c9344 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
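Review bot: The activation script runs as root and does `mkdir -p` followed by `chown ${config.mainuser}:users` on paths inside `${cfg.persistRoot}${cfg.homeDir}`, a tree the user owns after the first run has chowned it; `chown` dereferences a symlink given as its operand, so a symlink the user plants at one of these paths on the persist side (say `.vscode-server` pointing at `/root`) gets root to hand ownership of the target to the user on the next rebuild, and a symlinked intermediate component does the same through `mkdir -p`. The paths are also interpolated unquoted, while the cleanup service a few lines up escapes every argument with `lib.escapeShellArg`. I would let root create and chown only the home root itself and create everything below it unprivileged, so that no root-privileged write ever happens inside a user-owned tree; `runuser` comes from util-linux, which I believe is on the activation-script PATH, but that is worth verifying, and entries left root-owned by earlier runs would need a one-off chown. The enclosing `config = mkIf cfg.enable { … }` block starts in the previous hunk.

```nix
system.activationScripts = {
  homedir.text = let
    user = config.mainuser;
    # Root creates and chowns only this directory; it is the one path here
    # that is not reachable through components the user controls.
    homeRoot = lib.escapeShellArg "${cfg.persistRoot}${cfg.homeDir}";
    persisted = (builtins.filter (lib.hasPrefix cfg.homeDir) allDirectories)
      ++ absoluteHomePath allHomeDirectories;
  in ''
    mkdir -p ${homeRoot}
    chown ${user}:users ${homeRoot}
  '' + builtins.concatStringsSep "\n" (map (dir:
    # unprivileged mkdir: a planted symlink can only lead where the user can already write
    "runuser -u ${user} -- mkdir -p ${lib.escapeShellArg "${cfg.persistRoot}${dir}"}"
  ) persisted);
};
```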
@@ -65,20 +65,21 @@ let
 '';
 decrypt = name: cfg:
- with cfg; {
+ with cfg; let
+ doas-user = "/run/wrappers/bin/doas -u ${user}";
+ in {
 "${name}-secrets" = rec {
- wantedBy = [ "multi-user.target" ];
 requires = [ "user@1000.service" ];
 after = requires;
 preStart = ''
- stat '${encrypted}'
+ ${doas-user} stat '${encrypted}'
 mkdir -p '${builtins.dirOf decrypted}'
 '';
 script = ''
- if cat '${encrypted}' | /run/wrappers/bin/doas -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
+ if ${doas-user} cat '${encrypted}' | ${doas-user} ${cfg.decrypt} > '${decrypted}.tmp'; then
 mv -f '${decrypted}.tmp' '${decrypted}'
 chown '${owner}' '${decrypted}'
 chmod '${permissions}' '${decrypted}'
@@ -200,10 +201,12 @@ in {
 }];
 config.persist.derivative.directories = [ "/var/secrets" ];
- config.persist.derivative.homeDirectories = [{
- directory = password-store-relative;
- method = "symlink";
- }];
+ # config.persist.derivative.homeDirectories = [ password-store-relative ];
+ config.persist.derivative.homeDirectories = [ ".local/share/password-store" ];
+ # config.persist.derivative.homeDirectories = [{
+ # directory = password-store-relative;
+ # method = "symlink";
+ # }];
 config.home-manager.users.${config.mainuser} = {
 systemd.user.services.activate-secrets = let
diff --git a/profiles/servers/vscode-server.nix b/profiles/servers/vscode-server.nix
index 4affd06..665a33b 100644
--- a/profiles/servers/vscode-server.nix
+++ b/profiles/servers/vscode-server.nix
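Review bot: `> '${decrypted}.tmp'` is opened by root under the service's default umask and is only narrowed by `chmod '${permissions}'` two lines later, so the plaintext sits readable to everyone in `dirOf decrypted` (itself created by a bare `mkdir -p` in `preStart`) for as long as the decrypt takes; `umask 077` as the first line of `script` (and of `preStart`) closes that window. The `if` only sees the exit status of `${cfg.decrypt}`, so a denied `${doas-user} cat` would leave an empty or partial `.tmp` that still gets installed as the secret — `set -o pipefail` at the top of `script` makes the pipeline fail as a whole. Dropping `wantedBy = [ "multi-user.target" ]` means nothing starts this unit at boot unless another unit pulls it in, presumably the user-level `activate-secrets` service further down; if that is the intent a comment like `# started on demand by the user-level activate-secrets service, not at boot` would save the next reader a search. The `rec { … }` set and the `if` continue past the end of the hunk.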
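Review bot: `".local/share/password-store"` hard-codes a path that the module also carries as `password-store-relative` (used on the removed lines and on the commented alternative directly above), so if the two ever drift apart the store is persisted at one path and used at another. Unless `password-store-relative` is not a plain string here — it is defined outside the hunk, so I cannot tell — `config.persist.derivative.homeDirectories = [ password-store-relative ];` is the safer form, and the two commented-out alternatives can then go or be replaced by a one-line note on why the symlink method was dropped.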
@@ -3,20 +3,18 @@
 inputs.vscode-server-fixup.nixosModules.home-manager.nixos-vscode-server
 ];
- home-manager.users.${config.mainuser} = {
+ home-manager.users.${config.mainuser} = let
+ extensions = builtins.tryEval config.home-manager.users.${config.mainuser}.programs.vscode.extensions;
+ in {
 services.vscode-server = {
 enable = true;
- extensions =
- with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode;
- # [ jnoortheen.nix-ide ];
- [ bbenoist.nix ];
+ extensions = if extensions.success then extensions.value
+ else with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; [
+ bbenoist.nix
+ ];
 immutableExtensionsDir = true;
- # settings = {
- # "nix.enableLanguageServer" = true;
- # "nix.serverPath" = "${inputs.rnix-lsp.defaultPackage.${pkgs.system}}/bin/rnix-lsp";
- # };
 };
 };
- # persist.state.homeDirectories = [ ".vscode-server" ];
+ persist.state.homeDirectories = [ ".vscode-server" ];
 }
diff --git a/profiles/workspace/gpg.nix b/profiles/workspace/gpg.nix
index 9a1a05a..ed2cccc 100644
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@@ -25,6 +25,5 @@ with config.deviceSpecific; {
 };
 };
 };
- persist.state.homeDirectories = [ ".local/share/gnupg" ];
 }
\ No newline at end of file
diff --git a/profiles/workspace/misc.nix b/profiles/workspace/misc.nix
index da68b81..575c4ac 100644
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@@ -52,13 +52,16 @@
 "/var/lib/systemd"
 ] ++ lib.optionals config.services.postgresql.enable [
 config.services.postgresql.dataDir
+ ] ++ lib.optionals config.services.mysql.enable [
+ config.services.mysql.dataDir
 ];
 persist.state.homeDirectories = [
 "projects"
- {
- directory = "nixos-config";
- method = "symlink";
- }
+ "nixos-config"
+ # {
+ # directory = "nixos-config";
+ # method = "symlink";
+ # }
 ] ++ lib.optionals (!config.deviceSpecific.isServer) [
 "games"
 # "persist"
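Review bot: `builtins.tryEval` catches only `throw` and failed `assert`, so a missing `programs.vscode` attribute would still abort evaluation rather than take the fallback; and on a host where the module is present but `programs.vscode.enable` is off, `extensions` evaluates to the option default (an empty list, as far as I recall of home-manager's module), `success` is true, and the `bbenoist.nix` fallback is never used — which looks like the opposite of what the `else` branch is for. Keying the choice on the enable flag says what is meant without relying on evaluation failure: `extensions = let hm = config.home-manager.users.${config.mainuser}; in if hm.programs.vscode.enable then hm.programs.vscode.extensions else with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; [ bbenoist.nix ];` and the outer `let extensions = builtins.tryEval … in` can go. A comment on the line explaining that a server inherits the workstation's extension list only when VS Code itself is configured there would make the intent explicit.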
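Review bot: `config.services.mysql.dataDir` is added to `persist.state.directories`, which after this patch is a plain `listOf str`, so nothing here says what owner and mode the backing directory on the persist side is created with; a MySQL data directory has to be writable by the `mysql` user before the service first starts, and the same question applies to the PostgreSQL entry right above it, which predates this patch. I could not see from the diff what ownership the persistence layer assigns to a directory it creates, so this is worth checking on a fresh host. Until per-entry `user`/`group` come back to the option type, a comment on the entry such as `# backing dir under persistRoot must end up owned by mysql:mysql — verify on first boot` would at least flag it.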
diff --git a/profiles/workspace/zsh/default.nix b/profiles/workspace/zsh/default.nix
index 0d5d4ad..dc45259 100644
--- a/profiles/workspace/zsh/default.nix
+++ b/profiles/workspace/zsh/default.nix
@@ -110,5 +110,5 @@
 };
 };
- persist.state.homeFiles = [ ".local/share/zsh/history" ];
+ persist.state.homeDirectories = [ ".local/share/zsh" ];
 }