update persist and secrets modules

This commit is contained in:
Dmitriy Kholkin 2023-01-26 00:41:28 +03:00
parent a4f8f9a1eb
commit 6cb0af468f
6 changed files with 136 additions and 68 deletions


@ -6,7 +6,7 @@ let
persists = with cfg; [ state derivative cache ]; persists = with cfg; [ state derivative cache ];
absoluteHomeFiles = map (x: "${cfg.homeDir}/${x}"); absoluteHomePath = map (x: "${cfg.homeDir}/${x}");
allFiles = takeAll "files" persists; allFiles = takeAll "files" persists;
@ -25,38 +25,110 @@ in {
options = let options = let
inherit (lib) mkOption mkEnableOption; inherit (lib) mkOption mkEnableOption;
inherit (lib.types) listOf path str either submodule enum; inherit (lib.types) listOf path str either submodule enum;
# defaultPerms = {
# mode = "0755";
# user = "root";
# group = "root";
# };
# dirPermsOpts = { user, group, mode }: {
# user = mkOption {
# type = str;
# default = user;
# };
# group = mkOption {
# type = str;
# default = group;
# };
# mode = mkOption {
# type = str;
# default = mode;
# };
# };
# fileOpts = perms: {
# options = {
# file = mkOption {
# type = str;
# };
# parentDirectory = dirPermsOpts perms;
# };
# };
# dirOpts = perms: {
# options = {
# directory = mkOption {
# type = str;
# };
# } // (dirPermsOpts perms);
# };
# userDefaultPerms = {
# inherit (defaultPerms) mode;
# user = config.mainuser;
# group = config.users.${userDefaultPerms.user}.group;
# };
# rootFile = submodule [
# (fileOpts defaultPerms)
# ];
# rootDir = submodule [
# (dirOpts defaultPerms)
# ];
# userFile = submodule [
# (fileOpts userDefaultPerms)
# ];
# userDir = submodule [
# (dirOpts userDefaultPerms)
# ];
common = { common = {
directories = mkOption { directories = mkOption {
type = listOf path; # type = listOf (either str (submodule {
default = [ ]; # options = {
}; # directory = mkOption {
files = mkOption { # type = str;
# default = null;
# };
# user = mkOption {
# type = str;
# default = "root";
# };
# group = mkOption {
# type = str;
# default = "root";
# };
# mode = mkOption {
# type = str;
# default = "0755";
# };
# };
# }));
# type = listOf (either str rootDir);
type = listOf str;
default = [ ];
};
files = mkOption {
# type = listOf (either str rootFile);
type = listOf str; type = listOf str;
default = [ ]; default = [ ];
}; };
# homeDirectories = mkOption {
# type = listOf str;
# default = [ ];
# };
homeFiles = mkOption { homeFiles = mkOption {
# type = listOf (either str userFile);
type = listOf str; type = listOf str;
default = [ ]; default = [ ];
}; };
homeDirectories = mkOption { homeDirectories = mkOption {
type = listOf (either str (submodule { # type = listOf (either str (submodule {
options = { # options = {
directory = mkOption { # directory = mkOption {
type = str; # type = str;
default = null; # default = null;
description = "The directory path to be linked."; # };
}; # method = mkOption {
method = mkOption { # type = enum [ "bindfs" "symlink" ];
type = enum [ "bindfs" "symlink" ]; # default = "bindfs";
default = "bindfs"; # };
description = "The linking method that should be used for this directory."; # };
}; # }));
}; # type = listOf (either str userDir);
})); type = listOf str;
default = [ ]; default = [ ];
}; };
}; };
@ -104,23 +176,14 @@ in {
imports = [ inputs.impermanence.nixosModules.impermanence ]; imports = [ inputs.impermanence.nixosModules.impermanence ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
# FIXME: use symlink instead of bind mounts?
# programs.fuse.userAllowOther = true;
environment.persistence.${cfg.persistRoot} = { environment.persistence.${cfg.persistRoot} = {
hideMounts = true;
directories = allDirectories; directories = allDirectories;
files = allFiles; files = allFiles;
}; users.${config.mainuser} = {
home = "/home/${config.mainuser}";
home-manager.users.${config.mainuser} = {
imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ];
home.persistence."${cfg.persistRoot}${homeDirectory}" = {
directories = allHomeDirectories; directories = allHomeDirectories;
files = allHomeFiles; files = allHomeFiles;
# FIXME: use symlink instead of bind mounts?
# allowOther = true;
allowOther = false;
removePrefixDirectory = false;
}; };
}; };
@ -141,25 +204,27 @@ in {
''; '';
}; };
# Euuuugh
systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable { systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
description = "Cleaning up cache files and directories"; description = "Cleaning up cache files and directories";
script = '' script = ''
${builtins.concatStringsSep "\n" (map (x: "rm ${lib.escapeShellArg x}") ${builtins.concatStringsSep "\n" (map (x: "rm ${lib.escapeShellArg x}")
(cfg.cache.files (cfg.cache.files
++ absoluteHomeFiles cfg.cache.homeFiles))} ++ absoluteHomePath cfg.cache.homeFiles))}
${builtins.concatStringsSep "\n" (map (x: "rm -rf ${lib.escapeShellArg x}") ${builtins.concatStringsSep "\n" (map (x: "rm -rf ${lib.escapeShellArg x}")
(cfg.cache.directories ++ cfg.cache.homeDirectories))} (cfg.cache.directories ++ absoluteHomePath cfg.cache.homeDirectories))}
''; '';
startAt = cfg.cache.clean.dates; startAt = cfg.cache.clean.dates;
}; };
# system.activationScripts = { system.activationScripts = {
# homedir.text = builtins.concatStringsSep "\n" (map (dir: '' homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
# mkdir -p ${cfg.persistRoot}${dir} mkdir -p ${cfg.persistRoot}${dir}
# chown ${config.mainuser}:users ${cfg.persistRoot}${dir} chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
# '') (builtins.filter (lib.hasPrefix homeDirectory) allDirectories)); '') (
# }; (builtins.filter (lib.hasPrefix cfg.homeDir) allDirectories)
++ absoluteHomePath allHomeDirectories
));
};
}; };
} }
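Review bot: In the new `system.activationScripts.homedir` block, `dir` is interpolated into `mkdir -p` and `chown` without quoting, while the cleanup script a few lines above wraps every path in `lib.escapeShellArg`; a persisted path containing a space or a shell metacharacter would be word-split or expanded, so write `mkdir -p ${lib.escapeShellArg "${cfg.persistRoot}${dir}"}` and the same for the `chown` line. That `chown ${config.mainuser}:users` is also applied to every entry of `allDirectories` that merely starts with `cfg.homeDir`, and `mkdir -p` as root leaves any newly created parent directories root-owned, which may be intended but deserves a `# only the leaf is chowned; parents stay root-owned` note. The home path is spelled three ways in this section — `cfg.homeDir` in `absoluteHomePath` and the filter, `homeDirectory` in `home.persistence`, and the literal `/home/${config.mainuser}` in `users.${config.mainuser}.home` — and if they ever diverge the activation script and the bind mounts disagree, so deriving the latter two from `cfg.homeDir` would remove the risk (their definitions are outside the hunks, so I cannot confirm they are equal today). The large commented-out permission/submodule blocks kept at the top of `options`, inside `homeDirectories`, and in the secrets and hosts files should either be removed or carry a one-line reason for being kept.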


@ -65,20 +65,21 @@ let
''; '';
decrypt = name: cfg: decrypt = name: cfg:
with cfg; { with cfg; let
doas-user = "/run/wrappers/bin/doas -u ${user}";
in {
"${name}-secrets" = rec { "${name}-secrets" = rec {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "user@1000.service" ]; requires = [ "user@1000.service" ];
after = requires; after = requires;
preStart = '' preStart = ''
stat '${encrypted}' ${doas-user} stat '${encrypted}'
mkdir -p '${builtins.dirOf decrypted}' mkdir -p '${builtins.dirOf decrypted}'
''; '';
script = '' script = ''
if cat '${encrypted}' | /run/wrappers/bin/doas -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then if ${doas-user} cat '${encrypted}' | ${doas-user} ${cfg.decrypt} > '${decrypted}.tmp'; then
mv -f '${decrypted}.tmp' '${decrypted}' mv -f '${decrypted}.tmp' '${decrypted}'
chown '${owner}' '${decrypted}' chown '${owner}' '${decrypted}'
chmod '${permissions}' '${decrypted}' chmod '${permissions}' '${decrypted}'
@ -200,10 +201,12 @@ in {
}]; }];
config.persist.derivative.directories = [ "/var/secrets" ]; config.persist.derivative.directories = [ "/var/secrets" ];
config.persist.derivative.homeDirectories = [{ # config.persist.derivative.homeDirectories = [ password-store-relative ];
directory = password-store-relative; config.persist.derivative.homeDirectories = [ ".local/share/password-store" ];
method = "symlink"; # config.persist.derivative.homeDirectories = [{
}]; # directory = password-store-relative;
# method = "symlink";
# }];
config.home-manager.users.${config.mainuser} = { config.home-manager.users.${config.mainuser} = {
systemd.user.services.activate-secrets = let systemd.user.services.activate-secrets = let
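Review bot: The plaintext is created by the shell redirection `> '${decrypted}.tmp'` with whatever umask the unit inherits (systemd's default is 0022 unless `UMask=` is set), and only the later `chown`/`chmod` tighten it, so between file creation and `chmod '${permissions}'` the secret is readable under the default mode; adding `umask 077` as the first line of `script`, or wrapping the pipeline in `(umask 077; …)`, makes the temporary file private from the moment it exists. A failed `${cfg.decrypt}` also leaves `${decrypted}.tmp` behind with whatever partial output was written — the `if` closes outside the hunk, so if the `else` branch does not already `rm -f '${decrypted}.tmp'`, it should. `requires = [ "user@1000.service" ]` hard-codes UID 1000 while the decryption now runs as `${user}` through doas; if `user` is ever not the UID-1000 account, its user session may not be up when the unit starts, so deriving the unit name from the user's uid would keep the two in step. In the second hunk `password-store-relative` appears to be left unused after the literal `".local/share/password-store"` replaced it — drop one of the two so they cannot drift apart.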


@ -3,20 +3,18 @@
inputs.vscode-server-fixup.nixosModules.home-manager.nixos-vscode-server inputs.vscode-server-fixup.nixosModules.home-manager.nixos-vscode-server
]; ];
home-manager.users.${config.mainuser} = { home-manager.users.${config.mainuser} = let
extensions = builtins.tryEval config.home-manager.users.${config.mainuser}.programs.vscode.extensions;
in {
services.vscode-server = { services.vscode-server = {
enable = true; enable = true;
extensions = extensions = if extensions.success then extensions.value
with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; else with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; [
# [ jnoortheen.nix-ide ]; bbenoist.nix
[ bbenoist.nix ]; ];
immutableExtensionsDir = true; immutableExtensionsDir = true;
# settings = {
# "nix.enableLanguageServer" = true;
# "nix.serverPath" = "${inputs.rnix-lsp.defaultPackage.${pkgs.system}}/bin/rnix-lsp";
# };
}; };
}; };
# persist.state.homeDirectories = [ ".vscode-server" ]; persist.state.homeDirectories = [ ".vscode-server" ];
} }
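Review bot: `builtins.tryEval` only catches failures raised by `throw` and `assert`, so the fallback in `services.vscode-server.extensions` is not what it looks like: if the `programs.vscode.extensions` option is not defined in this home-manager configuration the missing-attribute error propagates uncaught, and if it is defined it simply evaluates to its default `[]` with `success = true`, so the `bbenoist.nix` branch is effectively dead either way. Branching on the value instead — e.g. `let exts = config.home-manager.users.${config.mainuser}.programs.vscode.extensions; in if exts != [ ] then exts else …` — or on `programs.vscode.enable`, gives the intended "reuse the user's extension list, otherwise install the Nix extension" behaviour; I cannot see from the hunk whether `programs.vscode` is enabled anywhere, so the `enable` variant is the hedged suggestion. Either way a one-line comment such as `# fall back to a minimal extension set when the user has no vscode config` would make the intent explicit.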


@ -25,6 +25,5 @@ with config.deviceSpecific; {
}; };
}; };
}; };
persist.state.homeDirectories = [ ".local/share/gnupg" ]; persist.state.homeDirectories = [ ".local/share/gnupg" ];
} }


@ -52,13 +52,16 @@
"/var/lib/systemd" "/var/lib/systemd"
] ++ lib.optionals config.services.postgresql.enable [ ] ++ lib.optionals config.services.postgresql.enable [
config.services.postgresql.dataDir config.services.postgresql.dataDir
] ++ lib.optionals config.services.mysql.enable [
config.services.mysql.dataDir
]; ];
persist.state.homeDirectories = [ persist.state.homeDirectories = [
"projects" "projects"
{ "nixos-config"
directory = "nixos-config"; # {
method = "symlink"; # directory = "nixos-config";
} # method = "symlink";
# }
] ++ lib.optionals (!config.deviceSpecific.isServer) [ ] ++ lib.optionals (!config.deviceSpecific.isServer) [
"games" "games"
# "persist" # "persist"


@ -110,5 +110,5 @@
}; };
}; };
persist.state.homeFiles = [ ".local/share/zsh/history" ]; persist.state.homeDirectories = [ ".local/share/zsh" ];
} }