update persist and secrets modules

2023-01-26 00:41:28 +03:00 · 2023-01-26 00:41:28 +03:00 · 6cb0af468f
commit 6cb0af468f
parent a4f8f9a1eb
6 changed files with 136 additions and 68 deletions
--- a/modules/persist.nix
+++ b/modules/persist.nix
@ -6,7 +6,7 @@ let

  persists = with cfg; [ state derivative cache ];

-  absoluteHomeFiles = map (x: "${cfg.homeDir}/${x}");
+  absoluteHomePath = map (x: "${cfg.homeDir}/${x}");

  allFiles = takeAll "files" persists;

@ -25,38 +25,110 @@ in {
  options = let
    inherit (lib) mkOption mkEnableOption;
    inherit (lib.types) listOf path str either submodule enum;
+
+    # defaultPerms = {
+    #   mode = "0755";
+    #   user = "root";
+    #   group = "root";
+    # };
+    # dirPermsOpts = { user, group, mode }: {
+    #   user = mkOption {
+    #     type = str;
+    #     default = user;
+    #   };
+    #   group = mkOption {
+    #     type = str;
+    #     default = group;
+    #   };
+    #   mode = mkOption {
+    #     type = str;
+    #     default = mode;
+    #   };
+    # };
+    # fileOpts = perms: {
+    #   options = {
+    #     file = mkOption {
+    #       type = str;
+    #     };
+    #     parentDirectory = dirPermsOpts perms;
+    #   };
+    # };
+    # dirOpts = perms: {
+    #   options = {
+    #     directory = mkOption {
+    #       type = str;
+    #     };
+    #   } // (dirPermsOpts perms);
+    # };
+    # userDefaultPerms = {
+    #   inherit (defaultPerms) mode;
+    #   user = config.mainuser;
+    #   group = config.users.${userDefaultPerms.user}.group;
+    # };
+    # rootFile = submodule [
+    #   (fileOpts defaultPerms)
+    # ];
+    # rootDir = submodule [
+    #   (dirOpts defaultPerms)
+    # ];
+    # userFile = submodule [
+    #   (fileOpts userDefaultPerms)
+    # ];
+    # userDir = submodule [
+    #   (dirOpts userDefaultPerms)
+    # ];
+
    common = {
      directories = mkOption {
-        type = listOf path;
-        default = [ ];
-      };
-      files = mkOption {
+        # type = listOf (either str (submodule {
+        #   options = {
+        #     directory = mkOption {
+        #       type = str;
+        #       default = null;
+        #     };
+        #     user = mkOption {
+        #       type = str;
+        #       default = "root";
+        #     };
+        #     group = mkOption {
+        #       type = str;
+        #       default = "root";
+        #     };
+        #     mode = mkOption {
+        #       type = str;
+        #       default = "0755";
+        #     };
+        #   };
+        # }));
+        # type = listOf (either str rootDir);
+        type = listOf str;
+        default = [ ];
+      };
+      files = mkOption {
+        # type = listOf (either str rootFile);
        type = listOf str;
        default = [ ];
      };
-      # homeDirectories = mkOption {
-      #   type = listOf str;
-      #   default = [ ];
-      # };
      homeFiles = mkOption {
+        # type = listOf (either str userFile);
        type = listOf str;
        default = [ ];
      };
      homeDirectories = mkOption {
-        type = listOf (either str (submodule {
-          options = {
-            directory = mkOption {
-              type = str;
-              default = null;
-              description = "The directory path to be linked.";
-            };
-            method = mkOption {
-              type = enum [ "bindfs" "symlink" ];
-              default = "bindfs";
-              description = "The linking method that should be used for this directory.";
-            };
-          };
-        }));
+        # type = listOf (either str (submodule {
+        #   options = {
+        #     directory = mkOption {
+        #       type = str;
+        #       default = null;
+        #     };
+        #     method = mkOption {
+        #       type = enum [ "bindfs" "symlink" ];
+        #       default = "bindfs";
+        #     };
+        #   };
+        # }));
+        # type = listOf (either str userDir);
+        type = listOf str;
        default = [ ];
      };
    };
@ -104,23 +176,14 @@ in {
  imports = [ inputs.impermanence.nixosModules.impermanence ];

  config = mkIf cfg.enable {
-    # FIXME: use symlink instead of bind mounts?
-    # programs.fuse.userAllowOther = true;
-
    environment.persistence.${cfg.persistRoot} = {
+      hideMounts = true;
      directories = allDirectories;
      files = allFiles;
-    };
-
-    home-manager.users.${config.mainuser} = {
-      imports = [ inputs.impermanence.nixosModules.home-manager.impermanence ];
-      home.persistence."${cfg.persistRoot}${homeDirectory}" = {
+      users.${config.mainuser} = {
+        home = "/home/${config.mainuser}";
        directories = allHomeDirectories;
        files = allHomeFiles;
-        # FIXME: use symlink instead of bind mounts?
-        # allowOther = true;
-        allowOther = false;
-        removePrefixDirectory = false;
      };
    };

@ -141,25 +204,27 @@ in {
        '';
    };

-    # Euuuugh
    systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
      description = "Cleaning up cache files and directories";
      script = ''
        ${builtins.concatStringsSep "\n" (map (x: "rm ${lib.escapeShellArg x}")
          (cfg.cache.files
-            ++ absoluteHomeFiles cfg.cache.homeFiles))}
+            ++ absoluteHomePath cfg.cache.homeFiles))}

        ${builtins.concatStringsSep "\n" (map (x: "rm -rf ${lib.escapeShellArg x}")
-          (cfg.cache.directories ++ cfg.cache.homeDirectories))}
+          (cfg.cache.directories ++ absoluteHomePath cfg.cache.homeDirectories))}
      '';
      startAt = cfg.cache.clean.dates;
    };

-    # system.activationScripts = {
-    #   homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
-    #     mkdir -p ${cfg.persistRoot}${dir}
-    #     chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
-    #   '') (builtins.filter (lib.hasPrefix homeDirectory) allDirectories));
-    # };
+    system.activationScripts = {
+      homedir.text = builtins.concatStringsSep "\n" (map (dir: ''
+        mkdir -p ${cfg.persistRoot}${dir}
+        chown ${config.mainuser}:users ${cfg.persistRoot}${dir}
+      '') (
+        (builtins.filter (lib.hasPrefix cfg.homeDir) allDirectories)
+          ++ absoluteHomePath allHomeDirectories
+      ));
+    };
  };
 }
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@ -65,20 +65,21 @@ let
  '';

  decrypt = name: cfg:
-    with cfg; {
+    with cfg; let
+      doas-user = "/run/wrappers/bin/doas -u ${user}";
+    in {
      "${name}-secrets" = rec {
-
        wantedBy = [ "multi-user.target" ];
        requires = [ "user@1000.service" ];
        after = requires;

        preStart = ''
-          stat '${encrypted}'
+          ${doas-user} stat '${encrypted}'
          mkdir -p '${builtins.dirOf decrypted}'
        '';

        script = ''
-          if cat '${encrypted}' | /run/wrappers/bin/doas -u ${user} ${cfg.decrypt} > '${decrypted}.tmp'; then
+          if ${doas-user} cat '${encrypted}' | ${doas-user} ${cfg.decrypt} > '${decrypted}.tmp'; then
            mv -f '${decrypted}.tmp' '${decrypted}'
            chown '${owner}' '${decrypted}'
            chmod '${permissions}' '${decrypted}'
@ -200,10 +201,12 @@ in {
  }];

  config.persist.derivative.directories = [ "/var/secrets" ];
-  config.persist.derivative.homeDirectories = [{
-    directory = password-store-relative;
-    method = "symlink";
-  }];
+  # config.persist.derivative.homeDirectories = [ password-store-relative ];
+  config.persist.derivative.homeDirectories = [ ".local/share/password-store" ];
+  # config.persist.derivative.homeDirectories = [{
+  #   directory = password-store-relative;
+  #   method = "symlink";
+  # }];

  config.home-manager.users.${config.mainuser} = {
    systemd.user.services.activate-secrets = let
--- a/profiles/servers/vscode-server.nix
+++ b/profiles/servers/vscode-server.nix
@ -3,20 +3,18 @@
    inputs.vscode-server-fixup.nixosModules.home-manager.nixos-vscode-server
  ];

-  home-manager.users.${config.mainuser} = {
+  home-manager.users.${config.mainuser} = let
+    extensions = builtins.tryEval config.home-manager.users.${config.mainuser}.programs.vscode.extensions;
+  in {
    services.vscode-server = {
      enable = true;
-      extensions =
-        with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode;
-        # [ jnoortheen.nix-ide ];
-        [ bbenoist.nix ];
+      extensions = if extensions.success then extensions.value
+      else with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; [
+        bbenoist.nix
+      ];
      immutableExtensionsDir = true;
-      # settings = {
-      #  "nix.enableLanguageServer" = true;
-      #  "nix.serverPath" = "${inputs.rnix-lsp.defaultPackage.${pkgs.system}}/bin/rnix-lsp";
-      # };
    };
  };

-  # persist.state.homeDirectories = [ ".vscode-server" ];
+  persist.state.homeDirectories = [ ".vscode-server" ];
 }
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@ -25,6 +25,5 @@ with config.deviceSpecific; {
      };
    };
  };
-
  persist.state.homeDirectories = [ ".local/share/gnupg" ];
 }
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@ -52,13 +52,16 @@
    "/var/lib/systemd"
  ] ++ lib.optionals config.services.postgresql.enable [
    config.services.postgresql.dataDir
+  ] ++ lib.optionals config.services.mysql.enable [
+    config.services.mysql.dataDir
  ];
  persist.state.homeDirectories = [
    "projects"
-    {
-      directory = "nixos-config";
-      method = "symlink";
-    }
+    "nixos-config"
+    # {
+    #   directory = "nixos-config";
+    #   method = "symlink";
+    # }
  ] ++ lib.optionals (!config.deviceSpecific.isServer) [
    "games"
    # "persist"
--- a/profiles/workspace/zsh/default.nix
+++ b/profiles/workspace/zsh/default.nix
@ -110,5 +110,5 @@
    };
  };

-  persist.state.homeFiles = [ ".local/share/zsh/history" ];
+  persist.state.homeDirectories = [ ".local/share/zsh" ];
 }