refactor: avoid importing libs

alina 🌸 2024-11-23 16:37:34 +03:00
parent 5f83ddd6df
commit 5fe8c75a26
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
30 changed files with 200 additions and 336 deletions


@ -4,6 +4,7 @@
imports = [
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix")
(abs "lib/desu")
./disk-config.nix
./services/sing-box.nix


@ -1,16 +1,9 @@
{ abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1101;
in {
imports = [
(secrets.declare [{
name = "arumi-mumble-env";
owner = "mumble";
}])
];
desu.secrets.arumi-mumble-env.owner = "mumble";
users.users.mumble = {
isNormalUser = true;
@ -33,7 +26,7 @@ in {
"64738:64738/udp"
];
environmentFiles = [
(secrets.file config "arumi-mumble-env")
config.desu.secrets.arumi-mumble-env.path
];
user = builtins.toString UID;
};


@ -1,15 +1,9 @@
{ config, abs, pkgs, ... }:
{ config, pkgs, ... }:
let
secrets = import (abs "lib/secrets.nix");
in {
imports = [
(secrets.declare [
"arumi-singbox-pk"
"arumi-singbox-sid"
"arumi-singbox-users"
])
];
{
desu.secrets.arumi-singbox-pk = {};
desu.secrets.arumi-singbox-sid = {};
desu.secrets.arumi-singbox-users = {};
services.sing-box = {
enable = true;
@ -31,9 +25,9 @@ in {
reality = {
enabled = true;
handshake = { inherit server; server_port = 443; };
private_key._secret = secrets.file config "arumi-singbox-pk";
private_key._secret = config.desu.secrets.arumi-singbox-pk.path;
short_id = [
{ _secret = secrets.file config "arumi-singbox-sid"; }
{ _secret = config.desu.secrets.arumi-singbox-sid.path; }
];
};
};
@ -49,7 +43,7 @@ in {
systemd.services.sing-box.preStart = let
file = "/etc/sing-box/config.json";
in ''
users=$(${pkgs.yaml2json}/bin/yaml2json < ${secrets.file config "arumi-singbox-users"})
users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})
${pkgs.jq}/bin/jq --arg users "$users" \
'.inbounds[0].users = ($users | fromjson | map({ "uuid": ., "flow": "xtls-rprx-vision" }))' \
${file} > ${file}.tmp
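Review bot: The decrypted user list is still passed to jq through `--arg users "$users"` right after the new line `users=$(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path})`, so the secret UUIDs sit in the jq process's argument list for the duration of the call; the path change keeps that as it was. Feeding the file to jq directly, e.g. `${pkgs.jq}/bin/jq --rawfile users <(${pkgs.yaml2json}/bin/yaml2json < ${config.desu.secrets.arumi-singbox-users.path}) \` with the `fromjson` filter unchanged, keeps it out of argv, assuming preStart runs under bash (process substitution needs it). The three `desu.secrets.arumi-singbox-* = {};` declarations take the module defaults from lib/desu/secrets.nix (owner "0", mode "0400"), so this preStart only works if the unit runs it as root; if the service runs as an unprivileged user the read would fail at start. The preStart script continues outside the hunk.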


@ -1,19 +1,12 @@
{ abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1100;
in {
# we use cf tunnels because 443 port is used by the proxy,
# and it's also generally easierbrew install cloudflared &&
# and it's also generally easier
imports = [
(secrets.declare [{
name = "arumi-cf-token";
owner = "uptime-kuma";
}])
];
desu.secrets.arumi-cf-token.owner = "uptime-kuma";
users.users.uptime-kuma = {
isNormalUser = true;
@ -31,7 +24,7 @@ in {
PGID = builtins.toString UID;
};
environmentFiles = [
(secrets.file config "arumi-cf-token")
config.desu.secrets.arumi-cf-token.path
];
};


@ -8,6 +8,7 @@
imports = [
(abs "hosts/nixos-common.nix")
(abs "users/teidesu/server.nix")
(abs "lib/desu")
./hardware-configuration.nix
./partials/fde.nix


@ -1,16 +1,9 @@
{ abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1105;
in {
imports = [
(secrets.declare [{
name = "channel-logger-bot-env";
owner = "channel-logger-bot";
}])
];
desu.secrets.channel-logger-bot-env.owner = "channel-logger-bot";
users.groups.channel-logger-bot = {};
users.users.channel-logger-bot = {
@ -25,7 +18,7 @@ in {
"/srv/channel-logger-bot:/app/bot-data"
];
environmentFiles = [
(secrets.file config "channel-logger-bot-env")
config.desu.secrets.channel-logger-bot-env.path
];
environment.MTCUTE_LOG_LEVEL = "5";
user = builtins.toString UID;


@ -1,16 +1,9 @@
{ abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1101;
in {
imports = [
(secrets.declare [{
name = "pcresub-bot-env";
owner = "pcre-sub-bot";
}])
];
desu.secrets.pcresub-bot-env.owner = "pcre-sub-bot";
users.groups.pcre-sub-bot = {};
users.users.pcre-sub-bot = {
@ -25,7 +18,7 @@ in {
"/srv/pcre-sub-bot:/app/bot-data"
];
environmentFiles = [
(secrets.file config "pcresub-bot-env")
config.desu.secrets.pcresub-bot-env.path
];
user = builtins.toString UID;
};


@ -1,20 +1,13 @@
{ pkgs, abs, config, ... } @ inputs:
let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
env = import (abs "lib/env.nix") inputs;
UID = 1108;
bridgeConfig = pkgs.writeText "config.yaml" (builtins.toJSON (import ./config.nix));
in {
imports = [
(secrets.declare [{
name = "mautrix-tg-env";
owner = "mautrix";
}])
];
desu.secrets.mautrix-tg-env.owner = "mautrix";
users.groups.mautrix = {};
users.users.mautrix = {
@ -41,7 +34,7 @@ in {
};
entrypoint = "/entrypoint.sh";
environmentFiles = [
(secrets.file config "mautrix-tg-env")
config.desu.secrets.mautrix-tg-env.path
];
user = builtins.toString UID;
};


@ -1,18 +1,14 @@
{ abs, config, ... } @ inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1107;
in {
imports = [
(secrets.declare [{
name = "conduwuit-env";
owner = "conduwuit";
}])
./bridges/telegram
];
desu.secrets.conduwuit-env.owner = "conduwuit";
users.groups.conduwuit = {};
users.users.conduwuit = {
isNormalUser = true;
@ -29,7 +25,7 @@ in {
CONDUWUIT_CONFIG = "/conduwuit.toml";
};
environmentFiles = [
(secrets.file config "conduwuit-env")
config.desu.secrets.conduwuit-env.path
];
user = builtins.toString UID;
};


@ -1,23 +1,15 @@
{ abs, pkgs, config, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1111;
in {
imports = [
(secrets.declare [
{
name = "kanidm-tls-key";
owner = "kanidm";
}
{
name = "kanidm-tls-cert";
owner = "kanidm";
}
])
./proxy.nix
];
desu.secrets.kanidm-tls-key.owner = "kanidm";
desu.secrets.kanidm-tls-cert.owner = "kanidm";
users.users.kanidm = {
isNormalUser = true;
uid = UID;
@ -30,8 +22,8 @@ in {
"${./server.toml}:/data/server.toml"
"${./style.css}:/hpkg/style.css"
"${./fish.png}:/hpkg/img/fish.png"
"${(secrets.file config "kanidm-tls-key")}:/data/key.pem"
"${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem"
"${config.desu.secrets.kanidm-tls-key.path}:/data/key.pem"
"${config.desu.secrets.kanidm-tls-cert.path}:/data/chain.pem"
];
user = "${builtins.toString UID}";


@ -1,16 +1,9 @@
{ abs, config, ... } @ inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1102;
in {
imports = [
(secrets.declare [{
name = "navidrome-env";
owner = "navidrome";
}])
];
desu.secrets.navidrome-env.owner = "navidrome";
users.groups.navidrome = {};
users.users.navidrome = {
@ -29,7 +22,7 @@ in {
ND_CONFIGFILE = "/navidrome.toml";
};
environmentFiles = [
(secrets.file config "navidrome-env")
config.desu.secrets.navidrome-env.path
];
user = builtins.toString UID;
};


@ -1,17 +1,10 @@
{ abs, config, pkgs, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1106;
in {
imports = [
(secrets.declare [{
name = "bluesky-pds-secrets";
owner = "bluesky-pds";
}])
];
desu.secrets.bluesky-pds-secrets.owner = "bluesky-pds";
users.groups.bluesky-pds = {};
users.users.bluesky-pds = {
@ -40,7 +33,7 @@ in {
};
environmentFiles = [
# PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX
(secrets.file config "bluesky-pds-secrets")
config.desu.secrets.bluesky-pds-secrets.path
];
user = builtins.toString UID;
};


@ -1,19 +1,15 @@
{ pkgs, abs, config, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1112;
WEBDAV_PORT = 16821;
in {
imports = [
(secrets.declare [{
name = "sftpgo-env";
owner = "sftpgo";
}])
./samba.nix
];
desu.secrets.sftpgo-env.owner = "sftpgo";
users.users.sftpgo = {
isNormalUser = true;
uid = UID;
@ -44,7 +40,7 @@ in {
SFTPGO_HTTPD__BINDINGS__0__OIDC__IMPLICIT_ROLES = "true";
};
environmentFiles = [
(secrets.file config "sftpgo-env")
config.desu.secrets.sftpgo-env.path
];
ports = [
"${builtins.toString WEBDAV_PORT}:80"


@ -1,10 +1,8 @@
{ abs, pkgs, ... }@inputs:
{ pkgs, ... }:
let
UID = 1104;
trivial = import (abs "lib/trivial.nix") inputs;
context = trivial.storeDirectory ./.;
context = pkgs.copyPathToStore ./.;
in {
users.users.misskey = {
isNormalUser = true;


@ -1,18 +1,9 @@
{ abs, pkgs, config, ... }@inputs:
{ pkgs, ... }:
let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
UID = 1113;
context = trivial.storeDirectory ./image;
context = pkgs.copyPathToStore ./image;
in {
imports = [
(secrets.declare [{
name = "siyuan-teidesu-proxy-env";
owner = "siyuan-teidesu";
}])
];
users.users.siyuan-teidesu = {
isNormalUser = true;
uid = UID;
@ -40,6 +31,7 @@ in {
"d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
desu.secrets.siyuan-teidesu-proxy-env.owner = "siyuan-teidesu";
desu.openid-proxy.services.siyuan-teidesu = {
clientId = "teidesu-siyuan";
domain = "siyuan.tei.su";


@ -1,16 +1,9 @@
{ abs, config, ... } @ inputs:
{ config, ... } @ inputs:
let
secrets = import (abs "lib/secrets.nix");
UID = 1103;
in {
imports = [
(secrets.declare [{
name = "teisu-env";
owner = "teisu";
}])
];
desu.secrets.teisu-env.owner = "teisu";
users.users.teisu = {
isNormalUser = true;
@ -23,7 +16,7 @@ in {
"/srv/teisu:/app/.runtime"
];
environmentFiles = [
(secrets.file config "teisu-env")
config.desu.secrets.teisu-env.path
];
user = builtins.toString UID;
};
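Review bot: The new signature `{ config, ... } @ inputs:` keeps the `@ inputs` binding although nothing left in this hunk uses it; the `abs`-based `import ... inputs` lines were the only visible consumers, and the sibling files in this commit dropped the binding along with them. Unless `inputs` is referenced further down the file, outside the hunk, `{ config, ... }:` would match the rest of the change. The enclosing attrset continues outside the hunk.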


@ -1,16 +1,12 @@
{ abs, lib, pkgs, config, ... }@inputs:
{ abs, pkgs, config, ... }@inputs:
let
containers = (import (abs "lib/containers.nix") inputs);
secrets = import (abs "lib/secrets.nix");
dlWebhook = secrets.mount config "qbt-dl-webhook";
in
{
desu.secrets.qbt-dl-webhook.mode = "777";
desu.secrets.torrent-proxy-env.mode = "777";
imports = [
(secrets.declare [
{ name = "qbt-dl-webhook"; mode = "777"; }
{ name = "torrent-proxy-env"; mode = "777"; }
])
(containers.mkNixosContainer {
name = "torrent";
ephemeral = false;
@ -26,7 +22,7 @@ in
};
setup = { config, ... }: ''
mkdir -p /var/lib/qbittorrent/temp
dl_webhook=`cat ${dlWebhook.path}`
dl_webhook=`cat /mnt/secrets/qbt-dl-webhook`
sed -i "s|%DL_WEBHOOK%|$dl_webhook|g" ${config}
'';
config = {
@ -71,7 +67,11 @@ in
hostPath = "/mnt/puffer/Downloads";
isReadOnly = false;
};
} // (dlWebhook.mounts);
"/mnt/secrets/qbt-dl-webhook" = {
hostPath = config.desu.secrets.qbt-dl-webhook.path;
isReadOnly = true;
};
};
})
];
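Review bot: `desu.secrets.qbt-dl-webhook.mode = "777";` and `desu.secrets.torrent-proxy-env.mode = "777";` keep the decrypted files readable, writable and executable by every user on the host, which is wider than the new mount needs: `"/mnt/secrets/qbt-dl-webhook"` is declared `isReadOnly = true` and is read by the container's `setup` script, so the module default (mode "0400", owner "0") should be enough if the container shares the host's uid space, or `"0444"` at most if mkNixosContainer maps users — worth confirming against lib/containers.nix. The in-container path `/mnt/secrets/qbt-dl-webhook` is now spelled twice (the `cat` in `setup` and the bind-mount key) where the removed `dlWebhook.path` bound it once; a `let` binding for it would keep the two from drifting. `torrent-proxy-env` has no consumer in this hunk, so its mode cannot be judged here. The `mkNixosContainer` call spans beyond the hunk.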


@ -1,16 +1,9 @@
{ abs, pkgs, config, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1109;
in {
imports = [
(secrets.declare [{
name = "vaultwarden-env";
owner = "vaultwarden";
}])
];
desu.secrets.vaultwarden-env.owner = "vaultwarden";
virtualisation.oci-containers.containers.vaultwarden = {
image = "vaultwarden/server:1.32.5-alpine";
@ -26,7 +19,7 @@ in {
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "ssh-key-vault-item,ssh-agent,extension-refresh";
};
environmentFiles = [
(secrets.file config "vaultwarden-env")
config.desu.secrets.vaultwarden-env.path
];
user = builtins.toString UID;
};


@ -3,7 +3,7 @@ storage: /verdaccio/storage
web:
enable: true
title: alina's personal registry
title: alina's personal registry meow
primary_color: "#be15dc"
uplinks:


@ -1,19 +1,9 @@
{ abs, pkgs, config, ... } @ inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
trivial = import (abs "lib/trivial.nix") inputs;
configDrv = trivial.storeDirectory ./config;
UID = 1100;
in {
imports = [
(secrets.declare [{
name = "verdaccio-htpasswd";
owner = "verdaccio";
}])
];
desu.secrets.verdaccio-htpasswd.owner = "verdaccio";
users.users.verdaccio = {
isNormalUser = true;
@ -23,8 +13,8 @@ in {
virtualisation.oci-containers.containers.verdaccio = {
image = "verdaccio/verdaccio:5.31@sha256:c77fec2127a1c3d17fc0795786f1e1bd88258e6d7af1835786ced4f7c7287da8";
volumes = [
"${configDrv}:/verdaccio/conf"
"${secrets.file config "verdaccio-htpasswd"}:/verdaccio/htpasswd"
"${./config.yaml}:/verdaccio/conf/config.yaml"
"${config.desu.secrets.verdaccio-htpasswd.path}:/verdaccio/htpasswd"
"/srv/verdaccio/storage:/verdaccio/storage"
"/srv/verdaccio/plugins:/verdaccio/plugins"
];


@ -1,18 +1,9 @@
{ abs, pkgs, config, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1115;
in {
imports = [
(secrets.declare [
{
name = "wakapi-env";
owner = "wakapi";
}
])
];
desu.secrets.wakapi-env.owner = "wakapi";
users.users.wakapi = {
isNormalUser = true;
@ -55,7 +46,7 @@ in {
};
environmentFiles = [
(secrets.file config "wakapi-env")
config.desu.secrets.wakapi-env.path
];
user = "${builtins.toString UID}";


@ -1,20 +1,9 @@
{ abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
UID = 1116;
in {
# todo 2: update UMAMI_HOST in teisu-env
imports = [
(secrets.declare [
{
name = "umami-env";
owner = "umami";
}
])
];
desu.secrets.umami-env.owner = "umami";
users.users.umami = {
isNormalUser = true;
@ -39,7 +28,7 @@ in {
};
environmentFiles = [
(secrets.file config "umami-env")
config.desu.secrets.umami-env.path
];
user = "${builtins.toString UID}";


@ -1,11 +1,9 @@
{ abs, pkgs, ... } @ inputs:
{ pkgs, ... }:
let
trivial = import (abs "lib/trivial.nix") inputs;
in {
{
services.nginx.virtualHosts."stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
root = trivial.storeDirectory ./assets;
root = pkgs.copyPathToStore ./assets;
};
}


@ -1,13 +1,8 @@
{ pkgs, abs, config, ... }@inputs:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
in {
# sadly due to our network setup we cant properly extract this to a container
# not a big deal though, since we only need to run it once
imports = [
(secrets.declare ["cloudflare-email" "cloudflare-token"])
];
{
desu.secrets.cloudflare-email.owner = "nginx";
desu.secrets.cloudflare-token.owner = "nginx";
services.nginx = {
enable = true;
@ -78,8 +73,8 @@ in {
group = "nginx";
dnsProvider = "cloudflare";
credentialFiles = {
"CLOUDFLARE_EMAIL_FILE" = config.age.secrets.cloudflare-email.path;
"CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflare-token.path;
"CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
"CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
};
};
in {
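Review bot: `desu.secrets.cloudflare-email.owner = "nginx";` and the matching `-token` line give the files to the nginx user, but the only reader in this section is the ACME `credentialFiles` block, which belongs to the acme service (`group = "nginx"` is the certificate group, not the service user). If the acme module hands `credentialFiles` to lego via systemd `LoadCredential`, the file is read as root and the owner is irrelevant, so the module default owner "0" / mode "0400" is the tighter choice; if instead it is opened as the acme user, owner nginx with the default mode "0400" would block the read at renewal time. Either way the owner should name the actual reader, so it is worth checking which path the module on this NixOS version takes. The surrounding `let`/`in` continues outside the hunk.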


@ -1,20 +1,14 @@
{ pkgs, abs, config, ... }:
{ config, ... }:
let
secrets = import (abs "lib/secrets.nix");
secretsUnsafe = pkgs.callPackage (abs "lib/secrets-unsafe.nix") {};
in {
imports = [
(secrets.declare [
"arumi-singbox-pub"
"arumi-singbox-sid"
"arumi-singbox-koi-uuid"
"vless-sakura-ip"
"vless-sakura-pk"
"vless-sakura-sid"
"vless-sakura-uuid"
])
];
{
desu.secrets.arumi-singbox-pub = {};
desu.secrets.arumi-singbox-sid = {};
desu.secrets.arumi-singbox-koi-uuid = {};
desu.secrets.vless-sakura-ip = {};
desu.secrets.vless-sakura-pk = {};
desu.secrets.vless-sakura-sid = {};
desu.secrets.vless-sakura-uuid = {};
services.sing-box = {
enable = true;
@ -36,7 +30,7 @@ in {
tag = "xtls-arumi";
type = "vless";
flow = "xtls-rprx-vision";
server = secretsUnsafe.readUnsafe "arumi-ip";
server = config.desu.readUnsafeSecret "arumi-ip";
server_port = 443;
domain_strategy = "";
packet_encoding = "";
@ -46,32 +40,32 @@ in {
server_name = "updates.cdn-apple.com";
reality = {
enabled = true;
public_key._secret = secrets.file config "arumi-singbox-pub";
short_id._secret = secrets.file config "arumi-singbox-sid";
public_key._secret = config.desu.secrets.arumi-singbox-pub.path;
short_id._secret = config.desu.secrets.arumi-singbox-sid.path;
};
utls = { enabled = true; fingerprint = "edge"; };
};
uuid._secret = secrets.file config "arumi-singbox-koi-uuid";
uuid._secret = config.desu.secrets.arumi-singbox-koi-uuid.path;
}
{
# thanks kamillaova
tag = "xtls-sakura";
flow = "xtls-rprx-vision";
server._secret = secrets.file config "vless-sakura-ip";
server._secret = config.desu.secrets.vless-sakura-ip.path;
server_port = 443;
tls = {
alpn = [ "h2" ];
enabled = true;
reality = {
enabled = true;
public_key._secret = secrets.file config "vless-sakura-pk";
short_id._secret = secrets.file config "vless-sakura-sid";
public_key._secret = config.desu.secrets.vless-sakura-pk.path;
short_id._secret = config.desu.secrets.vless-sakura-sid.path;
};
server_name = "telegram.org";
utls = { enabled = true; fingerprint = "edge"; };
};
type = "vless";
uuid._secret = secrets.file config "vless-sakura-uuid";
uuid._secret = config.desu.secrets.vless-sakura-uuid.path;
}
{
tag = "final";


@ -1,7 +1,5 @@
{ pkgs, lib, ... }@inputs:
let
trivial = import ./trivial.nix inputs;
in
{ ... }:
{
# this function is quite deeply tied to my home network setup
# i should make it more generic one day
@ -48,71 +46,4 @@ in
localAddress = "${ip}/16";
}) // containerConfig;
};
# nixos oci-containers fucking suck, so we just do a one-shot
# systemd service that invokes docker-compose
#
# not very reproducible nor declarative, but compatible with pretty much
# anything, which is (imo) more important for a home server
mkDockerComposeContainer =
{ directory
, name ? builtins.baseNameOf directory
, autoStart ? true
, extraConfig ? { }
, env ? { }
, envFiles ? [ ]
, extraFlags ? [ ]
, after ? [ ]
}:
let
# referencing the file directly would make the service dependant
# on the entire flake, resulting in the container being restarted
# every time we change anything at all
storeDir = trivial.storeDirectory directory;
inlineEnvNames = builtins.attrNames env;
inlineEnvDrv = lib.optionals (builtins.length inlineEnvNames != 0) [
(pkgs.writeText "${name}.env" (
builtins.concatStringsSep "\n" (
map (name: "${name}=${builtins.toJSON env.${name}}") inlineEnvNames
)
))
];
allEnvFiles = envFiles ++ inlineEnvDrv;
cmdline = builtins.concatStringsSep " " (
[
"--build"
"--remove-orphans"
] ++ extraFlags
);
cmdlineBeforeUp = builtins.concatStringsSep " " (
map (env: "--env-file ${lib.escapeShellArg env}") allEnvFiles
);
in
{
systemd.services."docker-compose-${name}" = {
wantedBy = if autoStart then [ "multi-user.target" ] else [ ];
after = [ "docker.service" "docker.socket" ] ++ after;
serviceConfig = {
WorkingDirectory = storeDir;
ExecStart = "${pkgs.docker}/bin/docker compose ${cmdlineBeforeUp} up ${cmdline}";
ExecStopPost = "${pkgs.docker}/bin/docker compose down";
} // (extraConfig.serviceConfig or { });
} // (builtins.removeAttrs extraConfig [ "serviceConfig" ]);
};
# buildDockerfile = { name, context }: builtins.derivation {
# name = "${name}-image";
# # __noChroot = true;
# src = context;
# builder = pkgs.writeShellScript "builder.sh" (let
# docker = "${pkgs.docker}/bin/docker";
# in ''
# ${docker} build -t ${name} $src
# ${docker} save -o $out ${name}
# ${docker} image rm ${name}
# '');
# system = pkgs.system;
# };
}

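--- /dev/null
+++ b/lib/desu/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./secrets.nix
+];
+}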


@ -0,0 +1,22 @@
{
age,
writeShellScript,
system,
...
}:
{
readUnsafe = name: let
identityPath = ../secrets/unsafe.key;
path = ../secrets + "/UNSAFE.${name}.age";
drv = builtins.derivation {
system = system;
name = name;
src = path;
builder = writeShellScript "read-${name}.sh" ''
${age}/bin/age --decrypt --identity ${identityPath} $src > $out
'';
};
in builtins.readFile drv;
}
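Review bot: `readUnsafe` here duplicates `desu.readUnsafeSecret` in lib/desu/secrets.nix from the same commit almost line for line (identity file, the `UNSAFE.${name}.age` naming, the age derivation), and the only caller of the callPackage form visible in this commit, the sing-box client config, now calls `config.desu.readUnsafeSecret` instead. Unless a consumer outside this diff still depends on the callPackage form, keeping only the module version avoids two copies of the decryption logic drifting apart. Both copies interpolate `${identityPath}` into the builder script, which copies the age identity key into the Nix store alongside the decrypted output, where every local user can read them; the UNSAFE naming already signals this, but a header comment such as `# build-time decryption: the identity key and the decrypted value both end up in the Nix store` would state it for the next reader.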

lib/desu/secrets.nix Normal file

@ -0,0 +1,66 @@
{ config, pkgs, lib, ... }:
{
options = with lib; {
desu.readUnsafeSecret = mkOption { type = types.anything; };
desu.secrets = mkOption {
type = types.attrsOf (types.submodule ({ name, ... }: {
options = {
path = mkOption {
type = types.str;
default = config.age.secrets.${name}.path;
};
unsafe = mkOption {
type = types.bool;
default = false;
};
mode = mkOption {
type = types.str;
default = "0400";
};
owner = mkOption {
type = types.str;
default = "0";
};
group = mkOption {
type = types.str;
default = "0";
};
};
}));
};
};
config = {
desu.readUnsafeSecret = name: let
identityPath = ../../secrets/unsafe.key;
path = ../../secrets + "/UNSAFE.${name}.age";
drv = builtins.derivation {
system = pkgs.system;
name = name;
src = path;
builder = pkgs.writeShellScript "read-${name}.sh" ''
${pkgs.age}/bin/age --decrypt --identity ${identityPath} $src > $out
'';
};
in builtins.readFile drv;
age.secrets = builtins.listToAttrs (
map (name: let
cfg = config.desu.secrets.${name};
in {
# unsafe secrets are handled at build-time
name = if cfg.unsafe then null else name;
value = {
file = ../../secrets + "/${name}.age";
owner = cfg.owner;
group = cfg.group;
mode = cfg.mode;
};
}) (builtins.attrNames config.desu.secrets)
);
};
}
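Review bot: `name = if cfg.unsafe then null else name;` in the `age.secrets` mapping does not skip unsafe entries as the comment above it intends: `builtins.listToAttrs` requires a string-valued `name`, so the first secret declared with `unsafe = true` makes `age.secrets` fail to evaluate, and the `path` default `config.age.secrets.${name}.path` would have no entry for it either. Filtering before the map does what is meant: keep `name = name;` and replace the list argument with `(builtins.filter (n: !config.desu.secrets.${n}.unsafe) (builtins.attrNames config.desu.secrets))`. Separately, `desu.readUnsafeSecret = mkOption { type = types.anything; }` loses all checking on what is stored there; if the value is only ever the name-to-string function defined below, `type = types.functionTo types.str;` documents that contract.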


@ -1,24 +0,0 @@
{ pkgs, ... }@inputs:
{
storeDirectory = dir:
let
dirName = builtins.baseNameOf dir;
drv = derivation {
name = dirName;
src = dir;
builder = pkgs.writeShellScript "builder.sh" ''
${pkgs.coreutils}/bin/mkdir -p $out/${dirName}
for i in $(${pkgs.coreutils}/bin/ls -A $src); do
${pkgs.coreutils}/bin/cp -rf $src/$i $out/${dirName}
done
'';
system = pkgs.system;
};
in
"${drv}/${dirName}";
yaml2json = file: pkgs.runCommand "yaml2json" { buildInputs = [ pkgs.yq ]; } ''
yq -j < ${file} > $out
'';
}