authorIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 01:35:06 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2023-10-04 02:11:48 +0200
commit1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree1b9df4838f894577a09b9b260151756272efeb53 /flakes/lib/flake.nix
parentfa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
Squash changes containing private information
There were a lot of changes since the previous commit, but many of them contained personal information about users. All those changes were squashed into a single commit (history is kept in a different place) and the private information was moved to a separate private repository.
Diffstat (limited to 'flakes/lib/flake.nix')
-rw-r--r--flakes/lib/flake.nix76
1 files changed, 58 insertions, 18 deletions
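--- a/flakes/lib/flake.nix
+++ b/flakes/lib/flake.nix
@@ -1,28 +1,68 @@
 {
   inputs.nixpkgs.url = "github:NixOS/nixpkgs";
+  inputs.flake-parts.url = "github:hercules-ci/flake-parts";
+  inputs.disko.url = "github:nix-community/disko";
+  # replace with zhaofengli/colmena once https://github.com/zhaofengli/colmena/pull/161 is merged
+  inputs.colmena.url = "github:immae/colmena/add-lib-get-flake";
+  inputs.nixos-anywhere.url = "github:numtide/nixos-anywhere";
+  inputs.nixos-anywhere.inputs.disko.follows = "disko";
+  inputs.nixos-anywhere.inputs.flake-parts.follows = "flake-parts";
 
   description = "Useful libs";
-  outputs = { self, nixpkgs }: {
+  outputs = { self, nixpkgs, flake-parts, disko, colmena, nixos-anywhere }: {
     lib = rec {
-      computeNarHash = path:
-        let pkgs = import nixpkgs {};
-        in
-          builtins.readFile (pkgs.runCommand "narHash" {
-            buildInputs = [ pkgs.nix ];
-          } "echo -n $(nix hash-path ${path}) > $out");
+      mkColmenaFlake = { name, self, nixpkgs, system ? "x86_64-linux", nixosModules, moduleArgs ? {}, targetHost, targetUser ? "root" }:
+        flake-parts.lib.mkFlake { inputs = { inherit nixpkgs self; }; } {
+          systems = [ system ];
+          perSystem = { pkgs, ... }: {
+            apps."${name}-install" = {
+              type = "app";
+              program = pkgs.writeScriptBin "${name}-install" ''
+                #!${pkgs.stdenv.shell}
+                set -euo pipefail
+                : $SOPS_VARS_FILE
+                TEMPDIR=$(mktemp -d)
+                trap '[ -d "$TEMPDIR" ] && rm -rf "$TEMPDIR"' EXIT
 
-      withNarKeyCompat = flakeCompat: path: moduleAttrs:
-        let module = (flakeCompat path).${moduleAttrs};
-            narHash = computeNarHash path;
-        in if builtins.isFunction module
-          then args@{ config, lib, pkgs, ... }: (module args // { key = narHash; })
-          else module // { key = narHash; };
+                password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})
+                mkdir -p $TEMPDIR/boot/initrdSecrets
+                chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
+                sops -d $SOPS_VARS_FILE | yq -c '.ssh_host_keys.${name}[]' | while read -r key; do
+                  keytype=$(echo "$key" | yq -r .type)
+                  keyprivate=$(echo "$key" | yq -r .private)
+                  keypublic=$(echo "$key" | yq -r .public)
+                  echo "$keyprivate" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key
+                  echo "$keypublic" > $TEMPDIR/boot/initrdSecrets/ssh_host_''${keytype}_key.pub
+                done
+                chmod -R go-rwx $TEMPDIR/boot/initrdSecrets
 
-      withNarKey = dep: moduleAttrs:
-        let module = dep.${moduleAttrs};
-        in if builtins.isFunction module
-          then args@{ config, lib, pkgs, ... }: (module args // { key = dep.narHash; })
-          else module // { key = dep.narHash; };
+                ${nixos-anywhere.packages.${system}.nixos-anywhere}/bin/nixos-anywhere \
+                  -f .#${name}WithEncryption ${targetUser}@${targetHost} \
+                  --disk-encryption-keys /run/decrypt-key <(echo -n "$password") \
+                  --extra-files "$TEMPDIR"
+              '';
+            };
+
+          };
+          flake = {
+            nixosConfigurations.${name} = (colmena.lib.fromRawFlake self).nodes.${name};
+            nixosConfigurations."${name}WithEncryption" = let
+              selfWithEncryption = nixpkgs.lib.recursiveUpdate self { outputs.colmena.meta.specialArgs.cryptKeyFile = "/run/decrypt-key"; };
+            in
+              (colmena.lib.fromRawFlake selfWithEncryption).nodes.${name};
+            colmena = {
+              meta.nixpkgs = nixpkgs.legacyPackages.${system};
+              meta.specialArgs = moduleArgs;
+              "${name}" = {
+                deployment = { inherit targetHost targetUser; };
+                imports = builtins.attrValues self.nixosModules;
+              };
+            };
+            nixosModules = {
+              _diskoModules = disko.nixosModules.disko;
+            } // nixosModules;
+          };
+        };
     };
   };
 }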
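Review bot: The passphrase read on the `password=$(sops -d $SOPS_VARS_FILE | yq -r .cryptsetup_encryption_keys.${name})` line is handed to `--disk-encryption-keys` without any check; in the yq implementations I know, `yq -r` on a missing key prints the literal string `null` with exit status 0, so `set -euo pipefail` does not stop the script and the target disk would be initialised with "null" as its encryption key. The `: $SOPS_VARS_FILE` guard a few lines above only catches an unset variable (via `set -u`), not an empty one, and the variable is unquoted in both `sops -d` invocations. I would write the guard as `: "''${SOPS_VARS_FILE:?SOPS_VARS_FILE must point to the sops vars file}"` (the `''${` being the Nix escape for a literal `${`), quote `"$SOPS_VARS_FILE"`, and add directly after the password line `[ -n "$password" ] && [ "$password" != null ] || { echo "no cryptsetup_encryption_keys.${name} in $SOPS_VARS_FILE" >&2; exit 1; }`. Decrypting the file once into a variable instead of twice would also reduce the number of pipelines that hold the full plaintext secrets file.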