Use Colmena's experimental flake-eval feature

Don't extract sops keys as root
This commit is contained in:
Pim Kunis 2024-11-30 23:22:16 +01:00
parent 842d2afbc0
commit a29d10e507
5 changed files with 139 additions and 30 deletions


@ -12,11 +12,11 @@ Currently managed systems:
Create garbage collection roots like so: Create garbage collection roots like so:
``` ```
colmena build --keep-result colmena build --keep-result --experimental-flake-eval
``` ```
- **sue**: `colmena apply-local --sudo --impure` - **sue**: `sudo colmena apply-local --sudo --experimental-flake-eval`
- **gamepc**: `colmena apply --on gamepc --impure` - **gamepc**: `colmena apply --on gamepc --experimental-flake-eval`
> [!NOTE] > [!NOTE]
> Currently the `--impure` is necessary until I upgrade to NixOS 24.11. See [this PR](https://github.com/zhaofengli/colmena/pull/228). > Currently the `--experimental-flake-eval` flag is necessary. See [this PR](https://github.com/zhaofengli/colmena/pull/228).


@ -1,6 +1,7 @@
inputs @ { inputs @ {
self, self,
nixpkgs, nixpkgs,
colmena,
... ...
}: { }: {
colmena = { colmena = {
@ -35,4 +36,6 @@ inputs @ {
]; ];
}; };
}; };
colmenaHive = colmena.lib.makeHive self.outputs.colmena;
} }
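Review bot: The new `colmenaHive` output on the last hunk line carries no comment saying why it exists next to the `colmena` attrset it wraps, and a reader of this module cannot tell that it is the output `colmena --experimental-flake-eval` appears to evaluate (the flag this commit switches the README to). Suggest `# Hive output consumed by colmena when run with --experimental-flake-eval; wraps the legacy `colmena` attrset above (see zhaofengli/colmena#228).` placed directly above it. The enclosing attribute set starts before this hunk.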


@ -114,6 +114,28 @@
"type": "github" "type": "github"
} }
}, },
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs",
"stable": "stable"
},
"locked": {
"lastModified": 1731527002,
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -168,6 +190,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -183,7 +221,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": { "flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -199,7 +237,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_3": { "flake-compat_4": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1717312683, "lastModified": 1717312683,
@ -215,7 +253,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_4": { "flake-compat_5": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -253,6 +291,21 @@
} }
}, },
"flake-utils": { "flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
}, },
@ -270,7 +323,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": { "flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
}, },
@ -288,7 +341,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": { "flake-utils_4": {
"inputs": { "inputs": {
"systems": [ "systems": [
"stylix", "stylix",
@ -327,7 +380,7 @@
}, },
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"gitignore": "gitignore", "gitignore": "gitignore",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
@ -453,9 +506,9 @@
"lanzaboote": { "lanzaboote": {
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_3",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@ -477,6 +530,27 @@
"type": "github" "type": "github"
} }
}, },
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-index-database": { "nix-index-database": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -515,8 +589,8 @@
}, },
"nixos-cosmic": { "nixos-cosmic": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_4",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-stable": [ "nixpkgs-stable": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
@ -569,11 +643,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1732521221, "lastModified": 1730785428,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=", "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d", "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -632,6 +706,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1732521221,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1732824227, "lastModified": 1732824227,
"narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=", "narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
@ -647,7 +737,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1725194671, "lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@ -663,7 +753,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1731890469, "lastModified": 1731890469,
"narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=", "narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=",
@ -727,8 +817,9 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"colmena": "colmena",
"disko": "disko", "disko": "disko",
"flake-utils": "flake-utils", "flake-utils": "flake-utils_2",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
@ -737,7 +828,7 @@
"nixos-cosmic": "nixos-cosmic", "nixos-cosmic": "nixos-cosmic",
"nixos-facter-modules": "nixos-facter-modules", "nixos-facter-modules": "nixos-facter-modules",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
@ -811,6 +902,22 @@
"type": "github" "type": "github"
} }
}, },
"stable": {
"locked": {
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
@ -820,11 +927,11 @@
"base16-kitty": "base16-kitty", "base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux", "base16-tmux": "base16-tmux",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_4",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": { "locked": {
@ -889,7 +996,7 @@
}, },
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1732894027, "lastModified": 1732894027,


@ -10,6 +10,7 @@
nixos-facter-modules.url = "github:numtide/nixos-facter-modules"; nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
colmena.url = "github:zhaofengli/colmena";
git-hooks = { git-hooks = {
url = "github:cachix/git-hooks.nix"; url = "github:cachix/git-hooks.nix";
@ -57,6 +58,7 @@
self, self,
nixpkgs, nixpkgs,
flake-utils, flake-utils,
colmena,
... ...
}: }:
(flake-utils.lib.meld inputs [ (flake-utils.lib.meld inputs [
@ -70,8 +72,7 @@
devShells.default = nixpkgs.legacyPackages.${system}.mkShell { devShells.default = nixpkgs.legacyPackages.${system}.mkShell {
inherit (self.checks.${system}.pre-commit-check) shellHook; inherit (self.checks.${system}.pre-commit-check) shellHook;
buildInputs = buildInputs =
self.checks.${system}.pre-commit-check.enabledPackages self.checks.${system}.pre-commit-check.enabledPackages ++ [colmena.defaultPackage.${system}];
++ (with nixpkgs.legacyPackages.${system}; [colmena]);
}; };
}); });
} }
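Review bot: The new `colmena.url` input on line 329 does not follow the root `nixpkgs`, so the accompanying lock now carries colmena's own `nixpkgs`, a `stable` nixos-24.05 nixpkgs, `flake-utils` and `nix-github-actions` as additional trusted source trees (the old `nixpkgs` entry is displaced to `nixpkgs_2` in the lock). Adding `colmena.inputs.nixpkgs.follows = "nixpkgs";` under the url line keeps the dependency graph to inputs this flake already vets and avoids evaluating a second nixpkgs. On line 344, `colmena.defaultPackage.${system}` is the legacy output name; if colmena's flake exposes `packages.${system}.default`, prefer that form. The input has no ref, so it tracks colmena's default branch on each `nix flake update`, which is acceptable as long as lock changes are reviewed.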


@ -60,12 +60,10 @@
if user == "root" if user == "root"
then "/root" then "/root"
else "/home/${user}"; else "/home/${user}";
maybeSudo = lib.optional (user == "root") "sudo";
sops = lib.getExe pkgs.sops;
in { in {
name = "${user}-sops-age-key"; name = "${user}-sops-age-key";
value = { value = {
keyCommand = maybeSudo ++ ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)]; keyCommand = ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
name = "keys.txt"; name = "keys.txt";
destDir = "${homeDirectory}/.config/sops/age"; destDir = "${homeDirectory}/.config/sops/age";
inherit user; inherit user;
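Review bot: The new `keyCommand` on line 361 still resolves sops through `nix run nixpkgs#sops`, i.e. whatever `nixpkgs` the deploying user's flake registry points at, so the binary that decrypts the age key is not pinned by this flake's lock; the removed `sops = lib.getExe pkgs.sops;` binding was never used, so dropping it loses nothing, but it was the pinned alternative. Where deployer and target share a `system`, `keyCommand = [ (lib.getExe pkgs.sops) "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile) ];` uses the locked package; otherwise pin the flakeref explicitly (e.g. `nix run <locked-nixpkgs-flakeref>#sops`). A one-line comment that this command presumably runs on the deploying machine as the invoking user, which is the reason `maybeSudo` is dropped, would make the commit's intent visible in the code. The `let` block this hunk edits starts before the hunk.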