Use Colmena's experimental flake-eval feature

Don't extract sops keys as root
Pim Kunis 2024-11-30 23:22:16 +01:00
parent 842d2afbc0
commit a29d10e507
5 changed files with 139 additions and 30 deletions


@ -12,11 +12,11 @@ Currently managed systems:
Create garbage collection roots like so:
```
colmena build --keep-result
colmena build --keep-result --experimental-flake-eval
```
- **sue**: `colmena apply-local --sudo --impure`
- **gamepc**: `colmena apply --on gamepc --impure`
- **sue**: `sudo colmena apply-local --sudo --experimental-flake-eval`
- **gamepc**: `colmena apply --on gamepc --experimental-flake-eval`
> [!NOTE]
> Currently the `--impure` is necessary until I upgrade to NixOS 24.11. See [this PR](https://github.com/zhaofengli/colmena/pull/228).
> Currently the `--experimental-flake-eval` flag is necessary. See [this PR](https://github.com/zhaofengli/colmena/pull/228).


@ -1,6 +1,7 @@
inputs @ {
self,
nixpkgs,
colmena,
...
}: {
colmena = {
@ -35,4 +36,6 @@ inputs @ {
];
};
};
colmenaHive = colmena.lib.makeHive self.outputs.colmena;
}


@ -114,6 +114,28 @@
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs",
"stable": "stable"
},
"locked": {
"lastModified": 1731527002,
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"crane": {
"inputs": {
"flake-compat": [
@ -168,6 +190,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -183,7 +221,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -199,7 +237,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1717312683,
@ -215,7 +253,7 @@
"type": "github"
}
},
"flake-compat_4": {
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -253,6 +291,21 @@
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
@ -270,7 +323,7 @@
"type": "github"
}
},
"flake-utils_2": {
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
@ -288,7 +341,7 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_4": {
"inputs": {
"systems": [
"stylix",
@ -327,7 +380,7 @@
},
"git-hooks": {
"inputs": {
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs-unstable"
@ -453,9 +506,9 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
],
@ -477,6 +530,27 @@
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
@ -515,8 +589,8 @@
},
"nixos-cosmic": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs",
"flake-compat": "flake-compat_4",
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": [
"nixpkgs-unstable"
],
@ -569,11 +643,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1732521221,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
"lastModified": 1730785428,
"narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
"rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
"type": "github"
},
"original": {
@ -632,6 +706,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1732521221,
"narHash": "sha256-2ThgXBUXAE1oFsVATK1ZX9IjPcS4nKFOAjhPNKuiMn0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4633a7c72337ea8fd23a4f2ba3972865e3ec685d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1732824227,
"narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
@ -647,7 +737,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
@ -663,7 +753,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1731890469,
"narHash": "sha256-D1FNZ70NmQEwNxpSSdTXCSklBH1z2isPR84J6DQrJGs=",
@ -727,8 +817,9 @@
},
"root": {
"inputs": {
"colmena": "colmena",
"disko": "disko",
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"git-hooks": "git-hooks",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
@ -737,7 +828,7 @@
"nixos-cosmic": "nixos-cosmic",
"nixos-facter-modules": "nixos-facter-modules",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
"sops-nix": "sops-nix",
@ -811,6 +902,22 @@
"type": "github"
}
},
"stable": {
"locked": {
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",
@ -820,11 +927,11 @@
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_3",
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_4",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_4",
"systems": "systems_3"
},
"locked": {
@ -889,7 +996,7 @@
},
"treefmt-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1732894027,


@ -10,6 +10,7 @@
nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
flake-utils.url = "github:numtide/flake-utils";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
colmena.url = "github:zhaofengli/colmena";
git-hooks = {
url = "github:cachix/git-hooks.nix";
@ -57,6 +58,7 @@
self,
nixpkgs,
flake-utils,
colmena,
...
}:
(flake-utils.lib.meld inputs [
@ -70,8 +72,7 @@
devShells.default = nixpkgs.legacyPackages.${system}.mkShell {
inherit (self.checks.${system}.pre-commit-check) shellHook;
buildInputs =
self.checks.${system}.pre-commit-check.enabledPackages
++ (with nixpkgs.legacyPackages.${system}; [colmena]);
self.checks.${system}.pre-commit-check.enabledPackages ++ [colmena.defaultPackage.${system}];
};
});
}
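Review bot: `colmena.url = "github:zhaofengli/colmena";` pins no ref or rev, so the lock fixes a commit today but any later `nix flake update` silently moves to whatever is on the default branch; for a tool that runs key-extraction commands on the deployer and activates systems as root, a tag or rev in the URL is worth the small maintenance cost. The input also declares no `inputs.nixpkgs.follows`, which is why the lock in this commit now carries a second full nixpkgs tree (`colmena` → `nixpkgs` at a different rev from the root's `nixpkgs_3`) plus a `stable` nixos-24.05 tree; `colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; };`, in the same shape as the `git-hooks` block just below it, keeps one nixpkgs to track for patches — assuming colmena builds against that revision, which should be checked. Minor: `defaultPackage` is the legacy flake output; `colmena.packages.${system}.default` is the current spelling if colmena exposes it. The `inputs` attribute set and the `outputs` function both continue outside the hunk.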


@ -60,12 +60,10 @@
if user == "root"
then "/root"
else "/home/${user}";
maybeSudo = lib.optional (user == "root") "sudo";
sops = lib.getExe pkgs.sops;
in {
name = "${user}-sops-age-key";
value = {
keyCommand = maybeSudo ++ ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
keyCommand = ["nix" "run" "nixpkgs#sops" "--" "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];
name = "keys.txt";
destDir = "${homeDirectory}/.config/sops/age";
inherit user;
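Review bot: Dropping `maybeSudo` only changes who runs the key command when colmena itself runs unprivileged, but the README in this same commit now documents `sudo colmena apply-local --sudo`, and under that invocation this `keyCommand` still executes as root — and, if sudo is configured with the usual env_reset, with HOME=/root, so sops will look for root's age key rather than the invoking user's. If the intent is to decrypt with the deploying user's key, keep colmena unprivileged and let `--sudo` escalate only the activation, or point sops at the key explicitly (for example via `SOPS_AGE_KEY_FILE`); worth confirming on sue before relying on it. Separately, `nix run nixpkgs#sops` resolves sops through the flake registry's `nixpkgs` at deploy time rather than the locked one; `keyCommand = [sops "--extract" "[\"sops_age_key\"]" "-d" (builtins.toString sopsFile)];` would use the pinned `pkgs.sops` from the `sops = lib.getExe pkgs.sops;` binding visible in the hunk, which appears to be removed here and is otherwise unused. The enclosing let/in and the attribute it builds continue outside the hunk.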