From ca34eb01ca3b06c99466338b8b8a92c8e840be61 Mon Sep 17 00:00:00 2001 From: Andre Date: Thu, 29 Feb 2024 17:50:18 -0500 Subject: [PATCH] I'm an idiot. I could've just used fetchgit and a submodule this whole time. --- .gitmodules | 3 +++ README.md | 34 +++++++++++++++---------------- hosts/common/default.nix | 6 +++--- modules/base/system.nix | 43 +--------------------------------------- nix-secrets | 1 + 5 files changed, 24 insertions(+), 63 deletions(-) create mode 100644 .gitmodules create mode 160000 nix-secrets diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..fd4c2d1 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "nix-secrets"] + path = nix-secrets + url = ssh://git@code.8bitbuddhism.com:22222/andre/nix-secrets.git diff --git a/README.md b/README.md index e2b618e..a49861b 100644 --- a/README.md +++ b/README.md 
@@ -6,32 +6,30 @@ A full set of configuration files managed via NixOS. This project follows the ge ### Note on secrets management -Secrets are stored in a separate repo called `nix-secrets`, which gets pulled automagically for all configs. See `hosts/common/default.nix`. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine. +Secrets are stored in a separate repo called `nix-secrets`, which is included here as a submodule. It gets pulled into the main config via `hosts/common/default.nix`. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine. -### Building the system +Initialize the submodule with: -When using nix-secrets, we need to separate the build process into two steps (because of secrets being stored in a private repo; the alternative is to give root access to the private repo on all hosts). First step is to create the build by running this as `aires`: - -```zsh -nixos-rebuild build --flake .#Shura +```sh +git submodule update --init --recursive ``` -When the build is done, run this command as root: +### Applying the configuration -```zsh -sudo ./result/bin/switch-to-configuration switch +To apply the config for the first time (e.g. on a fresh install), run this command, replacing `Shura` with the name of the host: + +```sh +sudo nixos-rebuild switch --flake .#Shura +``` + +For subsequent builds, you can omit the hostname: + +```sh +sudo nixos-rebuild switch --flake . ``` `switch` replaces the running system immediately, or you can use `boot` to only apply the switch during the next reboot. 
After applying the build at least once (or setting the hostname manually), you can omit the hostname from the command and just run `nixos-rebuild build --flake .` -#### Normal build process - -Normally (without a secret GitHub repo) you'd just use `sudo nixos-rebuild` like so: - -```zsh -sudo nixos-rebuild switch --flake .#Shura -``` - ### Testing To quickly validate the configuration, create a dry build. This builds the config without actually adding it to the system: @@ -51,7 +49,7 @@ nixos-rebuild build-vm --flake . `flake.lock` locks the version of any packages/modules used. To update them, run `nix flake update` first: ```zsh -nix flake update && nixos-rebuild build --flake . && sudo ./result/bin/switch-to-configuration switch +nix flake update && sudo nixos-rebuild switch --flake . ``` Home-manager also installs a ZSH alias, so you can just run `update` or `upgrade` for the same effect. diff --git a/hosts/common/default.nix b/hosts/common/default.nix index d19efe3..0f93409 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -1,9 +1,9 @@ { lib, ... }: let - # Fetch secrets. - # NOTE: This requires access to a private repo. Make sure you generate the build as `aires`, then switch to it as root. + # Fetch secrets + # IMPORTANT: Make sure this repo exists on the filesystem first! nix-secrets = builtins.fetchGit { - url = "ssh://git@code.8bitbuddhism.com:22222/andre/nix-secrets.git"; + url = "/home/aires/Development/nix-configuration/nix-secrets"; ref = "main"; rev = "75076eba4de5d8539cc1a2a85bf3924c9ae4b7b9"; }; diff --git a/modules/base/system.nix b/modules/base/system.nix index f74e36f..2e8c6ff 100644 --- a/modules/base/system.nix +++ b/modules/base/system.nix 
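Review bot: The new `url` in `nix-secrets = builtins.fetchGit { ... }` hard-codes one user's checkout, `/home/aires/Development/nix-configuration/nix-secrets`, so the flake only evaluates on a host where that exact path exists, and since the README in this same commit now tells the operator to run `sudo nixos-rebuild switch`, root's evaluation reads a repository that lives inside a regular user's home directory. The `rev` pinned here (`75076eba…`) is the same commit recorded by the new `nix-secrets` gitlink, but nothing keeps the two in sync: bumping the submodule without updating `rev` would presumably keep building from the old commit as long as that object is still in the submodule's repository, while bumping `rev` without updating the submodule fails the fetch. The comment should at least state the coupling, e.g. `# NOTE: rev must match the nix-secrets submodule pin (git submodule status); update both together`. If the flake is fetched with `?submodules=1`, the submodule contents could likely be referenced as a plain path instead of through fetchGit, which would remove the absolute path — worth confirming. The enclosing `let` block continues past the end of the hunk.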
@@ -35,47 +35,7 @@ with lib; }; }; - # Enable automatic updates. I'm using a weird setup here to account for pulling secrets from a private repo, which requires aires' SSH keys. - systemd.services = { - "nixos-rebuild" = { - script = '' - ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --flake . - ''; - path = [ "/run/current-system/sw" ]; - serviceConfig = { - Type = "oneshot"; - User = "${config.users.users.aires.name}"; - WorkingDirectory = "${config.users.users.aires.home}/Development/nix-configuration"; - }; - }; - - "nixos-activate" = { - script = '' - ${config.users.users.aires.home}/Development/nix-configuration/result/bin/switch-to-configuration switch - ''; - path = [ "/run/current-system/sw" ]; - requires = [ "nixos-rebuild.service" ]; - serviceConfig = { - Type = "oneshot"; - User = "${config.users.users.root.name}"; - WorkingDirectory = "${config.users.users.aires.home}/Development/nix-configuration"; - }; - }; - }; - systemd.timers = { - "nixos-update" = { - wantedBy = [ "timers.target" ]; - wants = [ "network-online.target" ]; - timerConfig = { - Unit = "nixos-activate.service"; - OnCalendar = "daily"; - Persistent = true; - }; - }; - }; - - # Configure automatic updates (deprecated in favor of systemd timers) - /* + # Configure automatic updates system = { # Enable automatic updates autoUpgrade = { @@ -92,7 +52,6 @@ with lib; allowReboot = false; }; }; - */ # Set your time zone. time.timeZone = "America/New_York"; diff --git a/nix-secrets b/nix-secrets new file mode 160000 index 0000000..75076eb --- /dev/null +++ b/nix-secrets @@ -0,0 +1 @@ +Subproject commit 75076eba4de5d8539cc1a2a85bf3924c9ae4b7b9
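Review bot: The periodic rebuild now runs entirely as root through `system.autoUpgrade`, while the secrets input in `hosts/common/default.nix` is fetched from a path under `/home/aires`; the `autoUpgrade.flake` value is outside this hunk, but if it points at the same checkout the removed units used as `WorkingDirectory`, a root-owned timer is evaluating and activating a tree that a non-root user can modify. The removed `nixos-activate` unit already executed `result/bin/switch-to-configuration` from that directory as root, so the commit does not widen the trust boundary, but the restored `# Configure automatic updates` comment no longer mentions it; consider `# NOTE: runs as root and evaluates the user-owned checkout in /home/aires; write access to that directory is effectively root-equivalent`. Only `allowReboot = false;` and the closing braces of the `autoUpgrade` attrset are visible in the second hunk; the rest of the block and the enclosing module lie outside the hunk.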