wip-gitea-sops

This commit is contained in:
Shelvacu
2024-10-23 21:31:01 -07:00
parent aee5440fde
commit cb3aa29d9a
6 changed files with 115 additions and 110 deletions


@@ -9,4 +9,6 @@
};
config._module.args.vaculib = config.vacu.vaculib;
config.vacu.vaculib.mkOutOption = val: lib.mkOption { readOnly = true; default = val; };
}


@@ -29,6 +29,7 @@ in
prepend_flags ? [ ],
add_flags ? [ ],
append_flags ? [ ],
runtimeHook ? null,
}@args:
let
prependFlags = prepend_flags ++ add_flags;
@@ -88,6 +89,8 @@ in
runHook postInstall
'';
inherit runtimeHook;
meta.mainProgram = new;
};
}
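Review bot: The new `runtimeHook ? null` argument is accepted in the pattern and passed through with `inherit runtimeHook;`, but nothing in these two hunks consumes it, and the sops wrapper added in this same commit calls `vaculib.makeWrapper` with `run = lib.singleton ''…''` rather than `runtimeHook`. The argument pattern begins outside the hunk, so I cannot see whether it ends in `...`; without it the unknown `run` attribute is an evaluation error, and with it `run` is silently dropped and the SOPS_AGE_KEY setup never reaches the wrapper. Either rename the caller's attribute to `runtimeHook` or accept `run` as an alias here, and document the argument next to `append_flags`, e.g. `# runtimeHook: optional shell snippet included in the wrapper (null = none); see the wrapper body for where it runs`, since the hook's placement is not visible in this hunk.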


@@ -2,17 +2,17 @@
lib,
pkgs,
config,
vaculib,
...
}:
let
inherit (lib) mkOption;
userKeys = lib.attrValues config.vacu.ssh.authorizedKeys;
liamKey = config.vacu.ssh.knownHosts.liam.publicKey;
ssh-to-age = lib.getExe pkgs.ssh-to-age;
sopsConfig =
pkgs.runCommand "sops.yaml" { env.sshUserKeys = lib.concatStringsSep "\n" userKeys; }
''
set -xe
set -e
liamKey="$(echo "${liamKey}" | ${ssh-to-age})"
declare -a userKeys
mapfile -t userKeys < <(echo "$sshUserKeys" | ${ssh-to-age})
@@ -21,30 +21,31 @@ let
creation_rules:
- path_regex: ^secrets/misc/
key_groups:
- age:
END
for k in "''${userKeys[@]}"; do
echo " - $k" >> $out
done
cat <<END >> $out
- age: [$(printf '"%s", ' "''${userKeys[@]}")]
- path_regex: ^secrets/liam/
key_groups:
- age:
- $liamKey
END
for k in "''${userKeys[@]}"; do
echo " - $k" >> $out
done
cat <<END >> $out
- age: ["$liamKey",$(printf '"%s", ' "''${userKeys[@]}")]
- path_regex: ^tests/test_secrets
key_groups:
- age: age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w
- age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w"]
END
'';
testAgeSecret = "AGE-SECRET-KEY-1QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQPQQ94XCHF";
wrappedSops = vaculib.makeWrapper {
original = lib.getExe pkgs.sops;
new = "vacu-nix-stuff-sops";
add_flags = [ "--config" sopsConfig ];
run = lib.singleton ''
set -e
age_keys=("${testAgeSecret}" "$(cat $HOME/.ssh/id_ed25519 | ${lib.getExe pkgs.ssh-to-age} -private-key)")
export SOPS_AGE_KEY
printf -v SOPS_AGE_KEY "%s\n" "''${age_keys[@]}"
# declare -p SOPS_AGE_KEY
'';
};
in
{
options.vacu.sopsConfig = mkOption {
readOnly = true;
default = sopsConfig;
};
options.vacu.sopsConfig = vaculib.mkOutOption sopsConfig;
options.vacu.wrappedSops = vaculib.mkOutOption wrappedSops;
}
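Review bot: The test recipient on the `- age: [...]` line for `^tests/test_secrets` reads `age1eqv5759uknu7d46rqyyzsmgt43qumsge3makeWrapp3yp2xygapprnt8zu3sqx6kt8w`, which is the adjacent line's recipient with `makeWrapp` pasted into the middle; the bech32 checksum no longer matches, so sops will reject that rule for any file under tests/test_secrets. Restore the value from the adjacent line, `- age: ["age1eqv5759uknu7d46rqyyzsmgt43qumsge33yp2xygapprnt8zu3sqx6kt8w"]`. In the wrapper's `run` snippet, `$(cat $HOME/.ssh/id_ed25519 | … -private-key)` leaves `$HOME` unquoted and, without `pipefail`, a missing key file yields an empty array element instead of an error; `ssh-to-age -private-key -i "$HOME/.ssh/id_ed25519"` under `set -eo pipefail` fails loudly (the `-i` form is what the old update-gitea-keys script used). Leaving `# declare -p SOPS_AGE_KEY` commented out is right, since that would print the private key material to the terminal.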

flake.lock generated

@@ -42,11 +42,11 @@
]
},
"locked": {
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
@@ -63,11 +63,11 @@
]
},
"locked": {
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
@@ -83,11 +83,11 @@
]
},
"locked": {
"lastModified": 1727531434,
"narHash": "sha256-b+GBgCWd2N6pkiTkRZaMFOPztPO4IVTaclYPrQl2uLk=",
"lastModified": 1729712798,
"narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=",
"owner": "nix-community",
"repo": "disko",
"rev": "b709e1cc33fcde71c7db43850a55ebe6449d0959",
"rev": "09a776702b004fdf9c41a024e1299d575ee18a7d",
"type": "github"
},
"original": {
@@ -243,11 +243,11 @@
]
},
"locked": {
"lastModified": 1725234343,
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=",
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
@@ -264,11 +264,11 @@
]
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
@@ -327,11 +327,11 @@
]
},
"locked": {
"lastModified": 1724857454,
"narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
"lastModified": 1729087992,
"narHash": "sha256-u9bQsT6G/yzDVQ7xCcudnKXkS4ZR240Y4Cd9BmrKejc=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
"rev": "43983c5976fef25e774e3f1c9bd04f658e9481c3",
"type": "github"
},
"original": {
@@ -357,11 +357,11 @@
]
},
"locked": {
"lastModified": 1727514110,
"narHash": "sha256-0YRcOxJG12VGDFH8iS8pJ0aYQQUAgo/r3ZAL+cSh9nk=",
"lastModified": 1729104314,
"narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "85f7a7177c678de68224af3402ab8ee1bcee25c8",
"rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
"type": "github"
},
"original": {
@@ -442,11 +442,11 @@
]
},
"locked": {
"lastModified": 1727383923,
"narHash": "sha256-4/vacp3CwdGoPf8U4e/N8OsGYtO09WTcQK5FqYfJbKs=",
"lastModified": 1729551526,
"narHash": "sha256-7LAGY32Xl14OVQp3y6M43/0AtHYYvV6pdyBcp3eoz0s=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ffe2d07e771580a005e675108212597e5b367d2d",
"rev": "5ec753a1fc4454df9285d8b3ec0809234defb975",
"type": "github"
},
"original": {
@@ -463,11 +463,11 @@
]
},
"locked": {
"lastModified": 1727453186,
"narHash": "sha256-nZRCfVEZ9osWXsCD0xCpU66M8JkabMTukBzPRrD/CTA=",
"lastModified": 1729492135,
"narHash": "sha256-yXmCZaw0Pe4H9Xv3BDSoQdSulevJMH34XrtQD3v7aoY=",
"owner": "Jovian-Experiments",
"repo": "Jovian-NixOS",
"rev": "3390ff2632d0d8a14c92473db60fa52bf881f979",
"rev": "82bdda12079fbbe40cd1e26d3cbbf5093ea052c0",
"type": "github"
},
"original": {
@@ -593,11 +593,11 @@
]
},
"locked": {
"lastModified": 1725189302,
"narHash": "sha256-IhXok/kwQqtusPsoguQLCHA+h6gKvgdCrkhIaN+kByA=",
"lastModified": 1728901530,
"narHash": "sha256-I9Qd0LnAsEGHtKE9+uVR0iDFmsijWSy7GT0g3jihG4Q=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "7c4b53a7d9f3a3df902b3fddf2ae245ef20ebcda",
"rev": "a60ac02f9466f85f092e576fd8364dfc4406b5a6",
"type": "github"
},
"original": {
@@ -614,11 +614,11 @@
]
},
"locked": {
"lastModified": 1727507295,
"narHash": "sha256-I/FrX1peu4URoj5T5odfuKR2rm4GjYJJpCGF9c0/lDA=",
"lastModified": 1728901530,
"narHash": "sha256-I9Qd0LnAsEGHtKE9+uVR0iDFmsijWSy7GT0g3jihG4Q=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "f2e1c4aa29fc211947c3a7113cba1dd707433b70",
"rev": "a60ac02f9466f85f092e576fd8364dfc4406b5a6",
"type": "github"
},
"original": {
@@ -850,11 +850,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1727665282,
"narHash": "sha256-oKtfbQB1MBypqIyzkC8QCQcVGOa1soaXaGgcBIoh14o=",
"lastModified": 1729742320,
"narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "11c43c830e533dad1be527ecce379fcf994fbbb5",
"rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
"type": "github"
},
"original": {
@@ -865,11 +865,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1727718448,
"narHash": "sha256-Ykvp0GsAzGMHgg+hVdyaAsctuX/LyUha5a9j2OS7PAI=",
"lastModified": 1729691686,
"narHash": "sha256-BAuPWW+9fa1moZTU+jFh+1cUtmsuF8asgzFwejM4wac=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c8e96cc044b1630d98365d79ba308dac93497bae",
"rev": "32e940c7c420600ef0d1ef396dc63b04ee9cad37",
"type": "github"
},
"original": {
@@ -912,11 +912,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1725762081,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
"type": "github"
},
"original": {
@@ -928,11 +928,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1727634051,
"narHash": "sha256-S5kVU7U82LfpEukbn/ihcyNt2+EvG7Z5unsKW9H/yFA=",
"lastModified": 1729413321,
"narHash": "sha256-I4tuhRpZFa6Fu6dcH9Dlo5LlH17peT79vx1y1SpeKt0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "06cf0e1da4208d3766d898b7fdab6513366d45b9",
"rev": "1997e4aa514312c1af7e2bda7fad1644e778ff26",
"type": "github"
},
"original": {
@@ -957,11 +957,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1725350106,
"narHash": "sha256-TaMMlI2KPJ3wCyxJk6AShOLhNuTeabHCnvYRkLBlEFs=",
"lastModified": 1729100089,
"narHash": "sha256-B44+e/cYjrzgaDvCNz9TyHQy0q9Q6WaDISV57jxejJ8=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "0f2c31e6a57a83ed4e6fa3adc76749620231055d",
"rev": "341dbb1b5867adb95d75e6dabef6627eb0eae38e",
"type": "github"
},
"original": {
@@ -988,11 +988,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1727645871,
"narHash": "sha256-Os3PAThU5XliKkKa+SHsFyV/EsCHogHcYONmpzb6500=",
"lastModified": 1729699620,
"narHash": "sha256-f6S8JX5w9bPLMbaqR5dM5koybZntdSFfKyfq/LQU7rs=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "5f4a4b47597d3b9ac26c41ff4e8da28fa662f200",
"rev": "029eafd70d6e28919a9ec01a94a46b51c4ccff40",
"type": "github"
},
"original": {
@@ -1048,11 +1048,11 @@
]
},
"locked": {
"lastModified": 1727452028,
"narHash": "sha256-ehl/A4HQFRyqj1Fk7cl+dgSf/2Fb1jLwWJtZaMU6RfU=",
"lastModified": 1728905062,
"narHash": "sha256-W/lClt0bRgFRO0WFtytX/LEILpPNq+FOjIfESpkeu5c=",
"owner": "NuschtOS",
"repo": "search",
"rev": "9f7426e532ef8dfc839c4a3fcc567b13a20a70d3",
"rev": "f82d3e1c1c9d1eaeb91878519e2d27b27c66ce84",
"type": "github"
},
"original": {
@@ -1410,11 +1410,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1727734513,
"narHash": "sha256-i47LQwoGCVQq4upV2YHV0OudkauHNuFsv306ualB/Sw=",
"lastModified": 1729695320,
"narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3198a242e547939c5e659353551b0668ec150268",
"rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
"type": "github"
},
"original": {
@@ -1483,11 +1483,11 @@
]
},
"locked": {
"lastModified": 1724833132,
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
"lastModified": 1729077719,
"narHash": "sha256-zayHqZO9gA1U85c4CPvVSnLV8/cBgc2yVrSKWaKeBUs=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
"rev": "5307ba60125bb024d7e52d71d582eafd511f3fee",
"type": "github"
},
"original": {
@@ -1504,11 +1504,11 @@
]
},
"locked": {
"lastModified": 1727431250,
"narHash": "sha256-uGRlRT47ecicF9iLD1G3g43jn2e+b5KaMptb59LHnvM=",
"lastModified": 1729242555,
"narHash": "sha256-6jWSWxv2crIXmYSEb3LEVsFkCkyVHNllk61X4uhqfCs=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "879b29ae9a0378904fbbefe0dadaed43c8905754",
"rev": "d986489c1c757f6921a48c1439f19bfb9b8ecab5",
"type": "github"
},
"original": {
@@ -1549,11 +1549,11 @@
]
},
"locked": {
"lastModified": 1713958148,
"narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
"lastModified": 1729422940,
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
"type": "github"
},
"original": {
@@ -1572,11 +1572,11 @@
]
},
"locked": {
"lastModified": 1713958148,
"narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
"lastModified": 1729422940,
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
"owner": "nix-community",
"repo": "nixos-vscode-server",
"rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
"type": "github"
},
"original": {


@@ -269,6 +269,7 @@
sm64 = packages.sm64coopdx;
ak = packages.authorizedKeys;
my-sops = packages.wrappedSops;
inherit (inputs.nixos-apple-silicon-unstable.packages.aarch64-linux)
m1n1
@@ -345,6 +346,10 @@
in
{
formatter = pkgs.nixfmt-rfc-style;
apps.sops = {
type = "app";
program = lib.getExe self.packages.${system}.wrappedSops;
};
packages = rec {
z3 = pkgs.callPackage ./packages/z3 { };
bandcamp-collection-downloader = pkgs.callPackage ./packages/bcd { };
@@ -357,7 +362,8 @@
lib.mapAttrsToList (k: v: "${v} ${k}") plain.config.vacu.ssh.authorizedKeys
)
);
sopsConfig = plain.config.vacu.sopsConfig;
update-gitea-keys = pkgs.callPackage ./scripts/update-gitea-keys.nix { inherit (plain) config; };
inherit (plain.config.vacu) sopsConfig wrappedSops;
nixvim = inputs.nixvim.legacyPackages.${system}.makeNixvimWithModule {
extraSpecialArgs = {
inputs = { };


@@ -2,26 +2,19 @@
config,
writers,
curl,
sops,
lib,
...
}:
let
sopsCommand = [
(lib.getExe sops)
"--config"
../.sops.yaml
"--extract"
''["git.uninsane.org"]''
"-d"
../secrets/misc/git-keys.json
];
curlCommand = [
(lib.getExe curl)
"https://git.uninsane.org/api/v1/user/keys"
];
in
writers.writeScriptBin "update-gitea-keys" ''
age_key=$(ssh-to-age -private-key -i $HOME/.ssh/id_ed25519)
gitea_api_key="$(SOPS_AGE_KEY="$age_key" sops --config ${../.sops.yaml} --extract '["git.uninsane.org"]' -d ${../secrets/misc/git-keys.json})"
curl
writers.writeBashBin "update-gitea-keys" ''
set -e
gitea_api_key="$(${lib.getExe config.vacu.wrappedSops} --extract '["git.uninsane.org"]' -d ${../secrets/misc/git-keys.json})"
api_base="https://git.uninsane.org/api/v1"
api_keys="$api_base/user/keys"
curl_common=( \
${lib.getExe curl} \
--header "Authorization: token $gitea_api_key" \
--header "Content-Type: application/json" \
)
declare -p curl_common
"''${curl_common[@]}" "$api_keys" | jq .
''
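Review bot: `declare -p curl_common` on the line before the request prints the whole array to stdout, including `--header "Authorization: token $gitea_api_key"`, so every run of update-gitea-keys echoes the Gitea API token into the terminal and any captured log; drop that line (the sops wrapper in this commit keeps its equivalent `# declare -p SOPS_AGE_KEY` commented out). The token is also part of curl's argv, where other local users can read it from process listings; passing the header via `--header @file` or `--config -` from a here-string keeps it out of argv. `jq .` at the end is unqualified while curl is resolved through `${lib.getExe curl}`, so the script depends on the caller's PATH; adding `jq` to the argument set and using `${lib.getExe jq}` matches the rest of the file. With only `set -e`, a failed curl in the pipeline is masked by jq's exit status — `set -eo pipefail` plus `--fail` on the request makes HTTP errors terminate the script.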