From feb82fca2ee2e214a0b1baa8d48cb4921a8d0c1e Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Fri, 9 Apr 2021 11:34:49 +0200
Subject: [PATCH] nix: Make netrc readable by wheel group

This also splits the nix configuration from the default module into its own file.
---
 modules/default.nix | 65 ++-------------------------------------
 modules/nix.nix | 68 +++++++++++++++++++++++++++++++++++++++++
 users/simon/default.nix | 1 +
 3 files changed, 71 insertions(+), 63 deletions(-)
 create mode 100644 modules/nix.nix
diff --git a/modules/default.nix b/modules/default.nix
index f93a627..61fd82d 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,21 +1,5 @@
 { config, lib, pkgs, ... }:
-let
- # Taken from https://nixos.wiki/wiki/Overlays
- overlaysCompat = pkgs.writeTextFile {
- name = "overlays-compat";
- destination = "/overlays.nix";
- text = ''
- self: super:
- with super.lib;
- let
- # Load the system config and get the `nixpkgs.overlays` option
- overlays = (import { }).config.nixpkgs.overlays;
- in
- # Apply all overlays to the input of the current "main" overlay
- foldl' (flip extends) (_: super) overlays self
- '';
- };
-in
+
 {
 # Options that affect multiple modules
 options.sbruder = {
@@ -48,6 +32,7 @@ in
 ./network-manager.nix
 ./nginx-interactive-index
 ./nginx.nix
+ ./nix.nix
 ./office.nix
 ./prometheus/node_exporter.nix
 ./pubkeys.nix
@@ -105,52 +90,6 @@ in
 allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
 };
- sops.secrets.binary-cache-secret-key = { };
- sops.secrets.nix-netrc = { };
-
- nix = {
- nixPath = [
- "/var/src" # pinned nixpkgs and configuration
- "nixpkgs=/var/src/nixpkgs" # for nix run
- "nixpkgs-overlays=${overlaysCompat}"
- ];
- # Make sudoers trusted nix users
- trustedUsers = [ "@wheel" ];
-
- binaryCaches = [
- "https://nix-cache.sbruder.de/"
- ];
- binaryCachePublicKeys = [
- "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
- ];
-
- # On-the-fly optimisation of nix store
- autoOptimiseStore = true;
- extraOptions = ''
- # Binary cache upload
- secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
- netrc-file = ${config.sops.secrets.nix-netrc.path}
- '' + lib.optionalString config.sbruder.full ''
- # Keep output of derivations with gc root
- keep-outputs = true
- keep-derivations = true
- '';
-
- # Make nix build in background less noticeable
- daemonNiceLevel = 10;
- daemonIONiceLevel = 5; # 0-7
- };
-
- nixpkgs.overlays = [
- (import ../pkgs)
- (final: prev: {
- unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
- config = config.nixpkgs.config;
- overlays = config.nixpkgs.overlays;
- };
- })
- ];
-
 # Globally set Let’s Encrypt requirements
 security.acme = {
 acceptTerms = true;
diff --git a/modules/nix.nix b/modules/nix.nix
new file mode 100644
index 0000000..ea843d3
--- /dev/null
+++ b/modules/nix.nix
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+let
+ # Taken from https://nixos.wiki/wiki/Overlays
+ overlaysCompat = pkgs.writeTextFile {
+ name = "overlays-compat";
+ destination = "/overlays.nix";
+ text = ''
+ self: super:
+ with super.lib;
+ let
+ # Load the system config and get the `nixpkgs.overlays` option
+ overlays = (import { }).config.nixpkgs.overlays;
+ in
+ # Apply all overlays to the input of the current "main" overlay
+ foldl' (flip extends) (_: super) overlays self
+ '';
+ };
+in
+{
+ sops.secrets.binary-cache-secret-key = { };
+ sops.secrets.nix-netrc = {
+ group = "wheel";
+ mode = "0440";
+ };
+
+ nix = {
+ nixPath = [
+ "/var/src" # pinned nixpkgs and configuration
+ "nixpkgs=/var/src/nixpkgs" # for nix run
+ "nixpkgs-overlays=${overlaysCompat}"
+ ];
+ # Make sudoers trusted nix users
+ trustedUsers = [ "@wheel" ];
+
+ binaryCaches = [
+ "https://nix-cache.sbruder.de/"
+ ];
+ binaryCachePublicKeys = [
+ "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
+ ];
+
+ # On-the-fly optimisation of nix store
+ autoOptimiseStore = true;
+ extraOptions = ''
+ # Binary cache upload
+ secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
+ netrc-file = ${config.sops.secrets.nix-netrc.path}
+ '' + lib.optionalString config.sbruder.full ''
+ # Keep output of derivations with gc root
+ keep-outputs = true
+ keep-derivations = true
+ '';
+
+ # Make nix build in background less noticeable
+ daemonNiceLevel = 10;
+ daemonIONiceLevel = 5; # 0-7
+ };
+
+ nixpkgs.overlays = [
+ (import ../pkgs)
+ (final: prev: {
+ unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
+ config = config.nixpkgs.config;
+ overlays = config.nixpkgs.overlays;
+ };
+ })
+ ];
+}
diff --git a/users/simon/default.nix b/users/simon/default.nix
index 57cdaca..738ea37 100644
--- a/users/simon/default.nix
+++ b/users/simon/default.nix
@@ -9,6 +9,7 @@
 extraGroups = [
 "adbusers"
 "dialout"
+ "keys"
 "libvirtd"
 "lp"
 "networkmanager"
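Review bot: The `group = "wheel"; mode = "0440";` block on `sops.secrets.nix-netrc` widens access to the cache credentials from root to every wheel member without recording why, and it only takes effect together with the `"keys"` group added in users/simon/default.nix in the same commit (sops-nix, as far as I recall its defaults, keeps the secrets directory traversable only for root and the `keys` group), so the two hunks should reference each other. Because `netrc-file` is also handed to the daemon through `extraOptions`, the daemon already reads this secret as root; the group-readable mode appears to serve `nix` invocations that fetch in the client process, and that rationale belongs next to the mode. Suggested comment above `group = "wheel";`: `# wheel members are already trusted nix users; the netrc is group-readable so client-side fetches from the private cache work (readers must also be in the sops "keys" group)`. Keeping `binary-cache-secret-key` at the sops-nix default (root-only unless overridden) is the right split: being able to read the upload credential should not imply being able to sign store paths.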