nix: Make netrc readable by wheel group

This also splits the nix configuration from the default module into its own file.
2021-04-09 11:34:49 +02:00 · 2021-04-09 11:34:49 +02:00 · feb82fca2e
parent 5d31f32df8
commit feb82fca2e
3 changed files with 71 additions and 63 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,21 +1,5 @@
 { config, lib, pkgs, ... }:
-let
-  # Taken from https://nixos.wiki/wiki/Overlays
-  overlaysCompat = pkgs.writeTextFile {
-    name = "overlays-compat";
-    destination = "/overlays.nix";
-    text = ''
-      self: super:
-      with super.lib;
-      let
-        # Load the system config and get the `nixpkgs.overlays` option
-        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
-      in
-        # Apply all overlays to the input of the current "main" overlay
-        foldl' (flip extends) (_: super) overlays self
-    '';
-  };
-in
+
 {
  # Options that affect multiple modules
  options.sbruder = {
@ -48,6 +32,7 @@ in
    ./network-manager.nix
    ./nginx-interactive-index
    ./nginx.nix
+    ./nix.nix
    ./office.nix
    ./prometheus/node_exporter.nix
    ./pubkeys.nix
@ -105,52 +90,6 @@ in
        allowedUDPPortRanges = lib.singleton { from = 9990; to = 9999; };
      };

-      sops.secrets.binary-cache-secret-key = { };
-      sops.secrets.nix-netrc = { };
-
-      nix = {
-        nixPath = [
-          "/var/src" # pinned nixpkgs and configuration
-          "nixpkgs=/var/src/nixpkgs" # for nix run
-          "nixpkgs-overlays=${overlaysCompat}"
-        ];
-        # Make sudoers trusted nix users
-        trustedUsers = [ "@wheel" ];
-
-        binaryCaches = [
-          "https://nix-cache.sbruder.de/"
-        ];
-        binaryCachePublicKeys = [
-          "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
-        ];
-
-        # On-the-fly optimisation of nix store
-        autoOptimiseStore = true;
-        extraOptions = ''
-          # Binary cache upload
-          secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
-          netrc-file = ${config.sops.secrets.nix-netrc.path}
-        '' + lib.optionalString config.sbruder.full ''
-          # Keep output of derivations with gc root
-          keep-outputs = true
-          keep-derivations = true
-        '';
-
-        # Make nix build in background less noticeable
-        daemonNiceLevel = 10;
-        daemonIONiceLevel = 5; # 0-7
-      };
-
-      nixpkgs.overlays = [
-        (import ../pkgs)
-        (final: prev: {
-          unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
-            config = config.nixpkgs.config;
-            overlays = config.nixpkgs.overlays;
-          };
-        })
-      ];
-
      # Globally set Let’s Encrypt requirements
      security.acme = {
        acceptTerms = true;
--- a/modules/nix.nix
+++ b/modules/nix.nix
@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+let
+  # Taken from https://nixos.wiki/wiki/Overlays
+  overlaysCompat = pkgs.writeTextFile {
+    name = "overlays-compat";
+    destination = "/overlays.nix";
+    text = ''
+      self: super:
+      with super.lib;
+      let
+        # Load the system config and get the `nixpkgs.overlays` option
+        overlays = (import <nixpkgs/nixos> { }).config.nixpkgs.overlays;
+      in
+        # Apply all overlays to the input of the current "main" overlay
+        foldl' (flip extends) (_: super) overlays self
+    '';
+  };
+in
+{
+  sops.secrets.binary-cache-secret-key = { };
+  sops.secrets.nix-netrc = {
+    group = "wheel";
+    mode = "0440";
+  };
+
+  nix = {
+    nixPath = [
+      "/var/src" # pinned nixpkgs and configuration
+      "nixpkgs=/var/src/nixpkgs" # for nix run
+      "nixpkgs-overlays=${overlaysCompat}"
+    ];
+    # Make sudoers trusted nix users
+    trustedUsers = [ "@wheel" ];
+
+    binaryCaches = [
+      "https://nix-cache.sbruder.de/"
+    ];
+    binaryCachePublicKeys = [
+      "nix-cache.sbruder.de-1:bU13eF6IMMW2hgO7StgB6JCAoZPeAQ27NAzV0kru1XM="
+    ];
+
+    # On-the-fly optimisation of nix store
+    autoOptimiseStore = true;
+    extraOptions = ''
+      # Binary cache upload
+      secret-key-files = ${config.sops.secrets.binary-cache-secret-key.path}
+      netrc-file = ${config.sops.secrets.nix-netrc.path}
+    '' + lib.optionalString config.sbruder.full ''
+      # Keep output of derivations with gc root
+      keep-outputs = true
+      keep-derivations = true
+    '';
+
+    # Make nix build in background less noticeable
+    daemonNiceLevel = 10;
+    daemonIONiceLevel = 5; # 0-7
+  };
+
+  nixpkgs.overlays = [
+    (import ../pkgs)
+    (final: prev: {
+      unstable = import (import ../nix/sources.nix).nixpkgs-unstable {
+        config = config.nixpkgs.config;
+        overlays = config.nixpkgs.overlays;
+      };
+    })
+  ];
+}
--- a/users/simon/default.nix
+++ b/users/simon/default.nix
@ -9,6 +9,7 @@
    extraGroups = [
      "adbusers"
      "dialout"
+      "keys"
      "libvirtd"
      "lp"
      "networkmanager"