From 923229dc00bc5c50639a2c91b38a5223f0a0d96d Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 21 Nov 2024 13:25:27 +0100 Subject: [PATCH 1/4] configuration/common: Allow overriding nix version per host --- configuration/common/nix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configuration/common/nix.nix b/configuration/common/nix.nix index 8ae4666..f0a1837 100644 --- a/configuration/common/nix.nix +++ b/configuration/common/nix.nix @@ -62,7 +62,7 @@ }; }; - nix.package = pkgs.nixVersions.nix_2_18; + nix.package = lib.mkDefault pkgs.nixVersions.nix_2_18; documentation.doc.enable = false; From 0e00c74ba745efe55912b62164cf4d53344b2c3c Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 21 Nov 2024 13:45:26 +0100 Subject: [PATCH 2/4] configuration/desktop: Handle renamed font in future releases --- configuration/desktop/fonts.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configuration/desktop/fonts.nix b/configuration/desktop/fonts.nix index 92a9a82..0003233 100644 --- a/configuration/desktop/fonts.nix +++ b/configuration/desktop/fonts.nix @@ -7,8 +7,7 @@ roboto roboto-mono noto-fonts - noto-fonts-cjk noto-fonts-emoji comfortaa - ]; + ] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]); } From c63a781dc62694e6d28e4c41ce960579831aa969 Mon Sep 17 00:00:00 2001 From: clerie Date: Thu, 21 Nov 2024 22:31:42 +0100 Subject: [PATCH 3/4] pkgs/clerie-sops: regenerate clerie-sops-config on every call to clerie-sops --- pkgs/clerie-sops/clerie-sops-config.nix | 44 ++++++-------------- pkgs/clerie-sops/clerie-sops-config.py | 55 +++++++++++++++++++++++++ pkgs/clerie-sops/clerie-sops.nix | 7 +++- 3 files changed, 74 insertions(+), 32 deletions(-) create mode 100755 pkgs/clerie-sops/clerie-sops-config.py diff --git a/pkgs/clerie-sops/clerie-sops-config.nix b/pkgs/clerie-sops/clerie-sops-config.nix index f7e13f7..60d9130 100644 --- a/pkgs/clerie-sops/clerie-sops-config.nix 
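Review bot: The pin to `nix_2_18` still carries no explanation, and now that it is `lib.mkDefault` a per-host `nix.package` silently wins, so a reader cannot tell whether a host override is working around a bug or discarding the reason for the pin. A comment above the line, `# nix 2.18 is the default on purpose: <reason>; hosts may override nix.package`, would document that (with the real reason filled in). Since the default is a fixed older release, the same comment should say what would allow it to be bumped.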
+++ b/pkgs/clerie-sops/clerie-sops-config.nix @@ -1,37 +1,19 @@ { pkgs, lib, ... }: -with lib; +pkgs.python313Packages.buildPythonPackage rec { + pname = "clerie-sops-config"; + version = "0.0.1"; -let - hosts = builtins.attrNames (builtins.readDir ../../hosts); + src = ./.; - mkAgeKey = hostname: ssh_pub_file: - pkgs.runCommand "${hostname}.age" { - buildInputs = [ pkgs.ssh-to-age ]; - } '' - ssh-to-age -i ${ssh_pub_file} -o $out - ''; + format = "other"; - ageKeysForHost = hostname: let - ssh_pub_file = ../../hosts + "/${hostname}/ssh.pub"; - in - if builtins.pathExists ssh_pub_file then [ - (fileContents (mkAgeKey hostname ssh_pub_file)) - ] else []; + propagatedBuildInputs = with pkgs; [ + ssh-to-age + ]; - mkCreationRules = hosts: - map (hostname: { - path_regex = escapeRegex "hosts/${hostname}/secrets.json"; - key_groups = [{ - pgp = [ - (fileContents (pkgs.clerie-keys + "/gpg/clerie@clerie.de.fingerprint.txt")) - ]; - age = ageKeysForHost hostname; - }]; - }) hosts; - - sops_config = { - creation_rules = mkCreationRules hosts; - }; -in - pkgs.writeText "sops.json" (builtins.toJSON sops_config) + installPhase = '' + mkdir -p $out/bin + cp clerie-sops-config.py $out/bin/clerie-sops-config + ''; +} diff --git a/pkgs/clerie-sops/clerie-sops-config.py b/pkgs/clerie-sops/clerie-sops-config.py new file mode 100755 index 0000000..254582b --- /dev/null +++ b/pkgs/clerie-sops/clerie-sops-config.py 
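Review bot: `propagatedBuildInputs = [ ssh-to-age ]` does not put `ssh-to-age` on the PATH of the installed `$out/bin/clerie-sops-config`; for `buildPythonPackage` propagation serves Python module resolution, and `writeShellApplication`'s `runtimeInputs` (see clerie-sops.nix in this series) builds its PATH with `makeBinPath`, which does not follow propagated inputs, so the script's `subprocess.run(["ssh-to-age", ...])` presumably only works where the tool happens to be installed already. Either wrap the script — `nativeBuildInputs = [ pkgs.makeWrapper ];` plus `postFixup = ''wrapProgram $out/bin/clerie-sops-config --prefix PATH : ${lib.makeBinPath [ pkgs.ssh-to-age ]}'';` — or list `ssh-to-age` in clerie-sops's `runtimeInputs`. A one-line comment above `format = "other";`, `# plain script, not a Python distribution: installed by hand below`, would also tell the next reader why no build/check phases apply.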
@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+import sys
+import json
+from pathlib import Path
+import re
+import subprocess
+
+def generate_sops_config(repo_root):
+ admin_keys = []
+
+ # hardcode fingerprints because we can't really generate them automatically currently
+ admin_keys.append("0C982F87B7AFBA0F504F90A2629E741947C87928") # clerie@clerie.de
+
+ list_of_host_directories = sorted(list(filter(lambda path_object: path_object.is_dir(), (repo_root / "hosts").iterdir())))
+
+ creation_rules = []
+
+ for host_directory in list_of_host_directories:
+ host_secrets_file = host_directory / "secrets.json"
+ host_keys = []
+
+ ssh_host_key_file = host_directory / "ssh.pub"
+
+ if ssh_host_key_file.is_file():
+
+ ssh_to_age_command = subprocess.run(["ssh-to-age", "-i", str(ssh_host_key_file)], capture_output=True, text=True)
+ if ssh_to_age_command.returncode == 0:
+ host_keys.append(ssh_to_age_command.stdout.strip())
+
+ creation_rules.append({
+ "key_groups": [{
+ "age": host_keys,
+ "pgp": admin_keys,
+ }],
+ "path_regex": re.escape(str(host_secrets_file)),
+ })
+
+ return {
+ "creation_rules": creation_rules,
+ }
+
+
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 2:
+ print("No repo root specified")
+ exit(1)
+
+ repo_root = Path(sys.argv[1])
+
+ sops_config = generate_sops_config(repo_root)
+
+ print(json.dumps(sops_config))
diff --git a/pkgs/clerie-sops/clerie-sops.nix b/pkgs/clerie-sops/clerie-sops.nix
index 1730e6b..13c5a08 100644
--- a/pkgs/clerie-sops/clerie-sops.nix
+++ b/pkgs/clerie-sops/clerie-sops.nix
@@ -4,8 +4,13 @@ pkgs.writeShellApplication {
 name = "clerie-sops";
 runtimeInputs = with pkgs; [
 sops
+ clerie-sops-config
 ];
 text = ''
- exec sops --config ${pkgs.clerie-sops-config} "$@"
+ REPO_ROOT="."
+ if GIT_ROOT=$(git rev-parse --show-toplevel); then
+ REPO_ROOT="$GIT_ROOT"
+ fi
+ exec sops --config <(clerie-sops-config "$REPO_ROOT") "$@"
 '';
 }
From f8e3e03987115f1dea0bc15eb4adadb4ee9cbdb6 Mon Sep 17 00:00:00 2001
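Review bot: When `ssh-to-age` exits non-zero the `if ssh_to_age_command.returncode == 0` branch silently drops the host key and a creation rule with an empty `age` list is still emitted, so that host's secrets.json would be re-encrypted for the admin PGP key alone with no warning — the derivation this replaces failed the build in that situation — and a missing `ssh-to-age` binary is not covered at all, because `subprocess.run` raises `FileNotFoundError` rather than returning a code. The usage error in the `__main__` block is also printed to stdout, which is the very stream clerie-sops hands to `sops --config <(...)`, so a misuse produces a junk config instead of a visible message. Fail loudly in both places as below, sending diagnostics to stderr and using `sys.exit` rather than the site-provided `exit`. The `sorted(list(filter(lambda ...)))` chain reads more naturally as `sorted(p for p in (repo_root / "hosts").iterdir() if p.is_dir())`.
```python
# … unchanged: imports, admin_keys, host directory listing …
        if ssh_host_key_file.is_file():
            try:
                ssh_to_age_command = subprocess.run(
                    ["ssh-to-age", "-i", str(ssh_host_key_file)],
                    capture_output=True, text=True, check=True,
                )
            except (OSError, subprocess.CalledProcessError) as err:
                # Refuse to emit a rule that lacks the host's age key.
                print(f"ssh-to-age failed for {ssh_host_key_file}: {err}", file=sys.stderr)
                sys.exit(1)
            host_keys.append(ssh_to_age_command.stdout.strip())
# … unchanged: creation_rules.append(...) and return …

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("No repo root specified", file=sys.stderr)
        sys.exit(1)
# … unchanged: rest of main …
```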
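Review bot: The process substitution `<(clerie-sops-config "$REPO_ROOT")` discards the generator's exit status, so if clerie-sops-config fails (a traceback, `ssh-to-age` not found) sops is started with an empty or truncated config and, for a decrypt, proceeds as if no creation rules existed; the `set -e` that `writeShellApplication` enables does not reach inside a process substitution. Generate into a temporary file first and let a failure abort before sops runs, as below. `git` is not listed in `runtimeInputs`, so the fallback to `.` depends on ambient PATH, and outside a repository `git rev-parse` prints `fatal: not a git repository` to stderr before the fallback takes effect; `2>/dev/null` on that call keeps the tool's own output clean. The enclosing `writeShellApplication` attribute set starts before the hunk.
```nix
  text = ''
    REPO_ROOT="."
    if GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null); then
      REPO_ROOT="$GIT_ROOT"
    fi
    SOPS_CONFIG=$(mktemp)
    trap 'rm -f "$SOPS_CONFIG"' EXIT
    # set -e aborts here instead of handing sops a partial config
    clerie-sops-config "$REPO_ROOT" > "$SOPS_CONFIG"
    sops --config "$SOPS_CONFIG" "$@"
  '';
```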
From: Flake Update Bot
Date: Fri, 22 Nov 2024 03:03:03 +0100
Subject: [PATCH 4/4] Update nixpkgs 2024-11-22-02-03
---
flake.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 4f0c0ab..9e217be 100644
--- a/flake.lock
+++ b/flake.lock
@@ -288,11 +288,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1725983898,
- "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
+ "lastModified": 1732014248,
+ "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
+ "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
 "type": "github"
 },
 "original": {