From 880ffeec878271b19e639d49d85e76f178b7462c Mon Sep 17 00:00:00 2001
From: magic_rb
Date: Sat, 21 Oct 2023 17:46:17 +0200
Subject: [PATCH] Fix evaluation without secrets
Signed-off-by: magic_rb
---
flake-secret.lock | 15 +++++++++------
flake.lock | 15 +++++++++------
flake.nix | 2 +-
lib/load_secrets.nix | 6 +++---
nixos/systems/heater/nixpkgs.nix | 1 +
nixos/systems/omen/firewall.nix | 4 +++-
nixos/systems/omen/networking.nix | 10 +++++-----
7 files changed, 31 insertions(+), 22 deletions(-)
diff --git a/flake-secret.lock b/flake-secret.lock
index 1ceef4d..af0a155 100644
--- a/flake-secret.lock
+++ b/flake-secret.lock
@@ -868,14 +868,17 @@ }, "impermenance": { "locked": { - "lastModified": 1696322197, - "narHash": "sha256-WvxAZaeefq88RpXGKwGPekvqcITK7jIB38ow6ULHCTQ=", - "path": "/nix/persist/home/main/repos/impermanence", - "type": "path" + "lastModified": 1697902518, + "narHash": "sha256-L0wNEjROZFZS/2DxH3LkRYxgKAtVwNRcMab41jK9MDE=", + "owner": "MagicRB", + "repo": "impermanence", + "rev": "1e7f9def3b0d74dccb9f3876ba3ba7666641aa52", + "type": "github" }, "original": { - "path": "/nix/persist/home/main/repos/impermanence", - "type": "path" + "owner": "MagicRB", + "repo": "impermanence", + "type": "github" } }, "iserv-proxy": {
diff --git a/flake.lock b/flake.lock
index 7fda8e9..0b19b47 100644
--- a/flake.lock
+++ b/flake.lock
@@ -868,14 +868,17 @@ }, "impermenance": { "locked": { - "lastModified": 1696322197, - "narHash": "sha256-WvxAZaeefq88RpXGKwGPekvqcITK7jIB38ow6ULHCTQ=", - "path": "/nix/persist/home/main/repos/impermanence", - "type": "path" + "lastModified": 1697902518, + "narHash": "sha256-L0wNEjROZFZS/2DxH3LkRYxgKAtVwNRcMab41jK9MDE=", + "owner": "MagicRB", + "repo": "impermanence", + "rev": "1e7f9def3b0d74dccb9f3876ba3ba7666641aa52", + "type": "github" }, "original": { - "path": "/nix/persist/home/main/repos/impermanence", - "type": "path" + "owner": "MagicRB", + "repo": "impermanence", + "type": "github" } }, "iserv-proxy": {
diff --git a/flake.nix b/flake.nix
index abb6ddc..532c35c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,7 +18,7 @@
 website.url = "sourcehut:~magic_rb/website";
 microvm.url = "github:astro/microvm.nix";
 notnft.url = "github:chayleaf/notnft";
- impermenance.url = "path:///nix/persist/home/main/repos/impermanence";
+ impermenance.url = "github:MagicRB/impermanence";
 numen-nix.url = "github:anpandey/numen-nix";
 hydra.url = "github:t184256/hydra/nix-ca-reprise";
diff --git a/lib/load_secrets.nix b/lib/load_secrets.nix
index 063a4ff..1f2c0b9 100644
--- a/lib/load_secrets.nix
+++ b/lib/load_secrets.nix
@@ -4,11 +4,11 @@
 { lib, ... }:
 {
 flake.libOverlays.loadSecrets =
- final: prev: (lib.traceVal {
+ final: prev: {
 loadSecrets = path:
 if builtins.pathExists "${path}/default.nix"
 then import path { lib = final; }
 else
- {};
- });
+ builtins.trace "Not loading secrets!" {};
+ };
 }
diff --git a/nixos/systems/heater/nixpkgs.nix b/nixos/systems/heater/nixpkgs.nix
index 75e6780..f7a7843 100644
--- a/nixos/systems/heater/nixpkgs.nix
+++ b/nixos/systems/heater/nixpkgs.nix
@@ -11,6 +11,7 @@
 emacs-rofi
 tree-sitter-grammars
 emacs-master-nativecomp
+ ledger-compat
 ])
 ++ (with inputs'.nixng.overlays; [
diff --git a/nixos/systems/omen/firewall.nix b/nixos/systems/omen/firewall.nix
index 3e4a014..80ea66c 100644
--- a/nixos/systems/omen/firewall.nix
+++ b/nixos/systems/omen/firewall.nix
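Review bot: With no secrets directory present, `loadSecrets` now returns `{}` and only emits a trace, so evaluation proceeds and the `or ""` fallbacks added in nixos/systems/omen/firewall.nix and nixos/systems/omen/networking.nix substitute empty strings into the nameserver list, the `50-eth0` MACAddress match and the firewall address predicates; that can yield a buildable system whose generated config is silently wrong rather than a failed evaluation. If the goal is only to let `nix flake check` or a plain eval succeed without secrets, consider keeping the empty-attrset fallback here but having the consuming modules assert instead of default, for example a NixOS `assertions` entry in the omen configuration such as `{ assertion = secret != {}; message = "omen: secrets were not loaded"; }` (a constructed example; adjust to however `secret` is bound there), so a deployable closure cannot be produced from placeholder values. The trace could also name what it looked for, `builtins.trace "Not loading secrets: ${toString path}/default.nix not found" {}`, which makes an accidental no-secrets evaluation easier to spot in logs.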
@@ -80,9 +80,11 @@
 # TCP 22 altra
 [ (is.eq ip.protocol (f: with f; set [ tcp ])) (is.eq th.dport (set [ 22 ])) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept ]
- # ICMP to blowhole, toothpick
+ # ICMP to blowhole, toothpick, altra
 [ (is.eq ip.protocol (f: f.icmp)) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (set [ (secret.network.ips.toothpick or "") (secret.network.ips.altra.ip or "") (secret.network.ips.blowhole.ip or "") ])) accept ]
+ [ (is.eq ip.protocol (f: f.tcp)) (is.eq th.dport 8883) (is.eq ip.saddr (secret.network.ips.omen.vpn or "")) (is.eq ip.daddr (secret.network.ips.altra.ip or "")) accept ]
+ # accept syncthing sharing
 [ (is.eq ip.protocol (f: f.udp)) (is.eq th.sport "22000") (is.eq th.dport "22000") accept ]
 [ (is.eq ip.protocol (f: f.tcp)) (is.eq th.dport "22000") accept ]
diff --git a/nixos/systems/omen/networking.nix b/nixos/systems/omen/networking.nix
index aa07681..6dd955e 100644
--- a/nixos/systems/omen/networking.nix
+++ b/nixos/systems/omen/networking.nix
@@ -10,7 +10,7 @@ in
 hostId = "10c7ffc5";
- nameservers = [ secret.network.ips.blowhole.ip ];
+ nameservers = [ (secret.network.ips.blowhole.ip or "") ];
 firewall.enable = false;
@@ -36,7 +36,7 @@ in
 case $IFACE in
 eth0)
- echo $IP_ADDRS | ${lib.getExe' pkgs.grepcidr "grepcidr"} ${secret.network.networks.home.amsterdam} > /dev/null
+ echo $IP_ADDRS | ${lib.getExe' pkgs.grepcidr "grepcidr"} ${secret.network.networks.home.amsterdam or ""} > /dev/null
 home_net=$?
 case $STATE in
@@ -63,7 +63,7 @@ in
 };
 systemd.network.links."50-eth0" = {
- matchConfig.MACAddress = secret.network.mac.usbc-omen;
+ matchConfig.MACAddress = secret.network.mac.usbc-omen or "";
 linkConfig.Name = "eth0";
 };
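Review bot: The new TCP 8883 rule is the only rule in this block with no comment naming its purpose, and it spells the port as the bare integer `8883` while the neighbouring syncthing rules use the string `"22000"` and the TCP 22 rule uses `(set [ 22 ])`; a comment in the style of its siblings, such as `# TCP 8883 (presumably MQTT over TLS) from omen vpn to altra`, and one consistent port spelling across the block would keep the rule set reviewable. Note also that with the `or ""` fallbacks every address predicate collapses to `""` when secrets are absent, so the rule list is only meaningful when secrets are loaded. The enclosing rule list begins and ends outside this hunk.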
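Review bot: In the `eth0)` branch of the dispatcher script, `${secret.network.networks.home.amsterdam or ""}` is interpolated unquoted, so when secrets are absent the word disappears from the command line entirely and grepcidr is run with no CIDR argument; `home_net=$?` then most likely records a usage-error status rather than a "not on the home network" result, and the `case $STATE` logic that follows (outside this hunk) acts on it. Quoting the interpolation, `"${secret.network.networks.home.amsterdam or ""}"`, keeps the argument count stable regardless of the fallback, and `echo "$IP_ADDRS"` likewise survives an empty variable. The enclosing script body starts and ends outside this hunk.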
@@ -85,12 +85,12 @@ in
 services.resolved.enable = false;
 environment.etc."resolv.conf".text = ''
- nameserver ${secret.network.ips.blowhole.ip}
+ nameserver ${secret.network.ips.blowhole.ip or ""}
 '';
 services.resolved.extraConfig = ''
 [Resolve]
- DNS=${secret.network.ips.blowhole.ip}
+ DNS=${secret.network.ips.blowhole.ip or ""}
 FallbackDNS=
 '';