From fcad909111e40198ed1a6d0628ae9fcb8b8c6cea Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Tue, 22 Feb 2022 01:30:27 +0000
Subject: [PATCH] Add secrets support to dev VMs

---
 devshell/commands.nix | 5 ++++-
 nixos/modules/build.nix | 1 +
 nixos/modules/secrets.nix | 14 +++++++++++---
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/devshell/commands.nix b/devshell/commands.nix
index f926a12..fc069f3 100644
--- a/devshell/commands.nix
+++ b/devshell/commands.nix
@@ -1,6 +1,7 @@
 { pkgs, ... }:
 let
 homeFlake = "$HOME/.config/nixpkgs/flake.nix";
+ devKey = ".keys/dev.key";
 in
 {
 commands = [
@@ -67,7 +68,9 @@ in
 command = ''
 cd "$PRJ_ROOT"
- nix run ".#nixosConfigurations.\"$1\".config.my.buildAs.devVM"
+ tmp="$(mktemp -d nix-vm.XXXXXXXXXX --tmpdir)"
+ install -Dm0400 "${devKey}" "$tmp/xchg/dev.key"
+ TMPDIR="$tmp" USE_TMPDIR=1 nix run ".#nixosConfigurations.\"$1\".config.my.buildAs.devVM"
 '';
 }
 {
diff --git a/nixos/modules/build.nix b/nixos/modules/build.nix
index af4cf1a..04c29d5 100644
--- a/nixos/modules/build.nix
+++ b/nixos/modules/build.nix
@@ -62,6 +62,7 @@ in
 virtualisation = {
 diskImage = dummyOption;
 forwardPorts = dummyOption;
+ sharedDirectories = dummyOption;
 };
 };
diff --git a/nixos/modules/secrets.nix b/nixos/modules/secrets.nix
index e03fcef..9033361 100644
--- a/nixos/modules/secrets.nix
+++ b/nixos/modules/secrets.nix
@@ -1,6 +1,7 @@
 { lib, config, secretsPath, ... }:
 let
 inherit (builtins) mapAttrs;
+ inherit (lib) mkMerge mkIf;
 inherit (lib.my) mkOpt';
 cfg = config.my.secrets;
@@ -11,7 +12,14 @@ in
 files = mkOpt' (attrsOf unspecified) { } "Secrets to decrypt with agenix.";
 };
- config.age.secrets = mapAttrs (f: opts: {
- file = "${secretsPath}/${f}.age";
- } // opts) cfg.files;
+ config = mkMerge [
+ {
+ age.secrets = mapAttrs (f: opts: {
+ file = "${secretsPath}/${f}.age";
+ } // opts) cfg.files;
+ }
+ (mkIf config.my.build.isDevVM {
+ age.identityPaths = [ "/tmp/xchg/dev.key" ];
+ })
+ ];
 }
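Review bot: The temporary directory that receives the copied private key is never removed after the VM exits, so a `$tmp/xchg/dev.key` copy (0400 inside the `mktemp -d` directory) is left under the temp root on every run of this command; add `trap 'rm -rf "$tmp"' EXIT` directly after the `mktemp` line so the copy goes away with the VM, unless something else the runner writes there must outlive the run. The `install` step is also unchecked: if `.keys/dev.key` is absent the VM still starts and the identity configured in secrets.nix will not exist, so failing early with `install -Dm0400 "${devKey}" "$tmp/xchg/dev.key" || exit 1` would give a clearer error (whether devshell runs these commands with `set -e` is not visible in the hunk). The enclosing command attrset starts before the hunk.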
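Review bot: The guest path `/tmp/xchg/dev.key` on the `age.identityPaths` line duplicates the `$tmp/xchg/dev.key` install path in devshell/commands.nix with nothing tying the two together; a comment such as `# host $tmp/xchg (see devshell/commands.nix) is mounted at /tmp/xchg in the VM; keep both paths in sync` on that line would save the next reader a search. Defining `age.identityPaths` here replaces the option's default identity list rather than extending it (a defined value overrides a default in the module system), so a dev VM started by any route other than the devshell command has no usable identity; if that is intended, state it in the same comment. Whether the xchg mount is in place before agenix's activation step runs is not visible here and is worth confirming before relying on it.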