From 75ef84913f929b0ec313d389406fd7730747330c Mon Sep 17 00:00:00 2001 From: Ryan Yin Date: Tue, 12 Dec 2023 20:30:26 +0800 Subject: [PATCH] fix: agenix failed to decrypt secrets when booting --- flake.lock | 225 +--------------------- flake.nix | 10 +- hosts/idols/ai/hardware-configuration.nix | 1 + secrets/nixos.nix | 4 +- 4 files changed, 10 insertions(+), 230 deletions(-) diff --git a/flake.lock b/flake.lock index 2398bb19..8151db8a 100644 --- a/flake.lock +++ b/flake.lock @@ -274,21 +274,6 @@ "type": "github" } }, - "flake-compat_2": { - "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": [ @@ -331,28 +316,6 @@ "type": "github" } }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1698882062, - "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems_2" @@ -371,24 +334,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "gitignore": { "inputs": { "nixpkgs": [ 
@@ -543,25 +488,6 @@ "type": "github" } }, - "lib-aggregate": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1699790908, - "narHash": "sha256-8CO4KQhiEyO7rce4KVOq8arpk9802fVwxtN/oLeRFag=", - "owner": "nix-community", - "repo": "lib-aggregate", - "rev": "6c60a229fa422698325b2788e93dfeeba3f11391", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lib-aggregate", - "type": "github" - } - }, "mesa-panfork": { "flake": false, "locked": { @@ -616,49 +542,6 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_6", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1699952346, - "narHash": "sha256-l+8awD7Gq5iIZSbzC7BNO3e5sFBgm1Ivea8WyawRMlQ=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "333af7cb0f3dc54e893d2032e4032821bc90e145", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1698974481, - "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixlib": { "locked": { "lastModified": 1693701915, 
@@ -765,21 +648,6 @@ "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1699750082, - "narHash": "sha256-4Vx6Vr975vPGzGACyu4u6JfWo2Auwy0AeC6sTSOXdTQ=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "55682344eae38a1975ccd2cfac0dcb4197faedf8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, "nixpkgs-stable": { "locked": { "lastModified": 1678872516, @@ -812,27 +680,6 @@ "type": "github" } }, - "nixpkgs-wayland": { - "inputs": { - "flake-compat": "flake-compat_2", - "lib-aggregate": "lib-aggregate", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_7" - }, - "locked": { - "lastModified": 1699967945, - "narHash": "sha256-oghYgECEGWBVqNQ+fczJ3J5wYy/rILYAPO+mszLd17M=", - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "rev": "0cfb157a692a733481daa5dd3b4566e6440567bb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "type": "github" - } - }, "nixpkgs_2": { "locked": { "lastModified": 1698134075, @@ -898,38 +745,6 @@ } }, "nixpkgs_6": { - "locked": { - "lastModified": 1699839047, - "narHash": "sha256-FAoWKSDZ9vpd8sLeJYeVGUnSlOCqkSochTEvOA7+qeM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8423b2dff7b10463eb97f9242bd62a1ff8d2ee3e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_7": { - "locked": { - "lastModified": 1699781429, - "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_8": { "locked": { "lastModified": 1692221125, "narHash": "sha256-nKUDlbLL8/WW3Fpx9Y0sY+LliTqU3/GexvHU9BdA8Qk=", 
@@ -947,7 +762,7 @@ }, "nur-ryan4yin": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1694184827, @@ -1037,7 +852,6 @@ "nixpkgs": "nixpkgs_5", "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-wayland": "nixpkgs-wayland", "nur-ryan4yin": "nur-ryan4yin", "nushell-scripts": "nushell-scripts", "wallpapers": "wallpapers" @@ -1098,21 +912,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "thead-kernel": { "flake": false, "locked": { @@ -1130,28 +929,6 @@ "type": "github" } }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1699786194, - "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "wallpapers": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 9d402eab..e95d0c14 100644 --- a/flake.nix +++ b/flake.nix @@ -309,7 +309,7 @@ # modern window compositor hyprland.url = "github:hyprwm/Hyprland/v0.32.3"; # community wayland nixpkgs - nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; + # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; # anyrun - a wayland launcher anyrun = { url = "github:Kirottu/anyrun"; 
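Review bot: The `nixpkgs-wayland` input is commented out at flake.nix line 312 instead of being deleted, and the nixConfig hunk that follows does the same with its substituter URL and its `extra-trusted-public-keys` entry, while flake.lock drops the input outright. A trusted-key list is easiest to audit when it holds exactly the caches the flake still pulls from, so I would delete all three lines; git history keeps them if the input comes back. If they stay as a reminder, one comment saying so is enough, for example `# nixpkgs-wayland disabled: re-enable the input, the substituter and its key together`. The inputs block opens outside this hunk.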
@@ -411,19 +411,19 @@ nixConfig = { # substituers will be appended to the default substituters when fetching packages extra-substituters = [ + "https://nix-community.cachix.org" # my own cache server "https://ryan4yin.cachix.org" "https://anyrun.cachix.org" "https://hyprland.cachix.org" - "https://nix-community.cachix.org" - "https://nixpkgs-wayland.cachix.org" + # "https://nixpkgs-wayland.cachix.org" ]; extra-trusted-public-keys = [ - "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" + "ryan4yin.cachix.org-1:Gbk27ZU5AYpGS9i3ssoLlwdvMIh0NxG0w8it/cv9kbU=" "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s=" "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" + # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; }; } diff --git a/hosts/idols/ai/hardware-configuration.nix b/hosts/idols/ai/hardware-configuration.nix index 1576904a..f7abaeaf 100644 --- a/hosts/idols/ai/hardware-configuration.nix +++ b/hosts/idols/ai/hardware-configuration.nix @@ -70,6 +70,7 @@ device = "/dev/disk/by-uuid/1167076c-dee1-486c-83c1-4b1af37555cd"; fsType = "btrfs"; options = ["subvol=@persistent" "compress-force=zstd:1"]; + # impermanence's data is required for booting. neededForBoot = true; }; diff --git a/secrets/nixos.nix b/secrets/nixos.nix index 23d92a11..b8010765 100644 --- a/secrets/nixos.nix +++ b/secrets/nixos.nix 
@@ -17,7 +17,9 @@ # if you changed this key, you need to regenerate all encrypt files from the decrypt contents! age.identityPaths = [ - "/home/${username}/.ssh/juliet-age" # Linux + # To decrypt secrets on boot, this key should exists when the system is booting, + # so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence. + "/persistent/home/${username}/.ssh/juliet-age" # Linux ]; # Used only by NixOS Modules
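Review bot: The new identity path hard-codes the `/persistent` mount point, so this module now only decrypts on hosts that mount that subvolume with `neededForBoot = true`; in this patch that is visible only for hosts/idols/ai. If any other NixOS host imports secrets/nixos.nix without an impermanence layout (not visible here), the key file would not be found there and agenix would presumably fail to decrypt at boot again. Listing both locations, `"/persistent/home/${username}/.ssh/juliet-age" # hosts with impermanence` and `"/home/${username}/.ssh/juliet-age" # hosts without it`, should cover both cases, assuming the pinned agenix skips identity files it cannot read, which is worth confirming. Because this key decrypts every secret and is read unattended at boot, also check that the copy under `/persistent` is readable only by its owner and root; the added comment has a typo, `should exists` for `should exist`. The module body around `age.identityPaths` continues outside the hunk.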