starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-04-10 03:13:36 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
dbe62811c7c48778484f0cde332e005f177e6ffd
nix-config/secrets/darwin.nix
Ryan Yin dbe62811c7 fix: agenix on nix-darwin, update flake.nix
2023-12-18 14:05:45 +08:00

86 lines
2.7 KiB
Nix
Raw Blame History

{
config,
pkgs,
agenix,
mysecrets,
username,
...
}: {
imports = [
agenix.darwinModules.default
];
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths = [
"/Users/${username}/.ssh/juliet-age" # macOS
];
age.secrets = {
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
};
# alias-for-work
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
};
"alias-for-work.bash" = {
file = "${mysecrets}/alias-for-work.bash.age";
};
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
# Fix DNS for WireGuard on macOS: https://github.com/ryan4yin/nix-config/issues/5
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
# The following secrets are used by home-manager modules
# But nix-darwin doesn't support environment.etc.<name>.mode
# So we need to change its mode manually
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
};
};
# activationScripts are executed every time you run `nixos-rebuild` / `darwin-rebuild`.
system.activationScripts.postActivation.text = ''
chmod 644 /etc/agenix/*
'';
# When you eboot the system, only these scripts will be executed:
# https://github.com/LnL7/nix-darwin/blob/4eb1c549a9d4/modules/services/activate-system/default.nix6
# So we need to add the following line to the script:
launchd.daemons.activate-system.script = ''
set -e
set -o pipefail
export PATH="${pkgs.gnugrep}/bin:${pkgs.coreutils}/bin:@out@/sw/bin:/usr/bin:/bin:/usr/sbin:/sbin"
systemConfig=$(cat ${config.system.profile}/systemConfig)
# Make this configuration the current configuration.
# The readlink is there to ensure that when $systemConfig = /system
# (which is a symlink to the store), /run/current-system is still
# used as a garbage collection root.
ln -sfn $(cat ${config.system.profile}/systemConfig) /run/current-system
# Prevent the current configuration from being garbage-collected.
ln -sfn /run/current-system /nix/var/nix/gcroots/current-system
${config.system.activationScripts.etcChecks.text}
${config.system.activationScripts.etc.text}
${config.system.activationScripts.keyboard.text}
# The following line is added by me
${config.system.activationScripts.postActivation.text}
'';
}
Reference in New Issue View Git Blame Copy Permalink