Merge branch 'main' into teutat3s

teutat3s 2021-12-01 12:22:19 +01:00
commit f570efefe9
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
5 changed files with 29 additions and 11 deletions

View file

@ -45,5 +45,32 @@ deploy '.#hostName' --hostname host.example.com
> ##### _Note:_ > ##### _Note:_
> Your user will need **passwordless** sudo access > Your user will need **passwordless** sudo access
### Home Manager
Digga's `lib.mkDeployNodes` provides only `system` profile.
In order to deploy your `home-manager` configuration you should provide additional profile(s) to deploy-rs config:
```nix
# Initially, this line looks like this: deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { };
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations
{
<HOSTNAME> = {
profilesOrder = [ "system" "<HM_PROFILE>" "<ANOTHER_HM_PROFILE>"];
profiles.<HM_PROFILE> = {
user = "<YOUR_USERNAME>";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.<YOUR_USERNAME>;
};
profiles.<ANOTHER_HM_PROFILE> = {
user = "<ANOTHER_USERNAME>";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.<ANOTHER_USERNAME>;
};
};
};
```
Substitute `<HOSTNAME>`, `<HM_PROFILE>` and `<YOUR_USERNAME>` placeholders (omitting the `<>`).
`<ANOTHER_HM_PROFILE>` is there to illustrate deploying multiple `home-manager` configurations. Either substitute those as well,
or remove them altogether. Don't forget the `profileOrder` variable.
[d-rs]: https://github.com/serokell/deploy-rs [d-rs]: https://github.com/serokell/deploy-rs
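Review bot: The closing sentence of the new Home Manager section tells the reader not to forget the `profileOrder` variable, but the attribute in the example is `profilesOrder`; anyone copying the name from the prose will set an attribute that does not match the example. Use `profilesOrder` in both places. The substitution sentence also names `<HOSTNAME>`, `<HM_PROFILE>` and `<YOUR_USERNAME>` but not `<ANOTHER_USERNAME>`, and both `path` lines hardcode `x86_64-linux` without comment; a short remark that the system string must match the target host would help.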

View file

@ -1,11 +1,8 @@
# Secrets # Secrets
Secrets are managed using [git-crypt][git-crypt] and [agenix][agenix] Secrets are managed using [agenix][agenix]
so you can keep your flake in a public repository like GitHub without so you can keep your flake in a public repository like GitHub without
exposing your password or other sensitive data. exposing your password or other sensitive data.
By default, everything in the secrets folder is automatically encrypted. Just
be sure to run `git-crypt init` before putting anything in here.
## Agenix ## Agenix
Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets Currently, there is [no mechanism][secrets-issue] in nix itself to deploy secrets
within the nix store because it is world-readable. within the nix store because it is world-readable.
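Review bot: With the sentence "By default, everything in the secrets folder is automatically encrypted" removed, the Secrets intro still says the flake can live in a public repository without exposing passwords, but it no longer states what protects a file dropped into the secrets folder. Add a sentence saying that only files encrypted with agenix are safe to commit and that the folder is no longer encrypted automatically, so readers who followed the old text do not commit plaintext.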
@ -104,7 +101,6 @@ secrets get decrypted. You can learn about them by looking at the
> You can take a look at the [agenix repository][agenix] for more information > You can take a look at the [agenix repository][agenix] for more information
> about the tool. > about the tool.
[git-crypt]: https://github.com/AGWA/git-crypt
[agenix]: https://github.com/ryantm/agenix [agenix]: https://github.com/ryantm/agenix
[age module]: https://github.com/ryantm/agenix/blob/master/modules/age.nix [age module]: https://github.com/ryantm/agenix/blob/master/modules/age.nix
[secrets-issue]: https://github.com/NixOS/nix/issues/8 [secrets-issue]: https://github.com/NixOS/nix/issues/8

View file

@ -6,7 +6,7 @@ This will help you boostrap a bare host with the help of the
_Note: nothing prevents you from remotely executing the boostrapping _Note: nothing prevents you from remotely executing the boostrapping
process. See below._ process. See below._
Once your target host has booted into the live iso, you need to partion Once your target host has booted into the live iso, you need to partition
and format your disk according to the [official manual][manual]. and format your disk according to the [official manual][manual].
## Mount partitions ## Mount partitions
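Review bot: The hunk fixes "partion" but leaves "boostrapping" in the note two lines above it, and the hunk header context shows "boostrap" earlier in the same file. Correct both to "bootstrap" and "bootstrapping" in the same change.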

View file

@ -30,10 +30,6 @@ in
unset _PATH unset _PATH
''); '');
packages = with pkgs; [
git-crypt
];
commands = with pkgs; [ commands = with pkgs; [
(devos nixUnstable) (devos nixUnstable)
(devos agenix) (devos agenix)

View file

@ -3,7 +3,6 @@
home-manager.users = { inherit (hmUsers) nixos; }; home-manager.users = { inherit (hmUsers) nixos; };
users.users.nixos = { users.users.nixos = {
uid = 1000;
password = "nixos"; password = "nixos";
description = "default"; description = "default";
isNormalUser = true; isNormalUser = true;
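Review bot: Dropping `uid = 1000;` from `users.users.nixos` is not explained anywhere in this commit, which is a merge of 'main', so it is unclear whether anything else relied on the fixed uid; a one-line rationale would help. Separately, the unchanged `password = "nixos";` next to it keeps a plaintext password in the configuration, and the Secrets document touched by this same commit notes that the nix store is world-readable; consider a comment marking this as a bootstrap-only default that must be changed, or switching to `hashedPassword`.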