
0e5b489cbfe35bb415d8d25711547f401e2e7ce8 — Dmitry Bogatov 2 months ago 9d2e050 + a642e61
Merge branch 'feature/use-ask-secret-manager' into next

* feature/use-ask-secret-manager:
  manifest: get rid of secrets
  msmtp, mpop: use "ask" secret manager
  Add terraform(1) into the universe set
  gh: use ask(1) secret manager
11 files changed, 33 insertions(+), 11 deletions(-)

M flake.lock
M flake.nix
D manifest/.gitattributes
M manifest/default.nix
D manifest/secret/auth.sh
D manifest/secret/dbx.json
D manifest/secret/foo.txt
M universe/default.nix
M universe/mpop/mpop.conf
M universe/msmtp/generator.py
M universe/posixrc/init.sh
M flake.lock => flake.lock +16 -0
@@ 1,5 1,20 @@
{
  "nodes": {
    "future": {
      "locked": {
        "lastModified": 1625865946,
        "narHash": "sha256-0GzAVzSf5DIsCw83oZnw74BzNAcEce2dve+YJdjkaEQ=",
        "rev": "95726968d92a53f9f2836defe19378ef4f48773c",
        "revCount": 301386,
        "type": "git",
        "url": "https://github.com/nixos/nixpkgs"
      },
      "original": {
        "rev": "95726968d92a53f9f2836defe19378ef4f48773c",
        "type": "git",
        "url": "https://github.com/nixos/nixpkgs"
      }
    },
    "mk-passwd": {
      "inputs": {
        "nixpkgs": "nixpkgs"


@@ 84,6 99,7 @@
    },
    "root": {
      "inputs": {
        "future": "future",
        "mk-passwd": "mk-passwd",
        "nix-sys": "nix-sys",
        "nixpkgs": "nixpkgs_3"

M flake.nix => flake.nix +6 -1
@@ 6,13 6,16 @@
{
  description = "Personal flake of ~kaction";
  inputs.nixpkgs.url = "git+https://github.com/nixos/nixpkgs?tag=20.09";
  inputs.future.url =
    "git+https://github.com/nixos/nixpkgs?rev=95726968d92a53f9f2836defe19378ef4f48773c";
  inputs.mk-passwd.url = "git+https://git.sr.ht/~kaction/mk-passwd?tag=0.1.1";
  inputs.nix-sys.url =
    "git+https://git.sr.ht/~kaction/nix-sys?rev=fbc860acdae3c716d50d8844ac52a57ccb76e61e";
  outputs = { self, nixpkgs, mk-passwd, nix-sys }:
  outputs = { self, nixpkgs, mk-passwd, nix-sys, future }:
    let
      system = "x86_64-linux"; # See note [On supported architectures]
      pkgs = import nixpkgs { inherit system; };
      future' = import future { inherit system; };

      # Set of packages provided by nixpkgs with all atrribute names
      # prefixed with "pristine-". Makes writing derivations that need


@@ 64,6 67,8 @@
        in pkgs // pristine // rebuilded // { # nixfmt: sort
          inherit (pkgs.pkgsStatic) execline;
          inherit system;
          inherit (future') terraform;

          Documentation =
            callPackage ./universe/Documentation { inherit nixpkgs; };
          attach-shell = call ./universe/attach-shell;

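--- a/manifest/.gitattributes
+++ /dev/null
@@ -1,1 +0,0 @@
-secret/** filter=git-crypt diff=git-crypt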

M manifest/default.nix => manifest/default.nix +0 -2
@@ 54,7 54,6 @@ let
          "/home/kaction/Mail/tmp" = user-mkdir;
          "/home/kaction/.config" = user-mkdir;
          "/home/kaction/.config/dbxcli" = user-mkdir;
          "/home/kaction/.config/dbxcli/auth.json" = symlink ./secret/dbx.json;
          "/home/kaction/.config/git/config" = symlink (substituteAll {
            src = ./user/git.conf;
            logp = writeScript "logp" ''


@@ 72,7 71,6 @@ let
          "/etc/group" = symlink "${auth}/group";
          "/etc/gshadow" = { action = "unlink"; };
          "/etc/hosts" = symlink' ./hosts;
          "/etc/profile.d/auth.sh" = symlink ./secret/auth.sh;
          "/etc/doas.conf" = symlink ./doas.conf;
          "/etc/nix/nix.conf" = symlink ./nix.conf;
          "/etc/nsswitch.conf" = symlink ./nsswitch.conf;

D manifest/secret/auth.sh => manifest/secret/auth.sh +0 -0
D manifest/secret/dbx.json => manifest/secret/dbx.json +0 -0
D manifest/secret/foo.txt => manifest/secret/foo.txt +0 -0
M universe/default.nix => universe/default.nix +1 -0
@@ 66,6 66,7 @@ buildEnv {
    strace # When things break, and they break all the time.
    surfraw
    tig
    terraform
    tree # Useful to inspect result of Nix derivation build
    trezord
    uenv
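Review bot: `terraform` is inserted between `tig` and `tree`, but the surrounding entries (`strace`, `surfraw`, `tig`, `tree`, `trezord`, `uenv`) are alphabetical and `terraform` sorts before `tig`. Moving it up one line keeps the list scannable and, since the other notable entries carry a trailing remark, a short one would explain where it comes from: `terraform # taken from the newer "future" nixpkgs input, see flake.nix`. The `buildEnv` argument set starts and ends outside the hunk.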

M universe/mpop/mpop.conf => universe/mpop/mpop.conf +1 -2
@@ 9,5 9,4 @@ keep on
tls on
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
passwordeval cat /dev/shm/kaction/volatile/kaction.cc

passwordeval ask mpop://demigod@kaction.cc
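Review bot: The argument of `passwordeval ask mpop://demigod@kaction.cc` reads like a server URL but is the lookup key handed to ask(1), and it differs in scheme from the `smtp://demigod@kaction.cc` key the msmtp generator uses for the same mailbox in this commit. A one-line comment would save the next reader a detour: `# argument is the ask(1) lookup key (scheme://user@domain), not a server address`. Whether mpop fails closed when ask(1) exits non-zero is not visible here; worth confirming the account does not silently try an empty password.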

M universe/msmtp/generator.py => universe/msmtp/generator.py +1 -1
@@ 21,7 21,7 @@ with open(config, "w") as config, open(newmail, "w") as newmail:
        account default
        host smtp.migadu.com
        user {user}@kaction.cc
        passwordeval cat /proc/self/fd/91/volatile/kaction.cc
        passwordeval ask smtp://demigod@kaction.cc
        port 587
        protocol smtp
        auth on
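Review bot: The new `passwordeval ask smtp://demigod@kaction.cc` hardcodes `demigod` while the `user` directive two lines above is templated as `{user}@kaction.cc`, so, if this block is the format template the `{user}` placeholder suggests, a config generated for any other user would look up the wrong secret. Either use the same placeholder, `passwordeval ask smtp://{user}@kaction.cc`, or, if the shared `demigod` key is deliberate, say so in a comment next to it. The `with open(...)` statement and the string being written start and end outside the hunk.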

M universe/posixrc/init.sh => universe/posixrc/init.sh +8 -4
@@ 1,6 1,13 @@
alias ls='ls --color=auto'
alias cd-root='cd "$(git root)"'
alias gh='GITHUB_TOKEN=${GITHUB_TOKEN} command gh'
alias gh='GITHUB_TOKEN=`ask https://kaction@github.com` command gh'

terraform() {
	AWS_ACCESS_KEY_ID=`ask https://dbogatov@aws.amazon.com/public` \
	AWS_SECRET_ACCESS_KEY=`ask https://dbogatov@aws.amazon.com/private` \
	AWS_DEFAULT_REGION=us-west-2 \
	command terraform "$@"
}

vidir() {
	if [ $# = 0 ] ; then


@@ 10,8 17,5 @@ vidir() {
	fi
}

if [ -r /etc/profile.d/auth.sh ] ; then
	. /etc/profile.d/auth.sh
fi
mkdir -p "/dev/shm/${USER}/volatile"
echo "${MSMTP_PASSWORD:-}" > "/dev/shm/${USER}/volatile/kaction.cc"
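Review bot: `terraform()` runs `command terraform` even when `ask` fails: a command substitution that exits non-zero just yields an empty string, so a cancelled or missing secret becomes `AWS_ACCESS_KEY_ID=` and terraform proceeds with blank credentials instead of stopping; the new `gh` alias has the same shape. Capturing each secret first and returning on failure makes the function fail closed (sketch below; `gh` could become a function of the same form). Separately, the second hunk's old/new sides are not recoverable from this page, but if `mkdir -p "/dev/shm/${USER}/volatile"` and the `echo "${MSMTP_PASSWORD:-}" > …/kaction.cc` line survive now that mpop.conf and the msmtp generator read the password from ask(1), they write a stale, possibly empty, password file to shared memory on every login and should go as well.
```shell
terraform() {
	# Fail closed: stop if ask(1) cannot provide either credential instead of
	# running terraform with empty AWS_* variables.
	_tf_id=$(ask https://dbogatov@aws.amazon.com/public) || return 1
	_tf_secret=$(ask https://dbogatov@aws.amazon.com/private) || return 1
	AWS_ACCESS_KEY_ID=$_tf_id \
	AWS_SECRET_ACCESS_KEY=$_tf_secret \
	AWS_DEFAULT_REGION=us-west-2 \
	command terraform "$@"
	_tf_rc=$?
	unset _tf_id _tf_secret
	return $_tf_rc
}
```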