From faed15c0307ab68aa6d8921ec6b3356ba86d749b Mon Sep 17 00:00:00 2001
From: Brynley Llewellyn-Roux
Date: Thu, 22 Aug 2024 12:04:12 +1000
Subject: [PATCH] wip: refactoring

---
 flake.nix | 132 +--------------------------------------------------
 modules.nix | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+), 131 deletions(-)
 create mode 100644 modules.nix

diff --git a/flake.nix b/flake.nix
index 72af4134..d35ae2fb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -141,135 +141,5 @@ default = shell { ci = false; }; ci = shell { ci = true; }; }; - }) // { - nixosModules.default = { config, ... }: - with nixpkgs-matrix.lib; { - options = { - services.polykey = { - enable = mkEnableOption - "Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent."; - - passwordFilePath = mkOption { - type = with types; uniq str; - description = '' - The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail. - ''; - }; - - recoveryCodeFilePath = mkOption { - type = with types; uniq str; - default = ""; - description = '' - The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with. - ''; - }; - - recoveryCodeOutPath = mkOption { - type = with types; uniq str; - description = '' - The path to the Polykey recovery code file output location. - ''; - }; - - statePath = mkOption { - type = with types; uniq str; - default = "/var/lib/polykey"; - description = - "The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path."; - }; - }; - programs.polykey = { - enable = mkEnableOption "Enable the per-user Polykey agent."; - - passwordFilePath = mkOption { - type = with types; uniq str; - description = '' - The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail. - ''; - }; - - recoveryCodeFilePath = mkOption { - type = with types; uniq str; - default = ""; - description = '' - The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with. - ''; - }; - - recoveryCodeOutPath = mkOption { - type = with types; uniq str; - description = '' - The path to the Polykey recovery code file output location. 
- ''; - }; - - statePath = mkOption { - type = with types; uniq str; - default = "%h/.local/share/polykey"; - description = - "The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path."; - }; - }; - }; - config = mkIf config.services.polykey.enable { - users.groups.polykey = { }; - - environment.systemPackages = - [ self.outputs.packages.${buildSystem}.default ]; - - system.activationScripts.makeAgentPaths = '' - mkdir -p ${config.services.polykey.statePath} - chgrp -R polykey ${config.services.polykey.statePath} - chmod 770 ${config.services.polykey.statePath} - ''; - - systemd.services.polykey = { - description = "Polykey Agent"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - User = "root"; - Group = "polykey"; - PermissionsStartOnly = true; - LoadCredential = - [ "password:${config.services.polykey.passwordFilePath}" ]; - ExecStartPre = '' - -${ - self.outputs.packages.${buildSystem}.default - }/bin/polykey \ - --password-file ''${CREDENTIALS_DIRECTORY}/password \ - --node-path ${config.services.polykey.statePath} \ - bootstrap ${ - lib.optionalString - (config.services.polykey.recoveryCodeFilePath != "") - "-rcf ${config.services.polykey.recoveryCodeFilePath}" - }\ - --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath} - ''; - ExecStart = '' - ${ - self.outputs.packages.${buildSystem}.default - }/bin/polykey \ - --password-file ''${CREDENTIALS_DIRECTORY}/password \ - --node-path ${config.services.polykey.statePath} \ - agent start \ - --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath} - ''; - }; - }; - }; - }; - homeManagerModules.default = { config, ... 
}: - with nixpkgs-matrix; - with lib; { - options = { - programs.polykey = { - enable = mkEnableOption "Enable the user-space Polykey agent."; - }; - }; - config = mkIf config.programs.polykey.enable { - home.packages = [ self.outputs.packages.${buildSystem}.default ]; - }; - }; - }; + }) // (import ./modules.nix { inherit nixpkgs-matrix; }); } diff --git a/modules.nix b/modules.nix new file mode 100644 index 00000000..e9efa56c --- /dev/null +++ b/modules.nix 
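Review bot: The added line `}) // (import ./modules.nix { inherit nixpkgs-matrix; });` passes only `nixpkgs-matrix` into the new file, but the code moved into modules.nix (the second hunk) still references `self.outputs.packages.${buildSystem}.default` and `lib.optionalString`, names that were bound in flake.nix and are no longer in scope there, so evaluating either module will fail with an undefined variable. Pass them through, `}) // (import ./modules.nix { inherit self nixpkgs-matrix buildSystem; });`, and widen the header of modules.nix to `{ self, nixpkgs-matrix, buildSystem, ... }:`. Whether `lib` was a separate binding in flake.nix or was meant to come from `nixpkgs-matrix.lib` is not visible in this patch; if the latter, `lib.optionalString` can simply become `optionalString` under the existing `with nixpkgs-matrix.lib`, otherwise `lib` needs passing as well. The enclosing `outputs` function of flake.nix begins before this hunk.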
@@ -0,0 +1,129 @@ +{ nixpkgs-matrix, ... }: + +{ + nixosModules.default = { config, ... }: + with nixpkgs-matrix.lib; { + options = { + services.polykey = { + enable = mkEnableOption + "Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent."; + + passwordFilePath = mkOption { + type = with types; uniq str; + description = '' + The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail. + ''; + }; + + recoveryCodeFilePath = mkOption { + type = with types; uniq str; + default = ""; + description = '' + The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with. + ''; + }; + + recoveryCodeOutPath = mkOption { + type = with types; uniq str; + description = '' + The path to the Polykey recovery code file output location. + ''; + }; + + statePath = mkOption { + type = with types; uniq str; + default = "/var/lib/polykey"; + description = + "The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path."; + }; + }; + programs.polykey = { + enable = mkEnableOption "Enable the per-user Polykey agent."; + + passwordFilePath = mkOption { + type = with types; uniq str; + description = '' + The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail. + ''; + }; + + recoveryCodeFilePath = mkOption { + type = with types; uniq str; + default = ""; + description = '' + The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with. + ''; + }; + + recoveryCodeOutPath = mkOption { + type = with types; uniq str; + description = '' + The path to the Polykey recovery code file output location. 
+ ''; + }; + + statePath = mkOption { + type = with types; uniq str; + default = "%h/.local/share/polykey"; + description = + "The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path."; + }; + }; + }; + config = mkIf config.services.polykey.enable { + users.groups.polykey = { }; + + environment.systemPackages = + [ self.outputs.packages.${buildSystem}.default ]; + + system.activationScripts.makeAgentPaths = '' + mkdir -p ${config.services.polykey.statePath} + chgrp -R polykey ${config.services.polykey.statePath} + chmod 770 ${config.services.polykey.statePath} + ''; + + systemd.services.polykey = { + description = "Polykey Agent"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = { + User = "root"; + Group = "polykey"; + PermissionsStartOnly = true; + LoadCredential = + [ "password:${config.services.polykey.passwordFilePath}" ]; + ExecStartPre = '' + -${self.outputs.packages.${buildSystem}.default}/bin/polykey \ + --password-file ''${CREDENTIALS_DIRECTORY}/password \ + --node-path ${config.services.polykey.statePath} \ + bootstrap ${ + lib.optionalString + (config.services.polykey.recoveryCodeFilePath != "") + "-rcf ${config.services.polykey.recoveryCodeFilePath}" + }\ + --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath} + ''; + ExecStart = '' + ${self.outputs.packages.${buildSystem}.default}/bin/polykey \ + --password-file ''${CREDENTIALS_DIRECTORY}/password \ + --node-path ${config.services.polykey.statePath} \ + agent start \ + --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath} + ''; + }; + }; + }; + }; + homeManagerModules.default = { config, ... 
}: + with nixpkgs-matrix; + with lib; { + options = { + programs.polykey = { + enable = mkEnableOption "Enable the user-space Polykey agent."; + }; + }; + config = mkIf config.programs.polykey.enable { + home.packages = [ self.outputs.packages.${buildSystem}.default ]; + }; + }; +}
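Review bot: In `systemd.services.polykey.serviceConfig` the recovery code is written by the root service to the operator-supplied `recoveryCodeOutPath`, in ExecStartPre and again on every ExecStart, with no umask set, so the resulting file mode depends on the daemon's default umask and the target directory rather than on anything the module controls; the activation script hardens only `statePath`. Add `UMask = "0077";` to the serviceConfig (or document that `recoveryCodeOutPath` must live in a root-only directory) so a file that presumably suffices to recover the node's identity is not left readable by other users. Separately, the `programs.polykey` options declared in the NixOS module (`passwordFilePath`, `recoveryCodeFilePath`, `recoveryCodeOutPath`, `statePath`) are never read by the `config` block, which consumes only `services.polykey`, so they are dead and should be removed or wired up. `PermissionsStartOnly = true` is deprecated in systemd in favour of the `+` prefix on `ExecStartPre`; worth migrating while the file is being moved.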