Merge pull request #262 from MatrixAI/feature-module
Refactor NixOS modules and implement `home-manager` modules
brynblack authored Aug 30, 2024
2 parents ccedaf2 + bf23802 commit a031b1b
Showing 3 changed files with 161 additions and 163 deletions.
6 changes: 3 additions & 3 deletions flake.lock


170 changes: 10 additions & 160 deletions flake.nix
Expand Up @@ -141,164 +141,14 @@
default = shell { ci = false; };
ci = shell { ci = true; };
};
}) // {
nixosModules.default = { config, ... }:
with nixpkgs-matrix.lib; {
options = {
services.polykey = {
enable = mkEnableOption
"Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent.";

passwordFilePath = mkOption {
type = with types; uniq str;
description = ''
The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
'';
};

recoveryCodeFilePath = mkOption {
type = with types; uniq str;
default = "";
description = ''
The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
'';
};

recoveryCodeOutPath = mkOption {
type = with types; uniq str;
description = ''
The path to the Polykey recovery code file output location.
'';
};

statePath = mkOption {
type = with types; uniq str;
default = "/var/lib/polykey";
description =
"The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path.";
};
};
programs.polykey = {
enable = mkEnableOption "Enable the per-user Polykey agent.";

passwordFilePath = mkOption {
type = with types; uniq str;
description = ''
The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
'';
};

recoveryCodeFilePath = mkOption {
type = with types; uniq str;
default = "";
description = ''
The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
'';
};

recoveryCodeOutPath = mkOption {
type = with types; uniq str;
description = ''
The path to the Polykey recovery code file output location.
'';
};

statePath = mkOption {
type = with types; uniq str;
default = "%h/.local/share/polykey";
description =
"The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path.";
};
};
};
config = mkMerge [
(mkIf config.services.polykey.enable {
users.groups.polykey = { };

environment.systemPackages =
[ self.outputs.packages.${buildSystem}.default ];

system.activationScripts.makeAgentPaths = ''
mkdir -p ${config.services.polykey.statePath}
chgrp -R polykey ${config.services.polykey.statePath}
chmod 770 ${config.services.polykey.statePath}
'';

systemd.services.polykey = {
description = "Polykey Agent";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
User = "root";
Group = "polykey";
PermissionsStartOnly = true;
LoadCredential = [
"password:${config.services.polykey.passwordFilePath}"
];
ExecStartPre = ''
-${
self.outputs.packages.${buildSystem}.default
}/bin/polykey \
--password-file ''${CREDENTIALS_DIRECTORY}/password \
--node-path ${config.services.polykey.statePath} \
bootstrap ${
lib.optionalString
(config.services.polykey.recoveryCodeFilePath != "")
"-rcf ${config.services.polykey.recoveryCodeFilePath}"
}\
--recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
'';
ExecStart = ''
${
self.outputs.packages.${buildSystem}.default
}/bin/polykey \
--password-file ''${CREDENTIALS_DIRECTORY}/password \
--node-path ${config.services.polykey.statePath} \
agent start \
--recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
'';
};
};
})
(mkIf config.programs.polykey.enable {
environment.systemPackages =
[ self.outputs.packages.${buildSystem}.default ];

system.activationScripts.makeUserAgentPaths = ''
mkdir -p ${config.programs.polykey.statePath}
'';

systemd.user.services.polykey = {
description = "Polykey Agent";
wantedBy = [ "default.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = ''
-${
self.outputs.packages.${buildSystem}.default
}/bin/polykey \
--password-file ${config.programs.polykey.passwordFilePath} \
--node-path ${config.programs.polykey.statePath} \
bootstrap ${
lib.optionalString
(config.programs.polykey.recoveryCodeFilePath != "")
"-rcf ${config.programs.polykey.recoveryCodeFilePath}"
}\
--recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
'';
ExecStart = ''
${
self.outputs.packages.${buildSystem}.default
}/bin/polykey \
--password-file ${config.programs.polykey.passwordFilePath} \
--node-path ${config.programs.polykey.statePath} \
agent start \
--recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
'';
};
};
})
];
};
};
}) // (let
modules = import ./modules.nix {
inherit nixpkgs-matrix;
outputs = self.outputs;
system = "x86_64-linux";
};
in {
nixosModules.default = modules.polykey;
homeModules.default = modules.polykey-home;
});
}
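Review bot: The exported modules are built with a hard-coded `system = "x86_64-linux";` in the new `let` block around `modules = import ./modules.nix`, so `outputs.packages.${system}.default` inside modules.nix always resolves to the x86_64 package, whereas the removed inline module used `${buildSystem}`. On any other host architecture the NixOS and home-manager modules would install the wrong-architecture binary or fail to evaluate if that package set is absent. Consider deriving the system inside the module from the consuming configuration, e.g. `system = pkgs.stdenv.hostPlatform.system;`, or exporting the modules per system. The enclosing `outputs` function starts outside the hunk.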
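--- a/modules.nix
+++ b/modules.nix
@@ -0,0 +1,148 @@
+{ outputs, nixpkgs-matrix, system, ... }:
+
+{
+polykey = { config, ... }:
+with nixpkgs-matrix.lib.${system}; {
+options = {
+services.polykey = {
+enable = mkEnableOption
+"Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent.";
+
+passwordFilePath = mkOption {
+type = with types; uniq str;
+description = ''
+The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
+'';
+};
+
+recoveryCodeFilePath = mkOption {
+type = with types; uniq str;
+default = "";
+description = ''
+The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
+'';
+};
+
+recoveryCodeOutPath = mkOption {
+type = with types; uniq str;
+description = ''
+The path to the Polykey recovery code file output location.
+'';
+};
+
+statePath = mkOption {
+type = with types; uniq str;
+default = "/var/lib/polykey";
+description =
+"The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path.";
+};
+};
+};
+config = mkIf config.services.polykey.enable {
+users.groups.polykey = { };
+
+environment.systemPackages = [ outputs.packages.${system}.default ];
+
+system.activationScripts.makeAgentPaths = ''
+mkdir -p ${config.services.polykey.statePath}
+chgrp -R polykey ${config.services.polykey.statePath}
+chmod 770 ${config.services.polykey.statePath}
+'';
+
+systemd.services.polykey = {
+description = "Polykey Agent";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+User = "root";
+Group = "polykey";
+PermissionsStartOnly = true;
+LoadCredential =
+[ "password:${config.services.polykey.passwordFilePath}" ];
+ExecStartPre = ''
+-${outputs.packages.${system}.default}/bin/polykey \
+--password-file ''${CREDENTIALS_DIRECTORY}/password \
+--node-path ${config.services.polykey.statePath} \
+bootstrap ${
+optionalString
+(config.services.polykey.recoveryCodeFilePath != "")
+"-rcf ${config.services.polykey.recoveryCodeFilePath}"
+}\
+--recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
+'';
+ExecStart = ''
+${outputs.packages.${system}.default}/bin/polykey \
+--password-file ''${CREDENTIALS_DIRECTORY}/password \
+--node-path ${config.services.polykey.statePath} \
+agent start \
+--recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
+'';
+};
+};
+};
+};
+polykey-home = { config, ... }:
+with nixpkgs-matrix.lib.${system}; {
+options = {
+programs.polykey = {
+enable = mkEnableOption "Enable the user-space Polykey agent.";
+
+passwordFilePath = mkOption {
+type = with types; uniq str;
+description = ''
+The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
+'';
+};
+
+recoveryCodeFilePath = mkOption {
+type = with types; uniq str;
+default = "";
+description = ''
+The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
+'';
+};
+
+recoveryCodeOutPath = mkOption {
+type = with types; uniq str;
+description = ''
+The path to the Polykey recovery code file output location.
+'';
+};
+
+statePath = mkOption {
+type = with types; uniq str;
+default = "%h/.local/share/polykey";
+description =
+"The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path.";
+};
+};
+};
+config = mkIf config.programs.polykey.enable {
+home.packages = [ outputs.packages.${system}.default ];
+
+systemd.user.services.polykey = {
+Unit = { Description = "Polykey Agent"; };
+Service = {
+ExecStartPre = ''
+-${outputs.packages.${system}.default}/bin/polykey \
+--password-file ${config.programs.polykey.passwordFilePath} \
+--node-path ${config.programs.polykey.statePath} \
+bootstrap ${
+optionalString
+(config.programs.polykey.recoveryCodeFilePath != "")
+"-rcf ${config.programs.polykey.recoveryCodeFilePath}"
+}\
+--recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
+'';
+ExecStart = ''
+${outputs.packages.${system}.default}/bin/polykey \
+--password-file ${config.programs.polykey.passwordFilePath} \
+--node-path ${config.programs.polykey.statePath} \
+agent start \
+--recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
+'';
+};
+};
+};
+};
+}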
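Review bot: The home-manager unit under `systemd.user.services.polykey` defines only `Unit` and `Service` sections and no `Install` section, so nothing pulls it into `default.target` and the user agent will not start on login; the removed NixOS-side variant in flake.nix had `wantedBy = [ "default.target" ]`. Add `Install = { WantedBy = [ "default.target" ]; };` next to the `Service` attribute. Separately, the system unit runs with `User = "root"` and `--recovery-code-out-file` writes the recovery code to `recoveryCodeOutPath`, whose resulting file mode is not controlled here; stating in that option's description that the file holds a secret and should point at a root-only location would help operators. The home module also passes `passwordFilePath` directly on the command line rather than through `LoadCredential` as the system unit does, so the password file must already be readable by the user session; that is worth noting in its description as well.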
