diff --git a/flake.lock b/flake.lock
index a261d298..4e6263c3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1724733243,
- "narHash": "sha256-0oYi7F5GHsBr714FvPxRyqkIyGAQAiLYF+4+lmtjxRQ=",
+ "lastModified": 1724748625,
+ "narHash": "sha256-aJn/QBY200UOvRCtsBbWdlixHoYxSp+UHlxSZ25HTpE=",
 "owner": "MatrixAI",
 "repo": "nixpkgs-matrix",
- "rev": "d8946c1dddce9eb3136080a1efc47f7afee76ecc",
+ "rev": "850aaa543b8913ee2ef69f145265211f344ca9b2",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 42272438..67fab15c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -141,164 +141,14 @@
 default = shell { ci = false; };
 ci = shell { ci = true; };
 };
- }) // {
- nixosModules.default = { config, ... }:
- with nixpkgs-matrix.lib; {
- options = {
- services.polykey = {
- enable = mkEnableOption
- "Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent.";
-
- passwordFilePath = mkOption {
- type = with types; uniq str;
- description = ''
- The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
- '';
- };
-
- recoveryCodeFilePath = mkOption {
- type = with types; uniq str;
- default = "";
- description = ''
- The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
- '';
- };
-
- recoveryCodeOutPath = mkOption {
- type = with types; uniq str;
- description = ''
- The path to the Polykey recovery code file output location.
- '';
- };
-
- statePath = mkOption {
- type = with types; uniq str;
- default = "/var/lib/polykey";
- description =
- "The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path.";
- };
- };
- programs.polykey = {
- enable = mkEnableOption "Enable the per-user Polykey agent.";
-
- passwordFilePath = mkOption {
- type = with types; uniq str;
- description = ''
- The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
- '';
- };
-
- recoveryCodeFilePath = mkOption {
- type = with types; uniq str;
- default = "";
- description = ''
- The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
- '';
- };
-
- recoveryCodeOutPath = mkOption {
- type = with types; uniq str;
- description = ''
- The path to the Polykey recovery code file output location.
- '';
- };
-
- statePath = mkOption {
- type = with types; uniq str;
- default = "%h/.local/share/polykey";
- description =
- "The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path.";
- };
- };
- };
- config = mkMerge [
- (mkIf config.services.polykey.enable {
- users.groups.polykey = { };
-
- environment.systemPackages =
- [ self.outputs.packages.${buildSystem}.default ];
-
- system.activationScripts.makeAgentPaths = ''
- mkdir -p ${config.services.polykey.statePath}
- chgrp -R polykey ${config.services.polykey.statePath}
- chmod 770 ${config.services.polykey.statePath}
- '';
-
- systemd.services.polykey = {
- description = "Polykey Agent";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- User = "root";
- Group = "polykey";
- PermissionsStartOnly = true;
- LoadCredential = [
- "password:${config.services.polykey.passwordFilePath}"
- ];
- ExecStartPre = ''
- -${
- self.outputs.packages.${buildSystem}.default
- }/bin/polykey \
- --password-file ''${CREDENTIALS_DIRECTORY}/password \
- --node-path ${config.services.polykey.statePath} \
- bootstrap ${
- lib.optionalString
- (config.services.polykey.recoveryCodeFilePath != "")
- "-rcf ${config.services.polykey.recoveryCodeFilePath}"
- }\
- --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
- '';
- ExecStart = ''
- ${
- self.outputs.packages.${buildSystem}.default
- }/bin/polykey \
- --password-file ''${CREDENTIALS_DIRECTORY}/password \
- --node-path ${config.services.polykey.statePath} \
- agent start \
- --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
- '';
- };
- };
- })
- (mkIf config.programs.polykey.enable {
- environment.systemPackages =
- [ self.outputs.packages.${buildSystem}.default ];
-
- system.activationScripts.makeUserAgentPaths = ''
- mkdir -p ${config.programs.polykey.statePath}
- '';
-
- systemd.user.services.polykey = {
- description = "Polykey Agent";
- wantedBy = [ "default.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- ExecStartPre = ''
- -${
- self.outputs.packages.${buildSystem}.default
- }/bin/polykey \
- --password-file ${config.programs.polykey.passwordFilePath} \
- --node-path ${config.programs.polykey.statePath} \
- bootstrap ${
- lib.optionalString
- (config.programs.polykey.recoveryCodeFilePath != "")
- "-rcf ${config.programs.polykey.recoveryCodeFilePath}"
- }\
- --recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
- '';
- ExecStart = ''
- ${
- self.outputs.packages.${buildSystem}.default
- }/bin/polykey \
- --password-file ${config.programs.polykey.passwordFilePath} \
- --node-path ${config.programs.polykey.statePath} \
- agent start \
- --recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
- '';
- };
- };
- })
- ];
- };
- };
+ }) // (let
+ modules = import ./modules.nix {
+ inherit nixpkgs-matrix;
+ outputs = self.outputs;
+ system = "x86_64-linux";
+ };
+ in {
+ nixosModules.default = modules.polykey;
+ homeModules.default = modules.polykey-home;
+ });
 }
diff --git a/modules.nix b/modules.nix
new file mode 100644
index 00000000..8a779399
--- /dev/null
+++ b/modules.nix
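Review bot: The new `let` block pins `system = "x86_64-linux";` when importing ./modules.nix, whereas the removed module selected the package with `${buildSystem}`; because modules.nix resolves `outputs.packages.${system}.default` from that value, both exported modules will install the x86_64-linux build regardless of the host the module is evaluated for, which on any other architecture means an evaluation failure or a foreign binary in the system closure. A safer shape is to have the modules take `pkgs` and resolve `outputs.packages.${pkgs.stdenv.hostPlatform.system}.default` at evaluation time rather than at import time; if single-architecture support is intended, a comment above the `let` such as `# modules.nix resolves outputs.packages for x86_64-linux only` would make the limitation explicit. I cannot see where `buildSystem` was bound, so whether it was already fixed to one value is inferred. The enclosing `outputs` function starts outside this hunk.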
@@ -0,0 +1,148 @@
+{ outputs, nixpkgs-matrix, system, ... }:
+
+{
+ polykey = { config, ... }:
+ with nixpkgs-matrix.lib.${system}; {
+ options = {
+ services.polykey = {
+ enable = mkEnableOption
+ "Enable the Polykey agent. Users with the `polykey` group or root permissions will be able to manage the agent.";
+
+ passwordFilePath = mkOption {
+ type = with types; uniq str;
+ description = ''
+ The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
+ '';
+ };
+
+ recoveryCodeFilePath = mkOption {
+ type = with types; uniq str;
+ default = "";
+ description = ''
+ The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
+ '';
+ };
+
+ recoveryCodeOutPath = mkOption {
+ type = with types; uniq str;
+ description = ''
+ The path to the Polykey recovery code file output location.
+ '';
+ };
+
+ statePath = mkOption {
+ type = with types; uniq str;
+ default = "/var/lib/polykey";
+ description =
+ "The path to the Polykey node state directory. Will default to `/var/lib/polykey`, but can be overwritten to a custom path.";
+ };
+ };
+ };
+ config = mkIf config.services.polykey.enable {
+ users.groups.polykey = { };
+
+ environment.systemPackages = [ outputs.packages.${system}.default ];
+
+ system.activationScripts.makeAgentPaths = ''
+ mkdir -p ${config.services.polykey.statePath}
+ chgrp -R polykey ${config.services.polykey.statePath}
+ chmod 770 ${config.services.polykey.statePath}
+ '';
+
+ systemd.services.polykey = {
+ description = "Polykey Agent";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ User = "root";
+ Group = "polykey";
+ PermissionsStartOnly = true;
+ LoadCredential =
+ [ "password:${config.services.polykey.passwordFilePath}" ];
+ ExecStartPre = ''
+ -${outputs.packages.${system}.default}/bin/polykey \
+ --password-file ''${CREDENTIALS_DIRECTORY}/password \
+ --node-path ${config.services.polykey.statePath} \
+ bootstrap ${
+ optionalString
+ (config.services.polykey.recoveryCodeFilePath != "")
+ "-rcf ${config.services.polykey.recoveryCodeFilePath}"
+ }\
+ --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
+ '';
+ ExecStart = ''
+ ${outputs.packages.${system}.default}/bin/polykey \
+ --password-file ''${CREDENTIALS_DIRECTORY}/password \
+ --node-path ${config.services.polykey.statePath} \
+ agent start \
+ --recovery-code-out-file ${config.services.polykey.recoveryCodeOutPath}
+ '';
+ };
+ };
+ };
+ };
+ polykey-home = { config, ... }:
+ with nixpkgs-matrix.lib.${system}; {
+ options = {
+ programs.polykey = {
+ enable = mkEnableOption "Enable the user-space Polykey agent.";
+
+ passwordFilePath = mkOption {
+ type = with types; uniq str;
+ description = ''
+ The path to the Polykey password file. This is required to be set for the module to work, otherwise this module will fail.
+ '';
+ };
+
+ recoveryCodeFilePath = mkOption {
+ type = with types; uniq str;
+ default = "";
+ description = ''
+ The path to the Polykey recovery code file. This is not required, but if set will read a recovery code from the provided path to bootstrap a new state with.
+ '';
+ };
+
+ recoveryCodeOutPath = mkOption {
+ type = with types; uniq str;
+ description = ''
+ The path to the Polykey recovery code file output location.
+ '';
+ };
+
+ statePath = mkOption {
+ type = with types; uniq str;
+ default = "%h/.local/share/polykey";
+ description =
+ "The path to the Polykey node state directory. Will default to `$HOME/.local/share/polykey`, but can be overwritten to a custom path.";
+ };
+ };
+ };
+ config = mkIf config.programs.polykey.enable {
+ home.packages = [ outputs.packages.${system}.default ];
+
+ systemd.user.services.polykey = {
+ Unit = { Description = "Polykey Agent"; };
+ Service = {
+ ExecStartPre = ''
+ -${outputs.packages.${system}.default}/bin/polykey \
+ --password-file ${config.programs.polykey.passwordFilePath} \
+ --node-path ${config.programs.polykey.statePath} \
+ bootstrap ${
+ optionalString
+ (config.programs.polykey.recoveryCodeFilePath != "")
+ "-rcf ${config.programs.polykey.recoveryCodeFilePath}"
+ }\
+ --recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
+ '';
+ ExecStart = ''
+ ${outputs.packages.${system}.default}/bin/polykey \
+ --password-file ${config.programs.polykey.passwordFilePath} \
+ --node-path ${config.programs.polykey.statePath} \
+ agent start \
+ --recovery-code-out-file ${config.programs.polykey.recoveryCodeOutPath}
+ '';
+ };
+ };
+ };
+ };
+}
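Review bot: In `polykey-home`, `systemd.user.services.polykey` declares `Unit` and `Service` but no `Install` section, so the unit file is generated but nothing pulls it in at login; the removed NixOS per-user service had `wantedBy = [ "default.target" ]`, and the home-manager equivalent is `Install = { WantedBy = [ "default.target" ]; };` next to `Service`. The home module also hands `passwordFilePath` straight to `--password-file`, whereas the system module stages it through `LoadCredential` and reads the copy under `$CREDENTIALS_DIRECTORY`; if the target systemd supports credentials for user units, the same pattern would keep the two modules consistent and the agent from opening the original file directly. In the system service, `PermissionsStartOnly = true` has no effect while `User = "root"`, and running the agent itself as root is a larger footprint than the `polykey` group design suggests is needed; if root is intentional, a one-line comment saying why would spare the next reader the question. Finally, `recoveryCodeOutPath` has no default yet is interpolated unconditionally once the module is enabled, so its description should state that it is required, as `passwordFilePath`'s already does.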