[wip] handling env file (still fails)

rm unused dep nix-templating fix imports
2025-06-22 12:02:26 +02:00 · 2025-06-22 12:02:26 +02:00 · 45e97e8339
commit 45e97e8339
parent ebd79d2d5e
5 changed files with 44 additions and 23 deletions
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -59,6 +59,7 @@ in
        inputs.nixpkgs

        sources.flake-parts
+        sources.nixpkgs
        sources.flake-inputs
        sources.git-hooks
        sources.vars
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -260,7 +260,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
-  nodes.attic.virtualisation.memorySize = 2 * 1024;
+  nodes.attic.virtualisation.memorySize = 4 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -32,7 +32,7 @@ in
  ## options that really need to be injected from the resource. Everything else
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
-    imports = [
+    imports = with sources; [
      "${agenix}/modules/age.nix"
      "${disko}/module.nix"
      "${vars}/options.nix"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -155,14 +155,14 @@
      "type": "Git",
      "repository": {
        "type": "GitHub",
-        "owner": "lassulus",
+        "owner": "kiaragrouwstra",
        "repo": "vars"
      },
-      "branch": "main",
+      "branch": "templates",
      "submodules": false,
-      "revision": "856c18f0e7b95e262ac88ba9ddebf506a16fd4a5",
-      "url": "https://github.com/lassulus/vars/archive/856c18f0e7b95e262ac88ba9ddebf506a16fd4a5.tar.gz",
-      "hash": "095dmc67pf5idj4pgnibjbgfxpkm73px3sc6hylc9j0sqh3379q7"
+      "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz",
+      "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw"
    }
  },
  "version": 5
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@ -7,10 +7,6 @@
 let
  inherit (lib) mkIf mkMerge;
  sources = import ../../../npins;
-  inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; })
-    fileContents
-    template_text
-    ;
 in
 {
  imports = with sources; [
@ -80,11 +76,45 @@ in
        8080
      ];

+      vars.settings.on-machine.enable = true;
+      vars.generators."templates" = rec {
+        dependencies = [ "attic" ];
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.gnused
+        ];
+        script = lib.concatStringsSep "\n" (
+          lib.mapAttrsToList (template: _: ''
+            cp "$templates/${template}" "$out/${template}"
+            echo "filling placeholders in template ${template}..."
+            ${lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (
+                parent:
+                { placeholder, ... }:
+                ''
+                  sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"
+                  echo "- substituted ${parent}"
+                ''
+              ) config.vars.generators."attic".files
+            )}
+          '') files
+        );
+
+        files."attic.env" = {
+          secret = true;
+          template = pkgs.writeText "attic.env" ''
+            ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.vars.generators.attic.files.token.placeholder}
+            AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})
+            AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.attic.s3SecretKeyFile})
+          '';
+        };
+      };
+
      vars.generators.attic = {
        runtimeInputs = [ pkgs.openssl ];
        files.token.secret = true;
        script = ''
-          genrsa -traditional 4096 | base64 -w0 > $out/token
+          genrsa -traditional 4096 | base64 -w0 > "$out"/token
        '';
      };

@ -93,17 +123,7 @@ in
        # one `monolithic` and any number of `api-server` nodes
        mode = "monolithic";

-        environmentFile = "${
-          template_text {
-            name = "attic.env";
-            outPath = "./attic.env";
-            text = ''
-              ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${fileContents config.vars.generators.attic.files.token.path}
-              AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})
-              AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.attic.s3SecretKeyFile})
-            '';
-          }
-        }/bin/attic.env";
+        environmentFile = config.vars.generators."templates".files."attic.env".path;

        # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
        settings = {