Fix docker/kubernetes secret management

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-01-20 12:08:27 +00:00
parent 67e7549452
commit d9c9e40f6c
6 changed files with 64 additions and 76 deletions


@@ -1,6 +1,7 @@
{ {
user ? throw "user argument is required", user ? throw "user argument is required",
home ? throw "home argument is required", home ? throw "home argument is required",
rootless ? true,
}: }:
{ {
config, config,
@@ -8,45 +9,49 @@
pkgs, pkgs,
... ...
}: }:
{ lib.mkMerge (
virtualisation.docker.rootless = { [
enable = true; {
setSocketVariable = true; virtualisation.docker.rootless = {
enableOnBoot = false; enable = rootless;
storageDriver = "btrfs"; setSocketVariable = true;
enableOnBoot = false;
storageDriver = "btrfs";
daemon.settings = { daemon.settings = {
experimental = true; experimental = true;
ipv6 = true; ipv6 = true;
fixed-cidr-v6 = "fd00::/80"; fixed-cidr-v6 = "fd00::/80";
};
autoPrune = {
enable = true;
flags = [ "--all" ];
};
};
home-manager.users.${user}.home = {
packages = with pkgs; [ docker-compose ];
sessionVariables = {
DOCKER_CONFIG = "${home}/.config/docker";
};
};
}
]
++ (lib.lists.optional rootless {
environment.persistence."/persist"."${home}/.local/share/docker" = { };
systemd.user = {
services.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
sockets.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
}; };
})
autoPrune = { ++ (lib.lists.optional (!rootless) {
enable = true; users.users.${user}.extraGroups = [ "docker" ];
flags = [ "--all" ]; })
}; )
};
home-manager.users.${user}.home = {
packages = with pkgs; [ docker-compose ];
sessionVariables = {
DOCKER_CONFIG = "${home}/.config/docker";
};
};
}
// lib.mkIf config.virtualisation.docker.rootless.enable {
environment.persistence."/persist"."${home}/.local/share/docker" = { };
systemd.user = {
services.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
sockets.docker.after = [
config.environment.persistence."/persist"."${home}/.local/share/docker".mount
];
};
}
// lib.mkIf (!config.virtualisation.docker.rootless.enable) {
users.users.${user}.extraGroups = [ "docker" ];
}
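Review bot: The rootful branch (`lib.lists.optional (!rootless) { users.users.${user}.extraGroups = [ "docker" ]; }`) adds the user to the `docker` group without any note that this is root-equivalent access to the host, since anyone who can talk to the rootful daemon socket can mount the host filesystem into a container. A comment such as `# NOTE: "docker" group membership is root-equivalent on this host; only granted when the rootful daemon is used` above that line would make the trade-off visible to whoever flips `rootless = false` (as the host file in the last hunk of this commit now does). It also looks like nothing in this module enables the rootful daemon itself or carries `storageDriver`/`autoPrune` over to it when `rootless` is false, so those still sit under `virtualisation.docker.rootless` — presumably the host enables `virtualisation.docker` elsewhere; worth confirming or documenting here. The surrounding `lib.mkMerge` expression is visible in full, but the file's argument header continues above the first hunk.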


@@ -12,12 +12,16 @@
}) })
]; ];
environment.persistence."/cache"."${home}/.kube/cache" = { }; environment.persistence = {
"/persist"."${home}/.kube" = { };
"/cache"."${home}/.kube/cache" = { };
};
home-manager.users.${user} = { home-manager.users.${user} = {
home.packages = with pkgs; [ home.packages = with pkgs; [
kubectl kubectl
kubernetes-helm kubernetes-helm
kustomize
kind kind
]; ];
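Review bot: The new `"/persist"."${home}/.kube" = { };` entry persists the whole kubeconfig directory, which is where the sops-provisioned kubeconfigs removed later in this commit were written (`${home}/.kube/d9027x`), so the persisted directory now holds cluster credentials across reboots. Presumably the persistence module creates that directory with the user's ownership; confirm the mode is user-only (0700) rather than a default that lets other local accounts list or read it, since kubeconfigs carry bearer tokens and client keys. A short comment, e.g. `# ~/.kube holds cluster credentials; persisted so sops-provisioned kubeconfigs survive reboots`, would record why this moved out of the host-specific module. The enclosing attribute set starts above this hunk.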


@@ -4,10 +4,7 @@
}: }:
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
environment = { environment.persistence."/persist"."${home}/.local/share/zsh" = { };
sessionVariables.ZDOTDIR = "$HOME/.config/zsh";
persistence."/persist"."${home}/.local/share/zsh" = { };
};
home-manager.users.${user} = { home-manager.users.${user} = {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
@@ -36,6 +33,9 @@
''; '';
}; };
home.file.".zshenv".enable = false; home = {
file.".zshenv".enable = false;
sessionVariables.ZDOTDIR = "${home}/.config/zsh";
};
}; };
} }
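Review bot: Moving `ZDOTDIR` from `environment.sessionVariables` to `home.sessionVariables` (second hunk) changes when the variable becomes visible to zsh: the system-level variable is set for the login session, whereas home-manager's session variables are sourced by the shell's own startup files. With `file.".zshenv".enable = false` in the same block, zsh will look for `$ZDOTDIR/.zshenv` on startup, so if `ZDOTDIR` is not yet exported at that point the user's zsh config under `${home}/.config/zsh` may never be read — I cannot see from this hunk what else exports it, so please verify a fresh login (not a re-exec from an already-configured shell) still loads the config. A comment above `sessionVariables.ZDOTDIR` stating where the variable is expected to be exported before zsh starts would prevent this from regressing silently. The `home-manager.users.${user}` attribute set spans both hunks and starts in the first.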


@@ -4,9 +4,7 @@
}: }:
{ lib, ... }: { lib, ... }:
{ {
virtualisation.docker.rootless.enable = lib.mkForce false; home-manager.users.${user}.sops.secrets = {
sops.secrets = {
"docker" = { "docker" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml; sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
path = "${home}/.config/docker/config.json"; path = "${home}/.config/docker/config.json";
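Review bot: The `docker` secret is now declared under `home-manager.users.${user}.sops.secrets` instead of the system-level `sops.secrets`, which means it is decrypted by the user's home-manager sops activation rather than by the system one, but nothing in the hunk records that intent. A comment above the new line, such as `# Declared at home-manager level so the secret is decrypted with the user's age key and written into the user-owned DOCKER_CONFIG dir`, would explain the move to the next reader; the `DOCKER_CONFIG` variable pointing at `${home}/.config/docker` is set in the common docker module changed earlier in this commit. The `mkForce false` removal is consistent with the host file now passing `rootless = false` explicitly. The attribute set continues past the end of this hunk.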


@@ -14,30 +14,8 @@
}) })
]; ];
environment.persistence."/persist"."${home}/.kube" = { }; home-manager.users.${user}.home.packages = with pkgs; [
telepresence
home-manager.users.${user} = { kubeval
home.packages = with pkgs; [ ];
telepresence
kubeval
kustomize
];
sops.secrets = {
"kubeconfig/d90270" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
path = "${home}/.kube/d90270";
};
"kubeconfig/d90271" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
path = "${home}/.kube/d90271";
};
"kubeconfig/d90272" = {
sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
path = "${home}/.kube/d90272";
};
};
};
} }
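Review bot: The three `kubeconfig/d9027x` sops secrets are deleted from this module and, unlike the `docker` secret in the sibling file, no replacement under `home-manager.users.${user}.sops.secrets` appears in any hunk of this commit. If they were intentionally moved to a file not shown here, the commit message should say so; if not, the kubeconfig files under `${home}/.kube` stop being provisioned even though that directory is now persisted by the common kubernetes module. The `sopsFile` and `path` values were only visible in the removed lines, so they are not preserved anywhere on the new side of this diff. The enclosing attribute set starts above this hunk.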


@@ -11,7 +11,10 @@ in
(import ../../../common/configs/user/console/bashmount { inherit user home; }) (import ../../../common/configs/user/console/bashmount { inherit user home; })
(import ../../../common/configs/user/console/brightnessctl { inherit user home; }) (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
(import ../../../common/configs/user/console/btop { inherit user home; }) (import ../../../common/configs/user/console/btop { inherit user home; })
(import ../../../common/configs/user/console/docker { inherit user home; }) (import ../../../common/configs/user/console/docker {
inherit user home;
rootless = false;
})
(import ../../../common/configs/user/console/fastfetch { inherit user home; }) (import ../../../common/configs/user/console/fastfetch { inherit user home; })
(import ../../../common/configs/user/console/git { inherit user home; }) (import ../../../common/configs/user/console/git { inherit user home; })
(import ../../../common/configs/user/console/gpg-agent { inherit user home; }) (import ../../../common/configs/user/console/gpg-agent { inherit user home; })