From 80daec912f635046db11593392e5732fbf6a3737 Mon Sep 17 00:00:00 2001
From: Zax71 <67716263+zax71@users.noreply.github.com>
Date: Tue, 29 Apr 2025 17:31:49 +0100
Subject: [PATCH] Add syntax hylighting in README.md
---
 README.md | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 5b03331..f79310f 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,7 @@ You should already have secrets provisioning set up using, e.g., [sops-nix](http
 Given a NixOS system configuration `sys = nixpkgs.lib.nixosSystem { ... }` we can derive a new configuration from it by calling `extendModules`. The interesting part is that we can now use `sys` and all the values inside of it in the new modules, e.g.:
-```
+```nix
 newsys = sys.extendModules {
 modules = [ ... ];
 specialArgs = { prev = sys; };
@@ -29,8 +29,8 @@ Given a NixOS system configuration `sys = nixpkgs.lib.nixosSystem { ... }` we ca
 What makes this so interesting is that you can replace a value in a module while taking reference to its previous value. Something that would previously end you up in an infinite recursion:
-```
- environment.etc."test.cfg".text = ''${prev.config.environment.etc."test.cfg".text} more text here afterwards'';
+```nix
+environment.etc."test.cfg".text = ''${prev.config.environment.etc."test.cfg".text} more text here afterwards'';
 ```
 This can be used to extract the names of configuration files from systemd service configurations and later inject different names back into them.
@@ -44,7 +44,7 @@ In the example, we will securely provision bridge-passwords for Mosquitto.
 Create your Mosquitto config as usual. But use placeholders sandwiched between `!!` to name your secrets.
-```
+```nix
 services.mosquitto = {
 enable = true;
 listeners = [
@@ -73,7 +73,7 @@ Create your Mosquitto config as usual. But use placeholders sandwiched between `
 Also, you will configure your favorite secrets provisioning tool here to ensure that the secrets are later available at runtime:
-```
+```nix
 sops.secrets.br1passwd = {};
 sops.secrets.br2passwd = {};
 ```
@@ -82,7 +82,7 @@ Also, you will configure your favorite secrets provisioning tool here to ensure
2. Create a derived system to add secret-provisioning module
-```
+```nix
 nixosConfigurations = let
 base_sys = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -108,7 +108,7 @@ Also, you will configure your favorite secrets provisioning tool here to ensure
 This is the part that is specific to each service. You will need to do some investigation to figure out how the configuration is passed to the service. Firstly, extract the path of the generated config file:
-```
+```nix
 let
 start = "${prev.config.systemd.services.mosquitto.serviceConfig.ExecStart}";
 mosquitto_cfgfile = builtins.head (builtins.match ".*-c ([^[:space:]]+)" "${start}");
@@ -118,7 +118,7 @@ in
 Now, create a transformator to replace the secret placeholders in this file:
-```
+```nix
 scalpel.trafos."mosquitto.conf" = {
 source = mosquitto_cfgfile;
 matchers."BR1_PASSWORD".secret = config.sops.secrets.br1passwd.path;
@@ -130,8 +130,8 @@ Now, create a transformator to replace the secret placeholders in this file:
 ```
 Finally, replace the configuraton file with the newly created one:
-
-```
+nix
+```nix
 systemd.services.mosquitto.serviceConfig.ExecStart = lib.mkForce (
 builtins.replaceStrings [ "${mosquitto_cfgfile}" ] [ "${config.scalpel.trafos."mosquitto.conf".destination} "] "${start}"
 );
@@ -146,7 +146,7 @@ WARNING: THIS CONTAINER USES PUBLICALLY KNOWN PRIVATE KEYS. DO NOT USE THEM IN Y
 To quickly test the example, you can run it as a NixOS container after cloning the Flake.
-```
+```nix
 sudo nixos-container create em --flake .#exampleContainer
 sudo nixos-container start em
 sudo machinectl shell em
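Review bot: In the `@@ -130,8 +130,8 @@` hunk the new side carries a stray `+nix` line between `Finally, replace the configuraton file with the newly created one:` and the opening fence `+```nix`, so the rendered README will show the bare word "nix" as prose (CommonMark folds it into the preceding paragraph) instead of a blank line before the code block. This looks like a slip while retagging the fence: the blank line that the hunk removes (`-`) should stay and only the fence should change, i.e. the new side reads a blank line followed by the line "```nix". While touching this paragraph, `configuraton` in the context line is a typo for `configuration`, although that line is outside the change itself.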
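Review bot: The fence retagged in the `@@ -146,7 +146,7 @@` hunk wraps shell commands (`sudo nixos-container create em --flake .#exampleContainer` and the two lines after it), not a Nix expression, so tagging it `nix` will mis-highlight it and misleads readers about what they are looking at. The transcript block later in this file is tagged `console`; for plain commands without prompts `shell` (or `bash`) is the matching tag, so change `+```nix` to `+```shell` here.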
@@ -154,14 +154,14 @@ sudo machinectl shell em
 Inside the container, we can see the changes in action:
-```
-$ systemctl cat mosquitto | grep ExecStart
+```console
+user@example:~$ systemctl cat mosquitto | grep ExecStart
 ExecStart=/nix/store/jd00fshpzdc8mm1gqf2x8s7pkb8yb8nj-mosquitto-2.0.14/bin/mosquitto -c /run/scalpel/mosquitto.conf
-$ ls -la /run/scalpel/
+user@example:~$ ls -la /run/scalpel/
 -r--r----- 1 mosquitto mosquitto 373 Jun 18 17:10 mosquitto.conf
-$ cat /run/scalpel/mosquitto.conf
+user@example:~$ cat /run/scalpel/mosquitto.conf
 [...]
 connection br1
 addresses 127.0.0.2:1883