My nix-darwin and NixOS config

fix(darwin): remove unused self from macmini specialArgs; fix developerDirs sops timing

- Drop `specialArgs = { inherit self; }` from darwinConfigurations.macmini —
self was never consumed and caused a builtins.derivation context warning
- Add setupSecrets to developerDirs dag dependencies so sops secrets are
available before repo cloning runs
- Fall back to direct sops decryption with age key when sops-nix hasn't yet
written the decrypted token file (Darwin launchd timing issue)
- Export GIT_SSH_COMMAND to ensure ssh is on PATH during activation
- Remove launchd user agents for Tailscale and AltServer launchers

+28 -33
+8 -3
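--- a/flake.nix
+++ b/flake.nix
@@ -125,7 +125,10 @@
 server = nixpkgs.lib.nixosSystem {
 specialArgs = {
 inherit self;
-pkgs-unstable = import nixpkgs-unstable { system = "x86_64-linux"; config.allowUnfree = true; };
+pkgs-unstable = import nixpkgs-unstable {
+system = "x86_64-linux";
+config.allowUnfree = true;
+};
 };
 modules = nixosModules ++ [
 ./hosts/server
@@ -136,7 +139,10 @@
 server-arm = nixpkgs.lib.nixosSystem {
 specialArgs = {
 inherit self;
-pkgs-unstable = import nixpkgs-unstable { system = "aarch64-linux"; config.allowUnfree = true; };
+pkgs-unstable = import nixpkgs-unstable {
+system = "aarch64-linux";
+config.allowUnfree = true;
+};
 };
 modules = nixosModules ++ [
 ./hosts/server
@@ -147,7 +153,6 @@
 
 darwinConfigurations = {
 macmini = nix-darwin.lib.darwinSystem {
-specialArgs = { inherit self; };
 modules = darwinModules ++ [
 ./hosts/macmini
 { nixpkgs.hostPlatform = "aarch64-darwin"; }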
+20 -2
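--- a/home/default.nix
+++ b/home/default.nix
@@ -148,9 +148,12 @@
 # ~/Developer/Git — GitHub repos (ewanc26, minus nix) + non-mirror Forgejo repos.
 # ~/Developer/Local — private Forgejo repos (requires userApiTokenFile to be set).
 # Repos are cloned via SSH on first activation; existing dirs are never touched.
-home.activation.developerDirs = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+home.activation.developerDirs = lib.hm.dag.entryAfter [ "writeBoundary" "setupSecrets" ] ''
 $DRY_RUN_CMD mkdir -p "$HOME/Developer/Git"
 $DRY_RUN_CMD mkdir -p "$HOME/Developer/Local"
+
+# Ensure ssh is visible to git during activation (PATH is stripped).
+export GIT_SSH_COMMAND="/usr/bin/ssh"
 
 # ── GitHub ────────────────────────────────────────────────────────────────
 if ${pkgs.curl}/bin/curl --silent --max-time 5 --output /dev/null "https://github.com"; then
@@ -179,7 +182,22 @@
 if ${pkgs.curl}/bin/curl --silent --max-time 5 --output /dev/null "https://${cfg.forgejo.hostname}"; then
 forgejo_token_arg=""
 ${lib.optionalString (cfg.forgejo.userApiTokenFile != null) ''
-forgejo_token_arg="&token=$(cat "${cfg.forgejo.userApiTokenFile}")"
+_token_file="${cfg.forgejo.userApiTokenFile}"
+# On Darwin, sops-nix decrypts via a launchd agent after activation,
+# so the pre-decrypted file may not exist yet. Fall back to decrypting
+# directly with the user age key if available.
+if [ ! -f "$_token_file" ] && [ -f "$HOME/.config/age/keys.txt" ]; then
+_raw="${builtins.toString ../secrets/forgejo-user-token}"
+_token_file=$(mktemp)
+SOPS_AGE_KEY_FILE="$HOME/.config/age/keys.txt" \
+${pkgs.sops}/bin/sops --decrypt --input-type binary --output-type binary \
+"$_raw" > "$_token_file" 2>/dev/null || { rm -f "$_token_file"; _token_file=""; }
+fi
+if [ -n "$_token_file" ] && [ -f "$_token_file" ]; then
+forgejo_token_arg="&token=$(cat "$_token_file")"
+else
+echo "developer: forgejo token unavailable, skipping private repos"
+fi
 ''}
 
 page=1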
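Review bot: The age-key fallback decrypts the Forgejo token into a `mktemp` file that is never removed, so the plaintext token stays on disk under the temp directory after activation, whereas the previous code only ever read the sops-nix managed file. Because `_token_file` may also point at the sops-nix path, cleanup needs a separate variable for the temporary copy; the value is already captured into `forgejo_token_arg` by `cat`, so the file can be deleted right after the second `if`. Two smaller points in the same hunk: `2>/dev/null` on the sops call hides why decryption failed, which makes the "token unavailable" message hard to act on, and `export GIT_SSH_COMMAND="/usr/bin/ssh"` is a Darwin-specific path in a module this flake appears to share with its NixOS hosts, so guarding it with `${lib.optionalString pkgs.stdenv.isDarwin ...}` or pointing it at `${pkgs.openssh}/bin/ssh` would avoid a missing binary there. The activation block continues beyond the hunk; the page loop that consumes forgejo_token_arg is outside it.
```nix
_token_file="${cfg.forgejo.userApiTokenFile}"
_tmp_token=""
# … unchanged: comment on Darwin sops-nix timing …
if [ ! -f "$_token_file" ] && [ -f "$HOME/.config/age/keys.txt" ]; then
  _raw="${builtins.toString ../secrets/forgejo-user-token}"
  _tmp_token=$(mktemp)
  _token_file="$_tmp_token"
  SOPS_AGE_KEY_FILE="$HOME/.config/age/keys.txt" \
    ${pkgs.sops}/bin/sops --decrypt --input-type binary --output-type binary \
    "$_raw" > "$_tmp_token" || { rm -f "$_tmp_token"; _tmp_token=""; _token_file=""; }
fi
if [ -n "$_token_file" ] && [ -f "$_token_file" ]; then
  forgejo_token_arg="&token=$(cat "$_token_file")"
else
  echo "developer: forgejo token unavailable, skipping private repos"
fi
# Remove the plaintext copy now that the token is held in the variable.
if [ -n "$_tmp_token" ]; then rm -f "$_tmp_token"; fi
```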
-28
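--- a/hosts/macmini/default.nix
+++ b/hosts/macmini/default.nix
@@ -31,34 +31,6 @@
 # See docs/time-machine.md for first-time setup instructions.
 myConfig.darwin.externalDisk.timeMachineVolumeUUID = "9217DB34-722B-4596-8ADD-20C8060FC257";
 
-# Tailscale — auto-start at login so SSH ProxyCommand never fails on boot.
-launchd.user.agents."com.tailscale.tailscaled-launcher" = {
-serviceConfig = {
-ProgramArguments = [
-"/usr/bin/open"
-"-a"
-"/Applications/Tailscale.app"
-];
-RunAtLoad = true;
-KeepAlive = false;
-};
-};
-
-# AltServer is a menu bar app (LSUIElement = true) so macOS intentionally
-# hides it from Spotlight — this is by design and cannot be changed.
-# Launch it automatically at login via a launchd user agent instead.
-launchd.user.agents."com.rileytestut.AltServer-launcher" = {
-serviceConfig = {
-ProgramArguments = [
-"/usr/bin/open"
-"-a"
-"/Applications/AltServer.app"
-];
-RunAtLoad = true;
-KeepAlive = false; # one-shot: open the app then exit
-};
-};
-
 # Timezone — driven from myConfig.timeZone
 time.timeZone = cfg.timeZone;
 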