From 20a01c89afd8e54fba2f345fb9d72eec1cbafda4 Mon Sep 17 00:00:00 2001
From: Hunter Halloran
Date: Fri, 30 Jan 2026 12:48:48 -0500
Subject: [PATCH] fix: Move ragenix to externally managed, and ask for env file references

---
 .gitignore | 4 +-
 flake.lock | 180 +---------------------------------------------------
 flake.nix | 82 +-----------------------
 package.nix | 2 -
 4 files changed, 6 insertions(+), 262 deletions(-)

diff --git a/.gitignore b/.gitignore
index e630a8a..293689c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,7 @@ __pycache__/
 *.egg-info/
 .venv/
 .uv/
-.env
+*.env
 .env.*.local
 .pytest_cache/
 .mypy_cache/
@@ -38,4 +38,4 @@ management-dashboard-web-app/users.txt
 # Nix
 result
 result-*
-.direnv/
\ No newline at end of file
+.direnv/
diff --git a/flake.lock b/flake.lock
index 7ed4d7e..6bae7c7 100644
--- a/flake.lock
+++ b/flake.lock
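Review bot: `*.env` still matches the bare `.env` (a gitignore `*` may match an empty prefix), so nothing previously ignored is lost, but neither `*.env` nor the retained `.env.*.local` covers names such as `.env.local` or `.env.production`, which are common homes for exactly the credentials this commit moves out of the repo. If no `.env.*` template is meant to be tracked, a single `.env.*` line next to `*.env` closes that gap; if one is, add an explicit `!.env.example`-style exception for the tracked file so the broader pattern cannot hide a real secret file behind a template.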
@@ -1,67 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": [ - "ragenix", - "nixpkgs" - ], - "systems": "systems_2" - }, - "locked": { - "lastModified": 1761656077, - "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", - "owner": "ryantm", - "repo": "agenix", - "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, - "crane": { - "locked": { - "lastModified": 1760924934, - "narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=", - "owner": "ipetkov", - "repo": "crane", - "rev": "c6b4d5308293d0d04fcfeee92705017537cad02f", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "darwin": { - "inputs": { - "nixpkgs": [ - "ragenix", - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -80,46 +18,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "ragenix", - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1769461804, 
@@ -136,56 +34,10 @@ "type": "github" } }, - "ragenix": { - "inputs": { - "agenix": "agenix", - "crane": "crane", - "flake-utils": "flake-utils_2", - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1761832913, - "narHash": "sha256-VCNVjjuRvrKPiYYwqhE3BAKIaReiKXGpxGp27lZ0MFM=", - "owner": "yaxitech", - "repo": "ragenix", - "rev": "83bccfdea758241999f32869fb6b36f7ac72f1ac", - "type": "github" - }, - "original": { - "owner": "yaxitech", - "repo": "ragenix", - "type": "github" - } - }, "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "ragenix": "ragenix" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "ragenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1761791894, - "narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "59c45eb69d9222a4362673141e00ff77842cd219", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" + "nixpkgs": "nixpkgs" } }, "systems": { @@ -202,36 +54,6 @@ "repo": "default", "type": "github" } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index d6dd1fc..9711703 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,15 +4,9 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
-
-    # For secrets management
-    ragenix = {
-      url = "github:yaxitech/ragenix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
-  outputs = { self, nixpkgs, flake-utils, ragenix }:
+  outputs = { self, nixpkgs, flake-utils }:
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs {
@@ -63,11 +57,6 @@
             # Camera SDK
             camera-sdk
 
-            # Secrets management
-            ragenix.packages.${system}.default
-            age
-            ssh-to-age
-
             # Utilities
             jq
             yq
@@ -94,83 +83,18 @@
             echo "Available commands:"
             echo " - docker-compose: Manage containers"
             echo " - supabase: Supabase CLI"
-            echo " - ragenix: Manage encrypted secrets"
-            echo " - age: Encrypt/decrypt files"
             echo ""
             echo "To activate Python venv: source .venv/bin/activate"
             echo "To edit secrets: ragenix -e secrets/env.age"
             echo ""
+            echo "NOTE: Secrets should be managed by ragenix in athenix for production deployments"
+            echo ""
           '';
 
           # Additional environment configuration
           DOCKER_BUILDKIT = "1";
           COMPOSE_DOCKER_CLI_BUILD = "1";
         };
-
-        # NixOS module for easy integration
-        nixosModules.default = { config, lib, ... }: {
-          options.services.usda-vision = {
-            enable = lib.mkEnableOption "USDA Vision camera management system";
-
-            secretsFile = lib.mkOption {
-              type = lib.types.path;
-              description = "Path to the ragenix-managed secrets file";
-            };
-
-            dataDir = lib.mkOption {
-              type = lib.types.str;
-              default = "/var/lib/usda-vision";
-              description = "Directory for USDA Vision application data";
-            };
-          };
-
-          config = lib.mkIf config.services.usda-vision.enable {
-            environment.systemPackages = [
-              usda-vision-package
-              camera-sdk
-              pkgs.docker-compose
-            ];
-
-            environment.variables.LD_LIBRARY_PATH = "${camera-sdk}/lib";
-
-            virtualisation.docker = {
-              enable = true;
-              autoPrune.enable = true;
-            };
-
-            systemd.services.usda-vision = {
-              description = "USDA Vision Docker Compose Stack";
-              after = [ "docker.service" "network-online.target" ];
-              wants = [ "network-online.target" ];
-              wantedBy = [ "multi-user.target" ];
-
-              preStart = ''
-                # Sync application code
-                ${pkgs.rsync}/bin/rsync -av --delete \
-                  --checksum \
-                  --exclude='node_modules' \
-                  --exclude='.env' \
-                  --exclude='__pycache__' \
-                  --exclude='.venv' \
-                  ${usda-vision-package}/opt/usda-vision/ ${config.services.usda-vision.dataDir}/
-
-                # Copy secrets if managed by ragenix
-                if [ -f "${config.services.usda-vision.secretsFile}" ]; then
-                  cp "${config.services.usda-vision.secretsFile}" ${config.services.usda-vision.dataDir}/.env
-                fi
-              '';
-
-              serviceConfig = {
-                Type = "oneshot";
-                RemainAfterExit = true;
-                WorkingDirectory = config.services.usda-vision.dataDir;
-                ExecStart = "${pkgs.docker-compose}/bin/docker-compose up -d --build";
-                ExecStop = "${pkgs.docker-compose}/bin/docker-compose down";
-                TimeoutStartSec = 300;
-              };
-            };
-          };
-        };
       }
     );
 }
diff --git a/package.nix b/package.nix
index b0e9730..d83cdf7 100644
--- a/package.nix
+++ b/package.nix
@@ -48,8 +48,6 @@ stdenv.mkDerivation {
     if [ -f $src/docker-compose.yml ]; then
       # Basic path replacements with sed
       ${gnused}/bin/sed \
-        -e 's|env_file:.*management-dashboard-web-app/\.env|env_file: /var/lib/usda-vision/.env|g' \
-        -e 's|\./management-dashboard-web-app/\.env|/var/lib/usda-vision/.env|g' \
        -e 's|\./management-dashboard-web-app|/var/lib/usda-vision/management-dashboard-web-app|g' \
        -e 's|\./media-api|/var/lib/usda-vision/media-api|g' \
        -e 's|\./video-remote|/var/lib/usda-vision/video-remote|g' \
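Review bot: The shell hook still prints `echo "To edit secrets: ragenix -e secrets/env.age"` two lines above the new NOTE, while the two removed echo lines drop ragenix and age from the advertised commands and the earlier hunk removes both packages from the dev shell, so this instruction now points at a tool the shell no longer provides and contradicts the NOTE that follows it. Either delete that line or fold it into the NOTE so there is a single, accurate statement, e.g. `echo "NOTE: secrets (secrets/env.age) are managed with ragenix from athenix; this shell does not ship ragenix or age"`. The enclosing devShell definition starts before this hunk.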
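Review bot: With both `env_file` rewrites gone, the remaining `\./management-dashboard-web-app` substitution on the next line will, if docker-compose.yml still carries an `env_file: ./management-dashboard-web-app/.env` entry, turn it into `/var/lib/usda-vision/management-dashboard-web-app/.env`, a path inside the synced tree that nothing visible in this patch populates, so the stack would come up with its secrets silently missing. If the intent is that the deploying module supplies the env file reference, record that contract in the comment above the sed call, e.g. `# env_file entries are intentionally left untouched; the deploying module must provide them`, and consider failing the build when the compose file still names a relative .env rather than leaving a dangling path. The sed invocation continues past the end of this hunk.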