update secrets documentation

2022-05-27 01:01:06 -07:00
parent 27f1360681
commit 0b3e7a2c4a
3 changed files with 9 additions and 9 deletions
--- a/TODO.md
+++ b/TODO.md
@@ -13,3 +13,7 @@
   overlays = [{ ... }: {
     nixpkgs.crossSystem.system = "aarch64-linux";
   }];
+
+# better secrets management? read:
+- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
+- git-crypt (https://github.com/bobbbay/dotfiles.git)
--- a/readme.md
+++ b/readme.md
@@ -12,7 +12,11 @@ nix flake show


 # secrets
-change files in secrets/. they need to be checked into git with some placeholder text for them to be exposed to the flake,
+
+`secrets/default.nix` declares the secrets exposed at evaluation time.
+these are defined *outside* git by writing the actual values to `secrets/local.nix`.
+
+*don't* check in the local.nix file. use `git update-index --assume-unchanged secrets/local.nix` to prevent it from ever being added.
 but after that you can set them to their real value and run `git update-index --assume-unchanged secrets/*`

 ## building images
--- a/secrets/readme.md
+++ b/secrets/readme.md
@@ -1,8 +0,0 @@
-populate the files here which are referenced from the rest of the nix config.
-
-after modifying them, run `git update-index --assume-unchanged secrets/local.nix`
-
-hacky secrets management. TODO: read:
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
- git-crypt (https://github.com/bobbbay/dotfiles.git)
-