remove the last remnants of the old secrets system.

using SOPS exclusively now
2022-06-08 17:07:48 -07:00 · 2022-06-08 17:07:48 -07:00 · 492506ab01
commit 492506ab01
parent ff002c3197
5 changed files with 6 additions and 23 deletions
--- a/TODO.md
+++ b/TODO.md
@ -2,7 +2,6 @@
 - set firefox default search engine
 - iron out video drivers
 - emoji picker application
- emoji font (Font Awesome) for sway status bar
 - find a Masto/Pleroma app which works on mobile

 # cleanup
@ -16,9 +15,3 @@
   overlays = [{ ... }: {
     nixpkgs.crossSystem.system = "aarch64-linux";
   }];
-
-# better secrets management? read:
- decrypted at activation time: https://github.com/Mic92/sops-nix
-less promising:
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
- git-crypt (https://github.com/bobbbay/dotfiles.git)
--- a/flake.nix
+++ b/flake.nix
@ -65,7 +65,7 @@
      nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
      in (nixosSystem {
        inherit system;
-        specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; };
+        specialArgs = { inherit home-manager nurpkgs; };
        modules = [
          ./configuration.nix
          ./modules
@ -82,13 +82,13 @@
    #   boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES.
    #   then `nixos-rebuild ...`
    decl-img = { name, system, extraModules ? [] }: (
-      (self.decl-machine { inherit name; inherit system; extraModules = extraModules ++ [./image.nix]; })
+      (self.decl-machine { inherit name system; extraModules = extraModules ++ [./image.nix]; })
        .config.system.build.raw
    );

    decl-bootable-machine = { name, system }: {
-      nixosConfiguration = self.decl-machine { inherit name; inherit system; };
-      img = self.decl-img { inherit name; inherit system; };
+      nixosConfiguration = self.decl-machine { inherit name system; };
+      img = self.decl-img { inherit name system; };
    };

    overlaysModule = system: { config, pkgs, ...}: {
--- a/readme.md
+++ b/readme.md
@ -1,5 +1,3 @@
-after checking out, drop secrets into secrets/
-
 to build:
 ```sh
 nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
@ -13,11 +11,8 @@ nix flake show

 # secrets

-`secrets/default.nix` declares the secrets exposed at evaluation time.
-these are defined *outside* git by writing the actual values to `secrets/local.nix`.
-
-*don't* check in the local.nix file. use `git update-index --assume-unchanged secrets/local.nix` to prevent it from ever being added.
-but after that you can set them to their real value and run `git update-index --assume-unchanged secrets/*`
+we use [sops](https://github.com/Mic92/sops-nix) for secrets.
+see helpers/universal/secrets.nix for some tips.

 ## building images

--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -1,2 +0,0 @@
-{
-} // import ./local.nix
--- a/secrets/local.nix
+++ b/secrets/local.nix
@ -1,3 +0,0 @@
-{
-  # populate secrets on a per-machine basis below (and don't push changes to this file to git)
-}