remove the last remnants of the old secrets
system.
using SOPS exclusively now
parent
ff002c3197
commit
492506ab01
7
TODO.md
7
TODO.md
|
@ -2,7 +2,6 @@
|
||||||
- set firefox default search engine
|
- set firefox default search engine
|
||||||
- iron out video drivers
|
- iron out video drivers
|
||||||
- emoji picker application
|
- emoji picker application
|
||||||
- emoji font (Font Awesome) for sway status bar
|
|
||||||
- find a Masto/Pleroma app which works on mobile
|
- find a Masto/Pleroma app which works on mobile
|
||||||
|
|
||||||
# cleanup
|
# cleanup
|
||||||
|
@ -16,9 +15,3 @@
|
||||||
overlays = [{ ... }: {
|
overlays = [{ ... }: {
|
||||||
nixpkgs.crossSystem.system = "aarch64-linux";
|
nixpkgs.crossSystem.system = "aarch64-linux";
|
||||||
}];
|
}];
|
||||||
|
|
||||||
# better secrets management? read:
|
|
||||||
- decrypted at activation time: https://github.com/Mic92/sops-nix
|
|
||||||
less promising:
|
|
||||||
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
|
|
||||||
- git-crypt (https://github.com/bobbbay/dotfiles.git)
|
|
||||||
|
|
|
@ -65,7 +65,7 @@
|
||||||
nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
|
nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
|
||||||
in (nixosSystem {
|
in (nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; };
|
specialArgs = { inherit home-manager nurpkgs; };
|
||||||
modules = [
|
modules = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
./modules
|
./modules
|
||||||
|
@ -82,13 +82,13 @@
|
||||||
# boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES.
|
# boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES.
|
||||||
# then `nixos-rebuild ...`
|
# then `nixos-rebuild ...`
|
||||||
decl-img = { name, system, extraModules ? [] }: (
|
decl-img = { name, system, extraModules ? [] }: (
|
||||||
(self.decl-machine { inherit name; inherit system; extraModules = extraModules ++ [./image.nix]; })
|
(self.decl-machine { inherit name system; extraModules = extraModules ++ [./image.nix]; })
|
||||||
.config.system.build.raw
|
.config.system.build.raw
|
||||||
);
|
);
|
||||||
|
|
||||||
decl-bootable-machine = { name, system }: {
|
decl-bootable-machine = { name, system }: {
|
||||||
nixosConfiguration = self.decl-machine { inherit name; inherit system; };
|
nixosConfiguration = self.decl-machine { inherit name system; };
|
||||||
img = self.decl-img { inherit name; inherit system; };
|
img = self.decl-img { inherit name system; };
|
||||||
};
|
};
|
||||||
|
|
||||||
overlaysModule = system: { config, pkgs, ...}: {
|
overlaysModule = system: { config, pkgs, ...}: {
|
||||||
|
|
|
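Review bot: The `specialArgs` line in the `@ -65,7 +65,7 @@` hunk drops `secrets = import ./secrets/default.nix`, and with the two `secrets/*.nix` files deleted the plaintext `secrets/local.nix` that the old readme had operators write and hide with `git update-index --assume-unchanged` is now neither tracked nor ignored, so a leftover copy shows up as an untracked file that is one `git add` away from being committed. Nothing in these hunks adds an ignore rule for it, so I would pair this change with a `.gitignore` entry such as `secrets/local.nix` (or the whole `secrets/` directory) and tell operators to delete the old plaintext file rather than leave it in the checkout. Separately, because the flake was evaluated from a checkout in which `local.nix` was a tracked file with local modifications, its real values were presumably copied into the Nix store along with the rest of the source on every build, so hosts that built the old configuration may still hold them in `/nix/store` until those generations are garbage-collected; that is worth confirming and cleaning up. The `inherit home-manager nurpkgs;` merge in the same line is behaviour-preserving and fine. The enclosing `let … in` expression starts before this hunk and the `modules = [` list continues after it.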
@ -1,5 +1,3 @@
|
||||||
after checking out, drop secrets into secrets/
|
|
||||||
|
|
||||||
to build:
|
to build:
|
||||||
```sh
|
```sh
|
||||||
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
|
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
|
||||||
|
@ -13,11 +11,8 @@ nix flake show
|
||||||
|
|
||||||
# secrets
|
# secrets
|
||||||
|
|
||||||
`secrets/default.nix` declares the secrets exposed at evaluation time.
|
we use [sops](https://github.com/Mic92/sops-nix) for secrets.
|
||||||
these are defined *outside* git by writing the actual values to `secrets/local.nix`.
|
see helpers/universal/secrets.nix for some tips.
|
||||||
|
|
||||||
*don't* check in the local.nix file. use `git update-index --assume-unchanged secrets/local.nix` to prevent it from ever being added.
|
|
||||||
but after that you can set them to their real value and run `git update-index --assume-unchanged secrets/*`
|
|
||||||
|
|
||||||
## building images
|
## building images
|
||||||
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
{
|
|
||||||
} // import ./local.nix
|
|
|
@ -1,3 +0,0 @@
|
||||||
{
|
|
||||||
# populate secrets on a per-machine basis below (and don't push changes to this file to git)
|
|
||||||
}
|
|