remove the last remnants of the old secrets
system.
using SOPS exclusively now
This commit is contained in:
parent
ff002c3197
commit
492506ab01
7
TODO.md
7
TODO.md
|
@ -2,7 +2,6 @@
|
|||
- set firefox default search engine
|
||||
- iron out video drivers
|
||||
- emoji picker application
|
||||
- emoji font (Font Awesome) for sway status bar
|
||||
- find a Masto/Pleroma app which works on mobile
|
||||
|
||||
# cleanup
|
||||
|
@ -16,9 +15,3 @@
|
|||
overlays = [{ ... }: {
|
||||
nixpkgs.crossSystem.system = "aarch64-linux";
|
||||
}];
|
||||
|
||||
# better secrets management? read:
|
||||
- decrypted at activation time: https://github.com/Mic92/sops-nix
|
||||
less promising:
|
||||
- https://christine.website/blog/nixos-encrypted-secrets-2021-01-20
|
||||
- git-crypt (https://github.com/bobbbay/dotfiles.git)
|
||||
|
|
|
@ -65,7 +65,7 @@
|
|||
nixosSystem = import (patchedPkgs + "/nixos/lib/eval-config.nix");
|
||||
in (nixosSystem {
|
||||
inherit system;
|
||||
specialArgs = { inherit home-manager; inherit nurpkgs; secrets = import ./secrets/default.nix; };
|
||||
specialArgs = { inherit home-manager nurpkgs; };
|
||||
modules = [
|
||||
./configuration.nix
|
||||
./modules
|
||||
|
@ -82,13 +82,13 @@
|
|||
# boot, checkout this flake into /etc/nixos AND UPDATE THE UUIDS IT REFERENCES.
|
||||
# then `nixos-rebuild ...`
|
||||
decl-img = { name, system, extraModules ? [] }: (
|
||||
(self.decl-machine { inherit name; inherit system; extraModules = extraModules ++ [./image.nix]; })
|
||||
(self.decl-machine { inherit name system; extraModules = extraModules ++ [./image.nix]; })
|
||||
.config.system.build.raw
|
||||
);
|
||||
|
||||
decl-bootable-machine = { name, system }: {
|
||||
nixosConfiguration = self.decl-machine { inherit name; inherit system; };
|
||||
img = self.decl-img { inherit name; inherit system; };
|
||||
nixosConfiguration = self.decl-machine { inherit name system; };
|
||||
img = self.decl-img { inherit name system; };
|
||||
};
|
||||
|
||||
overlaysModule = system: { config, pkgs, ...}: {
|
||||
|
|
|
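Review bot: Dropping `secrets` from `specialArgs = { inherit home-manager nurpkgs; };` will break evaluation of any module under ./modules or ./configuration.nix that still names `secrets` in its argument set, and this diff touches no module file, so that is worth confirming with the `nix flake show` the README already documents. The change itself is the right direction: values imported at evaluation time tend to end up in world-readable derivation outputs, whereas the sops-nix path the TODO describes decrypts at activation, so a one-line comment would make the intent durable, e.g. `# secrets are not passed via specialArgs; sops-nix decrypts them at activation (see helpers/universal/secrets.nix)`. The surrounding decl-machine and decl-bootable-machine bodies extend outside the visible hunks.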
@ -1,5 +1,3 @@
|
|||
after checking out, drop secrets into secrets/
|
||||
|
||||
to build:
|
||||
```sh
|
||||
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
|
||||
|
@ -13,11 +11,8 @@ nix flake show
|
|||
|
||||
# secrets
|
||||
|
||||
`secrets/default.nix` declares the secrets exposed at evaluation time.
|
||||
these are defined *outside* git by writing the actual values to `secrets/local.nix`.
|
||||
|
||||
*don't* check in the local.nix file. use `git update-index --assume-unchanged secrets/local.nix` to prevent it from ever being added.
|
||||
but after that you can set them to their real value and run `git update-index --assume-unchanged secrets/*`
|
||||
we use [sops](https://github.com/Mic92/sops-nix) for secrets.
|
||||
see helpers/universal/secrets.nix for some tips.
|
||||
|
||||
## building images
|
||||
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
{
|
||||
} // import ./local.nix
|
|
@ -1,3 +0,0 @@
|
|||
{
|
||||
# populate secrets on a per-machine basis below (and don't push changes to this file to git)
|
||||
}
|