1.3 KiB
after checking out, drop secrets into secrets/
to build:
nixos-rebuild --flake "/etc/nixos/#uninsane" {build,switch}
query with:
nix flake show
secrets
secrets/default.nix
declares the secrets exposed at evaluation time.
these are defined outside git by writing the actual values to secrets/local.nix
.
don't check in the local.nix file. use git update-index --assume-unchanged secrets/local.nix
to prevent it from ever being added.
but after that you can set them to their real value and run git update-index --assume-unchanged secrets/*
building images
to build a distributable image (GPT-formatted image with rootfs and /boot partition):
nix build .#imgs.lappy
this can then be dd
'd onto a disk and directly booted from a EFI system.
there's some post-processing to do before running a rebuild on the deployed system (e.g. change fstab UUIDs)
refer to flake.nix for more details
admin tips
online: https://nixos.wiki/wiki/Cheatsheet
verify ALL nix store contents with:
sudo nix-store --verify --check-contents # add the --repair flag to auto-repair as well
search for a package with:
nix search nixpkgs <query string>
find which package owns some file with:
nix-locate /bin/vim # or any other package-relative path