I'm an idiot. I could've just used fetchgit and a submodule this whole time.

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "nix-secrets"]
+	path = nix-secrets
+	url = ssh://git@code.8bitbuddhism.com:22222/andre/nix-secrets.git

README.md

@@ -6,32 +6,30 @@ A full set of configuration files managed via NixOS. This project follows the ge
 
 ### Note on secrets management
 
-Secrets are stored in a separate repo called `nix-secrets`, which gets pulled automagically for all configs. See `hosts/common/default.nix`. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.
+Secrets are stored in a separate repo called `nix-secrets`, which is included here as a submodule. It gets pulled into the main config via `hosts/common/default.nix`. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.
 
-### Building the system
+Initialize the submodule with:
 
-When using nix-secrets, we need to separate the build process into two steps (because of secrets being stored in a private repo; the alternative is to give root access to the private repo on all hosts). First step is to create the build by running this as `aires`:
-
-```zsh
-nixos-rebuild build --flake .#Shura
+```sh
+git submodule update --init --recursive
 ```
 
-When the build is done, run this command as root:
+### Applying the configuration
 
-```zsh
-sudo ./result/bin/switch-to-configuration switch
+To apply the config for the first time (e.g. on a fresh install), run this command, replacing `Shura` with the name of the host:
+
+```sh
+sudo nixos-rebuild switch --flake .#Shura
+```
+
+For subsequent builds, you can omit the hostname:
+
+```sh
+sudo nixos-rebuild switch --flake .
 ```
 
 `switch` replaces the running system immediately, or you can use `boot` to only apply the switch during the next reboot. After applying the build at least once (or setting the hostname manually), you can omit the hostname from the command and just run `nixos-rebuild build --flake .`
 
-#### Normal build process
-
-Normally (without a secret GitHub repo) you'd just use `sudo nixos-rebuild` like so:
-
-```zsh
-sudo nixos-rebuild switch --flake .#Shura
-```
-
 ### Testing
 
 To quickly validate the configuration, create a dry build. This builds the config without actually adding it to the system:
@@ -51,7 +49,7 @@ nixos-rebuild build-vm --flake .
 `flake.lock` locks the version of any packages/modules used. To update them, run `nix flake update` first:
 
 ```zsh
-nix flake update && nixos-rebuild build --flake . && sudo ./result/bin/switch-to-configuration switch
+nix flake update && sudo nixos-rebuild switch --flake .
 ```
 
 Home-manager also installs a ZSH alias, so you can just run `update` or `upgrade` for the same effect.

hosts/common/default.nix

@@ -1,9 +1,9 @@
 { lib, ... }: 
 let
-  # Fetch secrets.
-  # NOTE: This requires access to a private repo. Make sure you generate the build as `aires`, then switch to it as root.
+  # Fetch secrets
+  # IMPORTANT: Make sure this repo exists on the filesystem first!
   nix-secrets = builtins.fetchGit {
-    url = "ssh://git@code.8bitbuddhism.com:22222/andre/nix-secrets.git";
+  	url = "/home/aires/Development/nix-configuration/nix-secrets";
     ref = "main";
     rev = "75076eba4de5d8539cc1a2a85bf3924c9ae4b7b9";
   };

modules/base/system.nix

@@ -35,47 +35,7 @@ with lib;
 			};
 		};
 
-    # Enable automatic updates. I'm using a weird setup here to account for pulling secrets from a private repo, which requires aires' SSH keys.
-    systemd.services = {
-      "nixos-rebuild" = {
-        script = ''
-          ${pkgs.nixos-rebuild}/bin/nixos-rebuild build --flake .
-        '';
-		path = [ "/run/current-system/sw" ];
-        serviceConfig = {
-          Type = "oneshot";
-          User = "${config.users.users.aires.name}";
-          WorkingDirectory = "${config.users.users.aires.home}/Development/nix-configuration";
-        };
-      };
-
-      "nixos-activate" = {
-        script = ''
-          ${config.users.users.aires.home}/Development/nix-configuration/result/bin/switch-to-configuration switch
-        '';
-		path = [ "/run/current-system/sw" ];
-        requires = [ "nixos-rebuild.service" ];
-        serviceConfig = {
-          Type = "oneshot";
-          User = "${config.users.users.root.name}";
-          WorkingDirectory = "${config.users.users.aires.home}/Development/nix-configuration";
-        };
-      };
-    };
-    systemd.timers = {
-      "nixos-update" = {
-        wantedBy = [ "timers.target" ];
-        wants = [ "network-online.target" ];
-        timerConfig = {
-          Unit = "nixos-activate.service";
-          OnCalendar = "daily";
-          Persistent = true; 
-        };
-      };
-    };
-
-		# Configure automatic updates (deprecated in favor of systemd timers)
-    /*
+		# Configure automatic updates
 		system = {
 			# Enable automatic updates
 			autoUpgrade = {
@@ -92,7 +52,6 @@ with lib;
 				allowReboot = false;
 			};
 		};
-    */
 
 		# Set your time zone.
 		time.timeZone = "America/New_York";

nix-secrets

@@ -0,0 +1 @@
+Subproject commit 75076eba4de5d8539cc1a2a85bf3924c9ae4b7b9