General: add git-crypt secrets

2024-09-21 12:40:45 -04:00 · 2024-09-21 12:40:45 -04:00 · d2d7fed25d
parent a14cfdf9e6
commit d2d7fed25d
8 changed files with 30 additions and 34 deletions
--- a/README.md
+++ b/README.md
@ -9,13 +9,9 @@ A full set of configuration files managed via NixOS. This project is an **unoffi

 ### Note on secrets management

-Secrets are stored in a separate repo called `secrets`, which is included here as a flake input. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.
+Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets.

-Initialize the submodule with:
-
-```sh
-git submodule update --init --recursive
-```
+Note: This is a poor man's secret management solution. These secrets will be world-readable in the `/nix/store/`.

 ### First-time installation

@ -83,7 +79,7 @@ To enable root builds on a host, add this to its config:
 nix.distributedBuilds = true;
 ```

-For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `nix-secrets`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
+For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `modules/secrets.nix`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).

 If you want to ensure a build happens on a remote system, you can use:

--- a/flake.lock
+++ b/flake.lock
@ -366,8 +366,7 @@
        "nix-flatpak": "nix-flatpak",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable",
-        "secrets": "secrets"
+        "nixpkgs-unstable": "nixpkgs-unstable"
      }
    },
    "rust-overlay": {
@ -395,22 +394,6 @@
        "type": "github"
      }
    },
-    "secrets": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1726240258,
-        "narHash": "sha256-kdESoz3wOmRxcSCFC7JttpR75s+2mEoK4nSW2LZxt5o=",
-        "ref": "refs/heads/main",
-        "rev": "98c890dfd160353f4f1b2490263edf3deeb43a27",
-        "revCount": 76,
-        "type": "git",
-        "url": "file:./secrets"
-      },
-      "original": {
-        "type": "git",
-        "url": "file:./secrets"
-      }
-    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -33,12 +33,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    # "Secrets management"
-    secrets = {
-      url = "git+file:./secrets";
-      flake = false;
-    };
-
    # Repository for Gnome triple buffering patch
    # For details, see https://wiki.nixos.org/wiki/GNOME#Dynamic_triple_buffering
    gnome-triplebuffering = {
@ -55,7 +49,6 @@
      nix-flatpak,
      nixos-hardware,
      nixpkgs,
-      secrets,
      ...
    }:
    let
@ -69,7 +62,6 @@
      # Define shared modules and imports
      defaultModules = [
        ./modules/autoimport.nix
-        (import secrets)
        lix-module.nixosModules.default
        lanzaboote.nixosModules.lanzaboote
        nix-flatpak.nixosModules.nix-flatpak
--- a/modules/common.nix
+++ b/modules/common.nix
@ -12,6 +12,7 @@
    # Install base packages
    aux.system.packages = with pkgs; [
      fastfetch # Show a neat system statistics screen when opening a terminal
+      git-crypt # Secrets management
      htop # System monitor
      zellij # Terminal multiplexer
    ];
--- a/modules/secrets/Freight-20240828T164047Z-001.zip
+++ b/modules/secrets/Freight-20240828T164047Z-001.zip
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
--- a/packages/freight-pro.nix
+++ b/packages/freight-pro.nix
@ -0,0 +1,25 @@
+{ stdenv, pkgs }:
+
+stdenv.mkDerivation rec {
+  pname = "freight-pro-fonts";
+  version = "20240828T164047Z-001";
+  nativeBuildInputs = [ pkgs.unzip ];
+  buildInputs = [ pkgs.unzip ];
+
+  src = ../modules/secrets/Freight-20240828T164047Z-001.zip;
+
+  unpackPhase = ''
+    runHook preUnpack
+    ${pkgs.unzip}/bin/unzip $src
+
+    runHook postUnpack
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -Dm644 ${pname}-${version}/*.otf -t $out/share/fonts/opentype
+
+    runHook postInstall
+  '';
+}
--- a/1
+++ b/1
@ -1 +0,0 @@
-Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27
				`@ -1 +0,0 @@`
				`Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27`