diff --git a/README.md b/README.md
index b1ec0ac..08586a8 100644
--- a/README.md
+++ b/README.md
@@ -9,13 +9,9 @@ A full set of configuration files managed via NixOS. This project is an **unoffi
 ### Note on secrets management
-Secrets are stored in a separate repo called `secrets`, which is included here as a flake input. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.
+Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets.
-Initialize the submodule with:
-
-```sh
-git submodule update --init --recursive
-```
+Note: This is a poor man's secret management solution. These secrets will be world-readable in the `/nix/store/`.
 ### First-time installation
@@ -83,7 +79,7 @@ To enable root builds on a host, add this to its config:
 nix.distributedBuilds = true;
 ```
-For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `nix-secrets`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
+For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `modules/secrets.nix`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
 If you want to ensure a build happens on a remote system, you can use:
diff --git a/flake.lock b/flake.lock
index 5def222..f4d58c2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -366,8 +366,7 @@ "nix-flatpak": "nix-flatpak", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable", - "secrets": "secrets" + "nixpkgs-unstable": "nixpkgs-unstable" } }, "rust-overlay": {
@@ -395,22 +394,6 @@ "type": "github" } }, - "secrets": { - "flake": false, - "locked": { - "lastModified": 1726240258, - "narHash": "sha256-kdESoz3wOmRxcSCFC7JttpR75s+2mEoK4nSW2LZxt5o=", - "ref": "refs/heads/main", - "rev": "98c890dfd160353f4f1b2490263edf3deeb43a27", - "revCount": 76, - "type": "git", - "url": "file:./secrets" - }, - "original": { - "type": "git", - "url": "file:./secrets" - } - }, "systems": { "locked": { "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index 5c87e74..85f919c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,12 +33,6 @@
 inputs.nixpkgs.follows = "nixpkgs"; };
- # "Secrets management"
- secrets = {
- url = "git+file:./secrets";
- flake = false;
- };
-
 # Repository for Gnome triple buffering patch # For details, see https://wiki.nixos.org/wiki/GNOME#Dynamic_triple_buffering gnome-triplebuffering = {
@@ -55,7 +49,6 @@
 nix-flatpak, nixos-hardware, nixpkgs,
- secrets,
 ... }: let
@@ -69,7 +62,6 @@
 # Define shared modules and imports defaultModules = [ ./modules/autoimport.nix
- (import secrets)
 lix-module.nixosModules.default lanzaboote.nixosModules.lanzaboote nix-flatpak.nixosModules.nix-flatpak
diff --git a/modules/common.nix b/modules/common.nix
index e7ef71d..7561b26 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -12,6 +12,7 @@ # Install base packages aux.system.packages = with pkgs; [ fastfetch # Show a neat system statistics screen when opening a terminal + git-crypt # Secrets management htop # System monitor zellij # Terminal multiplexer ];
diff --git a/modules/secrets/Freight-20240828T164047Z-001.zip b/modules/secrets/Freight-20240828T164047Z-001.zip
new file mode 100644
index 0000000..cffad6c
Binary files /dev/null and b/modules/secrets/Freight-20240828T164047Z-001.zip differ
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..8e8c01b
Binary files /dev/null and b/modules/secrets/default.nix differ
diff --git a/packages/freight-pro.nix b/packages/freight-pro.nix
new file mode 100644
index 0000000..fe4dd67
--- /dev/null
+++ b/packages/freight-pro.nix
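Review bot: The comment on the added `git-crypt # Secrets management` line in modules/common.nix names the tool but not the operational contract a reader of this package list needs: per the README change in this commit, the package only decrypts `modules/secrets` in the working tree when the key file is present on the host, and that key is not provisioned by this configuration. A more useful comment would be `git-crypt # Decrypts modules/secrets in the working tree; the key file is provisioned out-of-band (see README)`. It is also worth stating next to it that installing the tool does not change the README's caveat that decrypted secrets end up world-readable in the Nix store once the flake is evaluated, so the key file itself should never be committed or copied into the store.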
@@ -0,0 +1,25 @@
+{ stdenv, pkgs }:
+
+stdenv.mkDerivation rec {
+ pname = "freight-pro-fonts";
+ version = "20240828T164047Z-001";
+ nativeBuildInputs = [ pkgs.unzip ];
+ buildInputs = [ pkgs.unzip ];
+
+ src = ../modules/secrets/Freight-20240828T164047Z-001.zip;
+
+ unpackPhase = ''
+ runHook preUnpack
+ ${pkgs.unzip}/bin/unzip $src
+
+ runHook postUnpack
+ '';
+
+ installPhase = ''
+ runHook preInstall
+
+ install -Dm644 ${pname}-${version}/*.otf -t $out/share/fonts/opentype
+
+ runHook postInstall
+ '';
+}
diff --git a/secrets b/secrets
deleted file mode 160000
index 98c890d..0000000
--- a/secrets
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27
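Review bot: The `install -Dm644 ${pname}-${version}/*.otf` line in installPhase globs a directory named `freight-pro-fonts-20240828T164047Z-001`, while the archive is `Freight-20240828T164047Z-001.zip`; unless the zip really extracts to a directory named after pname (which cannot be seen from here), the glob matches nothing and `install` fails on the literal pattern. `unzip` is listed in both `nativeBuildInputs` and `buildInputs`, but it is a build-time tool only, and its setup hook lets the default unpackPhase extract `.zip` sources, so the custom `unpackPhase` and the `buildInputs` entry can be dropped. The `src` line points into the git-crypt protected `modules/secrets`, so on a host where the repo is locked the path still exists but holds the encrypted blob and the failure surfaces as an opaque unzip error at build time; a comment there, e.g. `# Licensed font kept in the encrypted modules/secrets; if the repo is locked this is ciphertext and unzip fails`, would save the next person a confusing debug session. Since this is a derivation, the decrypted font also lands in the Nix store (and in any binary cache the store is pushed to), which is the README caveat applied to this file. The rewrite below installs by extension instead of guessing the extracted directory name and fails the build if no fonts were found.
```nix
{ stdenv, pkgs }:

stdenv.mkDerivation rec {
  pname = "freight-pro-fonts";
  version = "20240828T164047Z-001";
  # unzip is a build-time tool only; its setup hook also teaches the default
  # unpackPhase to extract .zip sources, so no custom unpackPhase is needed.
  nativeBuildInputs = [ pkgs.unzip ];

  # Licensed font kept in the encrypted modules/secrets; if the repo is locked
  # this path is ciphertext and unzip fails at build time.
  src = ../modules/secrets/Freight-20240828T164047Z-001.zip;
  # The archive layout is not known here, so do not rely on a single
  # top-level directory being present after unpacking.
  sourceRoot = ".";

  installPhase = ''
    runHook preInstall
    # Locate fonts by extension instead of guessing the extracted directory
    # name, and fail the build if nothing was installed.
    find . -name '*.otf' -exec install -Dm644 {} -t $out/share/fonts/opentype \;
    test -n "$(ls -A $out/share/fonts/opentype 2>/dev/null)" || { echo "no .otf files found in $src" >&2; exit 1; }
    runHook postInstall
  '';
}
```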