General: add git-crypt secrets
parent
a14cfdf9e6
commit
d2d7fed25d
10
README.md
10
README.md
|
@ -9,13 +9,9 @@ A full set of configuration files managed via NixOS. This project is an **unoffi
|
||||||
|
|
||||||
### Note on secrets management
|
### Note on secrets management
|
||||||
|
|
||||||
Secrets are stored in a separate repo called `secrets`, which is included here as a flake input. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.
|
Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets.
|
||||||
|
|
||||||
Initialize the submodule with:
|
Note: This is a poor man's secret management solution. These secrets will be world-readable in the `/nix/store/`.
|
||||||
|
|
||||||
```sh
|
|
||||||
git submodule update --init --recursive
|
|
||||||
```
|
|
||||||
|
|
||||||
### First-time installation
|
### First-time installation
|
||||||
|
|
||||||
|
@ -83,7 +79,7 @@ To enable root builds on a host, add this to its config:
|
||||||
nix.distributedBuilds = true;
|
nix.distributedBuilds = true;
|
||||||
```
|
```
|
||||||
|
|
||||||
For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `nix-secrets`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
|
For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `modules/secrets.nix`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
|
||||||
|
|
||||||
If you want to ensure a build happens on a remote system, you can use:
|
If you want to ensure a build happens on a remote system, you can use:
|
||||||
|
|
||||||
|
|
19
flake.lock
19
flake.lock
|
@ -366,8 +366,7 @@
|
||||||
"nix-flatpak": "nix-flatpak",
|
"nix-flatpak": "nix-flatpak",
|
||||||
"nixos-hardware": "nixos-hardware",
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs_2",
|
||||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
"nixpkgs-unstable": "nixpkgs-unstable"
|
||||||
"secrets": "secrets"
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"rust-overlay": {
|
"rust-overlay": {
|
||||||
|
@ -395,22 +394,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"secrets": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1726240258,
|
|
||||||
"narHash": "sha256-kdESoz3wOmRxcSCFC7JttpR75s+2mEoK4nSW2LZxt5o=",
|
|
||||||
"ref": "refs/heads/main",
|
|
||||||
"rev": "98c890dfd160353f4f1b2490263edf3deeb43a27",
|
|
||||||
"revCount": 76,
|
|
||||||
"type": "git",
|
|
||||||
"url": "file:./secrets"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"type": "git",
|
|
||||||
"url": "file:./secrets"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"systems": {
|
"systems": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1681028828,
|
"lastModified": 1681028828,
|
||||||
|
|
|
@ -33,12 +33,6 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
# "Secrets management"
|
|
||||||
secrets = {
|
|
||||||
url = "git+file:./secrets";
|
|
||||||
flake = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Repository for Gnome triple buffering patch
|
# Repository for Gnome triple buffering patch
|
||||||
# For details, see https://wiki.nixos.org/wiki/GNOME#Dynamic_triple_buffering
|
# For details, see https://wiki.nixos.org/wiki/GNOME#Dynamic_triple_buffering
|
||||||
gnome-triplebuffering = {
|
gnome-triplebuffering = {
|
||||||
|
@ -55,7 +49,6 @@
|
||||||
nix-flatpak,
|
nix-flatpak,
|
||||||
nixos-hardware,
|
nixos-hardware,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
secrets,
|
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
@ -69,7 +62,6 @@
|
||||||
# Define shared modules and imports
|
# Define shared modules and imports
|
||||||
defaultModules = [
|
defaultModules = [
|
||||||
./modules/autoimport.nix
|
./modules/autoimport.nix
|
||||||
(import secrets)
|
|
||||||
lix-module.nixosModules.default
|
lix-module.nixosModules.default
|
||||||
lanzaboote.nixosModules.lanzaboote
|
lanzaboote.nixosModules.lanzaboote
|
||||||
nix-flatpak.nixosModules.nix-flatpak
|
nix-flatpak.nixosModules.nix-flatpak
|
||||||
|
|
|
@ -12,6 +12,7 @@
|
||||||
# Install base packages
|
# Install base packages
|
||||||
aux.system.packages = with pkgs; [
|
aux.system.packages = with pkgs; [
|
||||||
fastfetch # Show a neat system statistics screen when opening a terminal
|
fastfetch # Show a neat system statistics screen when opening a terminal
|
||||||
|
git-crypt # Secrets management
|
||||||
htop # System monitor
|
htop # System monitor
|
||||||
zellij # Terminal multiplexer
|
zellij # Terminal multiplexer
|
||||||
];
|
];
|
||||||
|
|
BIN
modules/secrets/Freight-20240828T164047Z-001.zip
Normal file
BIN
modules/secrets/Freight-20240828T164047Z-001.zip
Normal file
Binary file not shown.
BIN
modules/secrets/default.nix
Normal file
BIN
modules/secrets/default.nix
Normal file
Binary file not shown.
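Review bot: `modules/secrets/default.nix` lands here as a git-crypt blob (the forge renders it as binary), and because this commit also drops `(import secrets)` from `defaultModules` it is presumably picked up by `./modules/autoimport.nix` — on any host whose checkout has not been unlocked the evaluator would then try to parse ciphertext and the entire configuration fails to evaluate, not just the secrets module. The `.gitattributes` entry that tells git-crypt which paths to encrypt is not part of this diff; if it was added in the parent commit that is fine, but if it is missing the next change to this directory would be committed in plaintext, so worth confirming. The README hunk also points readers at `modules/secrets.nix` while the file added is `modules/secrets/default.nix`; I would change that reference to `modules/secrets/default.nix`.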
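--- a/packages/freight-pro.nix
+++ b/packages/freight-pro.nix
@@ -0,0 +1,25 @@
+{ stdenv, pkgs }:
+
+stdenv.mkDerivation rec {
+pname = "freight-pro-fonts";
+version = "20240828T164047Z-001";
+nativeBuildInputs = [ pkgs.unzip ];
+buildInputs = [ pkgs.unzip ];
+
+src = ../modules/secrets/Freight-20240828T164047Z-001.zip;
+
+unpackPhase = ''
+runHook preUnpack
+${pkgs.unzip}/bin/unzip $src
+
+runHook postUnpack
+'';
+
+installPhase = ''
+runHook preInstall
+
+install -Dm644 ${pname}-${version}/*.otf -t $out/share/fonts/opentype
+
+runHook postInstall
+'';
+}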
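Review bot: `src = ../modules/secrets/Freight-20240828T164047Z-001.zip` points at a git-crypt-managed file, so on a host whose checkout has not been unlocked the path still evaluates but holds ciphertext and the build only fails later inside `unzip` with an unhelpful error; in addition, whatever is decrypted is copied into the world-readable `/nix/store`, which the README caveat covers but nothing in this file says. I would add above `src`: `# git-crypt-managed: needs an unlocked checkout; the decrypted archive and fonts end up world-readable in /nix/store`. On style, the custom `unpackPhase` reimplements what stdenv already does for `.zip` sources once `unzip` is in `nativeBuildInputs`, and `buildInputs = [ pkgs.unzip ]` is redundant since unzip is only needed at build time. The `install -Dm644 ${pname}-${version}/*.otf` path assumes the archive extracts to a `freight-pro-fonts-20240828T164047Z-001` directory, which differs from the archive's own base name; I cannot see the zip contents, so that is worth confirming.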
1
secrets
1
secrets
|
@ -1 +0,0 @@
|
||||||
Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27
|
|