9 changed files with 34 additions and 31 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
-modules/secrets/** filter=git-crypt diff=git-crypt
--- a/README.md
+++ b/README.md
@ -9,9 +9,13 @@ A full set of configuration files managed via NixOS. This project is an **unoffi

 ### Note on secrets management

-Secrets are managed using [git-crypt](https://github.com/AGWA/git-crypt). To unlock the repo, use `git-crypt unlock [path to key file]`. git-crypt will transparently encrypt/decrypt files stored in `modules/secrets` going forward, but you'll need this key file on all hosts that are using secrets.
+Secrets are stored in a separate repo called `secrets`, which is included here as a flake input. This is a poor man's secret management solution, but y'know what, it works. These "secrets" will be readable to users on the system with access to the `/nix/store/`, but for single-user systems, it's fine.

-Note: This is a poor man's secret management solution. These secrets will be world-readable in the `/nix/store/`.
+Initialize the submodule with:
+
+```sh
+git submodule update --init --recursive
+```

 ### First-time installation

@ -79,7 +83,7 @@ To enable root builds on a host, add this to its config:
 nix.distributedBuilds = true;
 ```

-For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `modules/secrets.nix`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).
+For hosts where `nix.distributedBuilds` is true, this repo automatically gives the local root user SSH access to an unprivileged user on the build systems. This is configured in `nix-secrets`, but the build systems are defined in [`modules/system/nix.nix`](https://code.8bitbuddhism.com/aires/nix-configuration/src/commit/433821ef0c46f08855a041c3aa97143a954564f5/modules/system/nix.nix#L57).

 If you want to ensure a build happens on a remote system, you can use:

--- a/flake.lock
+++ b/flake.lock
@ -366,7 +366,8 @@
        "nix-flatpak": "nix-flatpak",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-unstable": "nixpkgs-unstable"
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "secrets": "secrets"
      }
    },
    "rust-overlay": {
@ -394,6 +395,22 @@
        "type": "github"
      }
    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1726240258,
+        "narHash": "sha256-kdESoz3wOmRxcSCFC7JttpR75s+2mEoK4nSW2LZxt5o=",
+        "ref": "refs/heads/main",
+        "rev": "98c890dfd160353f4f1b2490263edf3deeb43a27",
+        "revCount": 76,
+        "type": "git",
+        "url": "file:./secrets"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:./secrets"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -33,6 +33,12 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    # "Secrets management"
+    secrets = {
+      url = "git+file:./secrets";
+      flake = false;
+    };
+
    # Repository for Gnome triple buffering patch
    # For details, see https://wiki.nixos.org/wiki/GNOME#Dynamic_triple_buffering
    gnome-triplebuffering = {
@ -49,6 +55,7 @@
      nix-flatpak,
      nixos-hardware,
      nixpkgs,
+      secrets,
      ...
    }:
    let
@ -62,6 +69,7 @@
      # Define shared modules and imports
      defaultModules = [
        ./modules/autoimport.nix
+        (import secrets)
        lix-module.nixosModules.default
        lanzaboote.nixosModules.lanzaboote
        nix-flatpak.nixosModules.nix-flatpak
--- a/modules/common.nix
+++ b/modules/common.nix
@ -12,7 +12,6 @@
    # Install base packages
    aux.system.packages = with pkgs; [
      fastfetch # Show a neat system statistics screen when opening a terminal
-      git-crypt # Secrets management
      htop # System monitor
      zellij # Terminal multiplexer
    ];
--- a/modules/secrets/Freight-20240828T164047Z-001.zip
+++ b/modules/secrets/Freight-20240828T164047Z-001.zip
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
--- a/packages/freight-pro.nix
+++ b/packages/freight-pro.nix
@ -1,25 +0,0 @@
-{ stdenv, pkgs }:
-
-stdenv.mkDerivation rec {
-  pname = "freight-pro-fonts";
-  version = "20240828T164047Z-001";
-  nativeBuildInputs = [ pkgs.unzip ];
-  buildInputs = [ pkgs.unzip ];
-
-  src = ../modules/secrets/Freight-20240828T164047Z-001.zip;
-
-  unpackPhase = ''
-    runHook preUnpack
-    ${pkgs.unzip}/bin/unzip $src
-
-    runHook postUnpack
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    install -Dm644 ${pname}-${version}/*.otf -t $out/share/fonts/opentype
-
-    runHook postInstall
-  '';
-}
--- a/1
+++ b/1
@ -0,0 +1 @@
+Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27
				`@ -1 +0,0 @@`
				`modules/secrets/** filter=git-crypt diff=git-crypt`
				`@ -0,0 +1 @@`
				`Subproject commit 98c890dfd160353f4f1b2490263edf3deeb43a27`