don't put private files to store by default

extra-builtins.nix

@@ -1,11 +1,14 @@
 { exec, ... }: {
-  # I might get a somewhat better solution later, "enjoy" this for now
+  secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
-  secrets = let
+    # compress and base64 the file to make it representable in nix,
+    # then decompress it back in a derivation (shouldn't there be a better way...)
+    copyToStore = pkgs: path:
+      let
         archive = exec [
           "sh" "-c"
-      "echo '\"' && (cd /etc/nixos/private && tar czv . 2>/dev/null | base64 -w0) && echo '\"'"
+          "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
         ];
-  in pkgs: import (pkgs.stdenvNoCC.mkDerivation {
+      in "${pkgs.stdenvNoCC.mkDerivation {
         name = "private";
         unpackPhase = "true";
         buildPhase = "true";
@@ -14,6 +17,7 @@
           cd $out
           echo "${archive}" | base64 -d | tar xzv
         '';
-    url = builtins.toFile "private.tar.gz" archive;
+        url = builtins.toFile "private.tar.gz.base64" archive;
-  });
+      }}/${path}";
+    };
 }

flake.nix

@@ -32,21 +32,21 @@
   outputs = inputs@{ self, nixpkgs, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, nixos-mailserver, ... }:
   let
     # IRL-related stuff I'd rather not put into git
-    priv = pkgs:
+    priv =
-      if builtins.pathExists ./private.nix then (import ./private.nix)
+      if builtins.pathExists ./private.nix then (import ./private.nix { })
-      else if builtins.pathExists ./private/default.nix then (import ./private)
+      else if builtins.pathExists ./private/default.nix then (import ./private { })
       # workaround for git flakes not having access to non-checked out files
-      else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets pkgs
+      else if builtins?extraBuiltins.secrets then builtins.extraBuiltins.secrets
       # yes, this is impure, this is a last ditch effort at getting access to secrets
-      else import /etc/nixos/private;
+      else import /etc/nixos/private { };
     # if x has key s, get it. Otherwise return def
     getOr = def: s: x: with builtins; if hasAttr s x then getAttr s x else def;
     # All private config for hostname
-    getPriv = pkgs: hostname: getOr { } hostname (priv pkgs);
+    getPriv = hostname: getOr { } hostname priv;
     # Private NixOS config for hostname
-    getPrivSys = pkgs: hostname: getOr { } "system" (getPriv pkgs hostname);
+    getPrivSys = hostname: getOr { } "system" (getPriv hostname);
     # Private home-manager config for hostname and username
-    getPrivUser = pkgs: hostname: user: getOr { } user (getPriv pkgs hostname);
+    getPrivUser = hostname: user: getOr { } user (getPriv hostname);
     # extended lib
     lib = nixpkgs.lib // {
       quoteListenAddr = addr:
@@ -116,7 +116,7 @@
           ./system/modules/impermanence.nix
           ./system/modules/common.nix
           impermanence.nixosModule 
-          (getPrivSys (import inputs.nixpkgs { inherit system; }) hostname)
+          (getPrivSys hostname)
           ({ config, pkgs, ... }: {
             nixpkgs.overlays = [ overlay ];
             nix.extraOptions = ''
@@ -160,7 +160,7 @@
                     plugin-files = ${pkgs.nix-plugins.override { nix = config.nix.package; }}/lib/nix/plugins/libnix-extra-builtins.so
                   '';
                 })
-                (getPrivUser (import nixpkgs { inherit system; }) hostname username)
+                (getPrivUser hostname username)
               ];
             }) (builtins.removeAttrs home [ "common" ]);
           }
@@ -190,7 +190,7 @@
                 (user: homeConfig: {
                   "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration (common' // {
                     modules = homeConfig ++ [
-                      (getPrivUser (import nixpkgs { inherit system; }) hostname user)
+                      (getPrivUser hostname user)
                       ({ config, pkgs, lib, ... }: {
                         nixpkgs.overlays = [ overlay ];
                         nix.package = lib.mkDefault pkgs.nixFlakes;

private.nix.sample

@@ -1,4 +1,7 @@
-{
+# copy a path to store (needed because I don't copy the secrets to store by default)
+# arg must be a string because of how nix handles relative paths as absolute
+{ copyToStore ? (pkgs: x: ./. + x)
+, ... }: {
   nixmsi = {
     system = { pkgs, ... }: {
       # insert private config here

system/hosts/nixserver/default.nix

@@ -44,7 +44,6 @@ in {
       grub = {
         enable = true;
         device = "nodev";
-        version = 2;
         efiSupport = true;
         efiInstallAsRemovable = true;
       };

system/hosts/nixserver/mailserver.nix

@@ -27,7 +27,7 @@ in {
     enable = true;
     fqdn = "mail.${cfg.domainName}";
     domains = [ cfg.domainName ];
-    certificateScheme = 1;
+    certificateScheme = "acme";
     certificateFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/fullchain.pem";
     keyFile = config.security.acme.certs."mail.${cfg.domainName}".directory + "/key.pem";
     localDnsResolver = false;