chayleaf
69ce2ffdbc
This uses a native plugin (pkgs.nix-plugins) to avoid using --impure, other options involving secret files are too limited for my use case as I need eval-time access to secrets. Moving it to a private flake is another option, but Nix flakes are poorly suited for non-monorepos. Previously I just renamed .git to .git.bak to make sure Nix pulls the "private" subdir into the store as well, but this new system may be more robust and can be extended to be way more secure in the future (e.g. right now I copy the secret .nix files to the store, but in general there's no need to do that). Of course the main drawback is that now I require a plugin for this flake to work.
20 lines
798 B
Markdown
# My Nix config

Home-manager config and modules are in `./home`, NixOS config and modules are in `./system`.

Secrets are fetched using a Nix plugin at evaluation time to avoid using `--impure`. I plan to implement a more robust secrets system later though.

To install, simply run `nixos-rebuild switch --flake . --option extra-builtins-file $(pwd)/extra-builtins.nix` and `home-manager switch --flake . --option extra-builtins-file $(pwd)/extra-builtins.nix`, since this repo relies on build-time decryption of secrets using a Nix plugin (to be fair you won't be able to use it since you don't have the secrets, such as the initial root password). If you don't have `nix-plugins` though, you can put the secrets in plaintext in `/etc/nixos/private` and add the `--impure` flag to bootstrap the config.
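As an added example (not a file from this repo), this is one shape the `extra-builtins.nix` passed via `--option extra-builtins-file` can take under `nix-plugins`. It goes one step further than the commit message describes by decrypting files that live outside the flake, so the ciphertext is never copied into the store; the `age` invocation, the layout under `/etc/nixos/private` and the builtin name `secret` are assumptions.

```nix
# extra-builtins.nix (example, not this repo's file). nix-plugins loads it via
# `--option extra-builtins-file $(pwd)/extra-builtins.nix`, calls this function
# with an attrset containing `exec` (runs a command and parses its stdout as a
# Nix expression) and exposes the returned set as `builtins.extraBuiltins`.
{ exec, ... }:
let
  # Assumption: encrypted secrets live outside the flake. This is a plain string,
  # not a path literal, so Nix never copies the directory into /nix/store.
  secretsDir = "/etc/nixos/private";

  # Assumption: each file is an age-encrypted Nix expression and `age` is on
  # PATH. If the command fails (missing file, wrong key) the evaluation fails
  # loudly instead of silently yielding an empty value.
  decrypt = name: exec [
    "age" "--decrypt"
    "-i" "${secretsDir}/key.txt"
    "${secretsDir}/${name}.nix.age"
  ];
in
{
  # builtins.extraBuiltins.secret "root" evaluates to the decrypted value, for
  # example `{ hashedPassword = "$6$..."; }`, usable as
  #   users.users.root.hashedPassword =
  #     (builtins.extraBuiltins.secret "root").hashedPassword;
  # Anything interpolated into the NixOS config still lands in the world-readable
  # store, so only expose values that are acceptable there (a hash, not a
  # plaintext password or private key).
  secret = decrypt;
}
```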