my dotfiles
chayleaf 69ce2ffdbc store secrets separate from this flake
This uses a native plugin (pkgs.nix-plugins) to avoid using --impure,
other options involving secret files are too limited for my use case as
I need eval-time access to secrets. Moving it to a private flake is
another option, but Nix flakes are poorly suited for non-monorepos.
Previously I just renamed .git to .git.bak to make sure Nix pulls the
"private" subdir into store as well, but this new system may be more
robust and can be extended to be way more secure in the future (e.g.
right now I copy the secret .nix files to store, but in general there's
no need to do that).

Of course the main drawback is that now I require a plugin for this
flake to work.
2023-05-26 00:46:38 +07:00
home more polish for hm nixos module integration 2023-05-25 11:34:27 +07:00
pkgs switch to mainline system76-scheduler module (and fix eval) 2023-05-25 06:32:52 +07:00
system more polish for hm nixos module integration 2023-05-25 11:34:27 +07:00
.gitignore add server config 2023-05-11 05:33:08 +07:00
COPYING add system76 scheduler+other system config changes 2023-01-24 15:42:51 +07:00
extra-builtins.nix store secrets separate from this flake 2023-05-26 00:46:38 +07:00
flake.lock refactor pkgs, allow NixOS HM module to be used 2023-05-25 06:26:52 +07:00
flake.nix store secrets separate from this flake 2023-05-26 00:46:38 +07:00
overlays.nix XDG_CONFIG_HOME/nixpkgs->XDG_CONFIG_HOME/home-manager 2023-04-10 19:15:34 +07:00
private.nix.sample update private config sample 2023-05-25 05:09:17 +07:00
push.sh store secrets separate from this flake 2023-05-26 00:46:38 +07:00
README.md store secrets separate from this flake 2023-05-26 00:46:38 +07:00
update.sh store secrets separate from this flake 2023-05-26 00:46:38 +07:00

My Nix config

Home-manager config and modules are in ./home, NixOS config and modules are in ./system.

Secrets are fetched using a Nix plugin at evaluation time to avoid using --impure. I plan to implement a more robust secrets system later, though.

To install, run nixos-rebuild switch --flake . --option extra-builtins-file $(pwd)/extra-builtins.nix and home-manager switch --flake . --option extra-builtins-file $(pwd)/extra-builtins.nix. The extra-builtins-file option is needed because this repo relies on build-time decryption of secrets using a Nix plugin (to be fair, you won't be able to use it since you don't have the secrets, such as the initial root password). If you don't have nix-plugins, you can put the secrets in plaintext in /etc/nixos/private and add the --impure flag to bootstrap the config.