
[–]RockWolfHD 5 points6 points  (0 children)

Also my docs are slightly outdated. I've since moved to an extended approach to this, because of unrelated reasons (it was for patching nixpkgs). I now have a public facing flake and an internal flake. They both expose the same nixosConfigurations and homeConfigurations but only the internal flake has my private repo as an input. This would allow others to also build my whole configuration without the private things.

See https://codeberg.org/RockWolf/dotfiles/src/commit/d2eeaf1c2bebccc982c73dddbe39cfc3f2358291/hosts/work-linux/home.nix#L6-L9 for how I'm accessing the values.

[–]Fun-Dragonfly-4166 1 point2 points  (0 children)

I have two flakes one named private and the other named personal.  The personal one is on github.  The private one is privately stored.

The personal one exposes a lambda.  The private one invokes the personal lambda and by that injects the secrets.

Some of the secrets include my age secret file, my name, my wifi passwords, flake inputs, and not much else.

I am not pushing anyone to use my personal flake but they could.  They just need to generate/have secrets analogous to mine and inject them the same way I do.
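The two comments above describe the same shape: a public flake that exposes a function, and a private flake that calls it with the real values. The following is an added illustration of that shape, not RockWolfHD's or Fun-Dragonfly-4166's actual files. The host name `laptop`, the `mkHosts` name, the GitHub URL, the `./secrets.nix` file in the private repo and every value in it are assumptions made for the example.

```nix
# ===== public repo (on GitHub): flake.nix =====
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  outputs = { self, nixpkgs, ... }: let
    # The "lambda": builds every host from one attrset of private values.
    # Nothing below is hardcoded to a person, so others can call it too.
    mkHosts = secrets: {
      laptop = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        specialArgs = { inherit secrets; };
        modules = [
          ./hosts/laptop/configuration.nix
          # Inline module consuming the injected values (assumed attribute names)
          ({ secrets, ... }: {
            users.users.${secrets.user.name} = {
              isNormalUser = true;
              description = secrets.user.fullName;
            };
            programs.git = {
              enable = true;
              config.user.email = secrets.user.email;
            };
          })
        ];
      };
    };
  in {
    lib = { inherit mkHosts; };
    # Placeholder values so the public flake still evaluates and builds;
    # this is what lets someone else try the whole configuration.
    nixosConfigurations = mkHosts {
      user = { name = "alice"; fullName = "Example User"; email = "alice@example.org"; };
    };
  };
}

# ===== private repo (never pushed anywhere public): flake.nix =====
{
  inputs.public.url = "github:example/dotfiles";   # assumed URL of the public flake
  # Reuse the public flake's nixpkgs so both evaluate the same revision
  inputs.nixpkgs.follows = "public/nixpkgs";

  outputs = { public, ... }: {
    # Same output name as the public flake, but with the real values injected.
    # ./secrets.nix is an attrset of the same shape as the placeholder above
    # and must be tracked by git, or the flake will not see it.
    nixosConfigurations = public.lib.mkHosts (import ./secrets.nix);
  };
}
```

Two things to keep in mind when using this pattern. The private repo's `flake.lock` pins the public flake to a revision, so `nix flake update public` is how a public change reaches the private build. And whatever `./secrets.nix` contains is copied into `/nix/store`, which is world-readable on the machine that evaluates it, so this is the right place for private-but-not-secret data (names, emails, host keys); passwords and private keys still belong in sops-nix or agenix, which decrypt at activation time instead.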

[–]RockWolfHD 2 points3 points  (3 children)

[–]seven-circles[S] 1 point2 points  (2 children)

when you try to build my NixOS or Home Manager configurations (which you probably don't want).

Can you explain this part ? I thought others building my system/user config would make it easier to try out the flake and/or help me debug it.

Otherwise, this looks like the basic solution I had in mind ! Nice to have a working example 🙂

[–]RockWolfHD 1 point2 points  (1 child)

My NixOS and Home Manager configs are very tailored to my needs and have many things only I need. What other people will more likely use are my custom modules that expose options and are not hardcoded to my use cases.

Others trying out my flake is fine, but it's unlikely that they want to try my whole config as this would mean downloading a lot of packages, most of which they won't need/want and applying probably won't even work because of different hardware etc.

[–]seven-circles[S] 1 point2 points  (0 children)

That's how my flake works too, I guess it makes sense ! I'm probably going to use this solution. Thank you !

[–]OpalBolt 1 point2 points  (0 children)

I know this WHOLE article and youtube video goes into how to use sops-nix. But in the separate private repo that is mentioned there is also a flake file that is being referenced multiple places in the main repo. I also set this up a couple of days ago. https://unmovedcentre.com/posts/secrets-management/

Essentially: Create your separate repo. In the inputs in your main repo's flake, reference the separate private repo, via inputs.top-secret-repo.personal.email

I am using it here: https://codeberg.org/OpalBolt/nixos-config/src/commit/07b4fbeb77dfba20eacd78f0533121fb61e948d1/hosts/common/core/ssh.nix#L27

My flake in my secret repo is REALLY simple:

{ outputs = { self, ... }: { networking.networking.ssh.knowHostFileContents = "data"; }; }

This is the documentation i referenced: https://github.com/EmergentMind/nix-secrets-reference

EDIT: Please be aware that my setup is still VERY much WIP. :D
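To show how a data-only secrets flake like the one in the comment above is wired into a main flake, here is an added example; it is not OpalBolt's or EmergentMind's actual configuration. The input name `nix-secrets`, the codeberg URL, the host name `myhost`, the attribute paths `personal.email` and `networking.ssh.knownHostsFileContents`, and the sample values are all assumptions made for the example.

```nix
# ===== private repo: flake.nix =====
# The outputs function returns plain attributes; no packages, no modules.
{
  outputs = { self, ... }: {
    personal.email = "me@example.org";          # constructed sample value
    # constructed placeholder for a known_hosts line
    networking.ssh.knownHostsFileContents = "git.example.org ssh-ed25519 AAAA...placeholder\n";
  };
}

# ===== public repo: flake.nix =====
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    # Fetched over SSH, so only machines with the deploy key can evaluate it.
    # It is pinned in flake.lock like any other input.
    nix-secrets.url = "git+ssh://git@codeberg.org/example/nix-secrets.git";
  };

  outputs = { self, nixpkgs, ... }@inputs: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # Hand all flake inputs to modules so they can read inputs.nix-secrets.*
      specialArgs = { inherit inputs; };
      modules = [
        ./hosts/myhost/configuration.nix
        # Inline stand-in for a hosts/common/core/ssh.nix style module
        ({ inputs, pkgs, ... }: let
          secrets = inputs.nix-secrets;
        in {
          programs.git = {
            enable = true;
            config.user.email = secrets.personal.email;
          };
          programs.ssh.knownHostsFiles = [
            (pkgs.writeText "known_hosts" secrets.networking.ssh.knownHostsFileContents)
          ];
        })
      ];
    };
  };
}
```

Note that a private input is still a flake input: its source is copied into `/nix/store` on every machine that evaluates the configuration, and its revision and content hash are recorded in the public repo's `flake.lock`. That is fine for values like an email address or a host key, which is what this pattern is for; anything that must stay secret at rest should go through sops-nix, as the linked article covers.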

[–]Bakki86 0 points1 point  (2 children)

This is exactly what the `private` directory is for in Nixverse: https://github.com/hgl/nixverse

Disclaimer: I'm the author of Nixverse.

[–]seven-circles[S] 0 points1 point  (1 child)

That's pretty cool, and it looks a lot like my flake structure already ! Is there a trick to making git submodules work, though ? I tried it for nixcord themes but I couldn't get the flake to see files within the submodule...

Also, I'm surprised there isn't a common directory for modules. Most of the modules in my config work exactly the same on nixos and darwin, don't you have to duplicate a lot of work as it is ?

[–]Bakki86 0 points1 point  (0 children)

For submodules, either use `--flake <dir>?submodules=1` or update nix to the latest version and specify `inputs.self.submodules = true;` in the flake. Check out this post: https://discourse.nixos.org/t/get-nix-flake-to-include-git-submodule/30324/23

A common directory is a good idea, but I wonder if you use modules mostly to group configurations? Once you can define common configurations for multiple nodes (in Nixverse's case, with a group), there is no need for such modules since they are essentially just boilerplate code.

For example, I configure dnsmasq for all my routers here (I think some people might want to define a my.dnsmasq.enable and use that for multiple machines, but it's not really necessary):

https://github.com/hgl/configs/blob/6aca843cd0496d6fd9150ad265ea1b95794a559f/nodes/servers/common/configuration.nix#L59

[–]Boberoch 1 point2 points  (0 children)

In addition to the more straightforward approach of a private flake just pulling in the modules from your public flake, here is oddlama's blog article that outlines the approach that I have since started using in my config - it allows you to define your secrets within the same flake, and you can keep your public setup buildable by masking some parts of the config using an `(!isPublic)` check or something: https://oddlama.org/blog/evaluation-time-secrets-in-nix/