dustinlyons / nixos-config

General purpose Nix configuration for macOS / NixOS with starter templates + step-by-step guides ✨
BSD 3-Clause "New" or "Revised" License
1.8k stars 113 forks

dustinlyons/nix-secrets.git dependency #39

Closed multivac61 closed 10 months ago

multivac61 commented 11 months ago

Hey Dustin!

I'm updating my config to the new apps/host/modules/overlays setup with secrets. Getting an error due to your private dependency dustinlyons/nix-secrets.git in flake.nix

```
nixos-config on  modular [$✘»!]
✦2 ❯ nix flake archive
warning: Git tree '/Users/olafur/dev/nixos-config' is dirty
no such identity: /Users/olafur/.ssh/id_github: No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at 'ssh://git@github.com/dustinlyons/nix-secrets.git', using 'master'
no such identity: /Users/olafur/.ssh/id_github: No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
error:
       … while updating the lock file of flake 'git+file:///Users/olafur/dev/nixos-config'

       … while updating the flake input 'secrets'

       … while fetching the input 'git+ssh://git@github.com/dustinlyons/nix-secrets.git'

       error: program 'git' failed with exit code 128
```

```nix
    secrets = {
      url = "git+ssh://git@github.com/dustinlyons/nix-secrets.git";
      flake = false;
    };
```

I understand that it is a bit complicated, but I wonder if you could update the README.md? If I understand correctly I would have my own nix-secrets private repo or similar? Why not store the secrets directly in this config? Portability?

dustinlyons commented 11 months ago

Hi @multivac61! Thanks for bringing this to my attention. Looks like I introduced a regression with my refactor. As part of install, it should be asking you for your repo name. I'll fix it shortly.

Re: the nix-secrets repo, I personally think it's better security posture to never include encrypted secrets as part of a public repository. Some folks may disagree (because they're encrypted!), but I like to eliminate all possible attack vectors. Who knows if some tooling has an exploit, or I accidentally do something stupid and include something sensitive when not intended. It's just better for me to keep a nix-secrets repository as private, to avoid any possible error. So that's how the templates are designed. Hope this helps.

dustinlyons commented 11 months ago

@multivac61 Okay, I made some changes. Can you try again?

  1. As part of the `nix run .#apply` step, it will now ask you for your GitHub name and secrets repo.
  2. `nix run .#apply` then takes this and modifies the flake with your response.

Let me know if you run into any other issues.
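The two steps above describe `nix run .#apply` prompting for a GitHub name and a secrets repo name and then rewriting the `secrets` input in `flake.nix`. What follows is an added example, not the nixos-config project's own apply script, of how that rewrite can be done in POSIX shell without letting the answer to the prompt inject `sed` delimiters or shell metacharacters into the edit. The function names `valid_name` and `rewrite_secrets_input`, the character whitelist, and the sample flake content in the demo are all assumptions.

```shell
#!/bin/sh
# Added example (not the nixos-config project's own code): point the `secrets`
# flake input at the user's own private repo, as the issue describes
# `nix run .#apply` doing. Function names and the validation rule are assumptions.

# Accept only characters GitHub allows in user and repo names. Rejecting
# everything else means the value can never carry a sed delimiter (`|`),
# a replacement metacharacter (`&`, `\`) or shell syntax into the edit.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# rewrite_secrets_input FLAKE_FILE GITHUB_USER REPO
# Replaces the default placeholder URL of the `secrets` input in place and
# prints the new URL. Only the exact placeholder line is touched, so any other
# inputs in the flake are left alone.
rewrite_secrets_input() {
    flake="$1"; user="$2"; repo="$3"
    valid_name "$user" || { echo "invalid GitHub name: $user" >&2; return 1; }
    valid_name "$repo" || { echo "invalid repo name: $repo" >&2; return 1; }
    new_url="git+ssh://git@github.com/$user/$repo.git"
    # -i.bak works on both GNU and BSD sed; the backup is removed afterwards.
    sed -i.bak "s|url = \"git+ssh://git@github.com/dustinlyons/nix-secrets.git\"|url = \"$new_url\"|" "$flake"
    rm -f "$flake.bak"
    printf '%s\n' "$new_url"
}

# Stand-alone demo on a constructed flake fragment (run with `--demo`).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
  inputs = {
    secrets = {
      url = "git+ssh://git@github.com/dustinlyons/nix-secrets.git";
      flake = false;
    };
  };
EOF
    rewrite_secrets_input "$demo" example-user nix-secrets
    cat "$demo"
    rm -f "$demo"
fi
```

The whitelist check is the part worth keeping regardless of how the rewrite itself is done: an interactive prompt is user-controlled input, and feeding it unvalidated into a `sed` expression that is later committed to a flake is the kind of accidental mistake the thread's secrets-handling discussion is about avoiding.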

dustinlyons commented 10 months ago

Hi @multivac61, any luck getting this to run?

multivac61 commented 10 months ago

Apologies for the delay, I went with the non-secret approach. Will try out now 😊

multivac61 commented 10 months ago

Works as expected 👍 Thank you Dustin!

p.s. when running `mkdir -p nixos-config && (cd nixos-config && nix flake --extra-experimental-features 'nix-command flakes' init -t github:dustinlyons/nixos-config#starter)`, fish, my terminal emulator complained about the brackets `()`: `fish: command substitutions not allowed here`

dustinlyons commented 10 months ago

Awesome, thanks! I'll correct the redundant ()'s.