ryantm / agenix

age-encrypted secrets for NixOS and Home manager
https://matrix.to/#/#agenix:nixos.org
Creative Commons Zero v1.0 Universal

Keeping secrets safe as submodules #266

Closed paullotz closed 1 week ago

paullotz commented 1 week ago

Hello, is it possible to keep the secrets safe in a private Git submodule? Trying it with this approach, but it doesn't seem to work:

```nix
inputs.secrets.flake = false;
inputs.secrets.url = "git+file:secrets?ref=main&submodule=1";
```

I get an error during deploying the configuration:

```
       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: path '/nix/store/yy2rn3wln4ysvqh7w27xih82frfbzqb8-source/secrets' does not exist
```

The folder is there with a default.nix and secrets.nix; the submodule is initialized and working properly git-wise.

paullotz commented 1 week ago

Resolved the "does not exist" error with this: `inputs.secrets.url = "git+file:///secrets?ref=main&submodules=1";`

which brought up new errors :)

```
🚀 ℹ️ [deploy] [INFO] Evaluating flake in .
warning: Git tree '/home/pl/Code/nix-configuration' is dirty
fatal: '/secrets' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not update mtime for file '/home/pl/.cache/nix/gitv3/0il30q0n0kmqg5jxd4svmklp4ir8n1sds53g2y2wnmg4w7p5smy9/refs/heads/main': No such file or directory
error:
       … while updating the lock file of flake 'git+file:///home/pl/Code/nix-configuration'

       … while updating the flake input 'secrets'

       … while fetching the input 'git+file:///secrets?ref=main&submodules=1'

       error: resolving Git reference 'main': revspec 'main' not found

🚀 ❌ [deploy] [ERROR] Failed to evaluate deployment data: Evaluation resulted in a bad exit code: Some(1)
```

paullotz commented 1 week ago

Replaced the submodule approach (git+file) with loading the credentials from remote:

```nix
inputs.secrets.url = "git+ssh://git@github.com/.../...git?ref=main";
inputs.secrets.flake = false;
```

Adding it to the modules worked with `inputs.secrets.outPath`.
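To show how the working approach from the last comment fits into a full configuration, here is a complete flake.nix. This is an added example, not code from the issue or from the agenix project; the repository URL `git@github.com/OWNER/SECRETS-REPO.git`, the host name `example-host` and the secret name `example-token` are placeholders. The private repo is pulled as a non-flake input (`flake = false`), pinned by commit in flake.lock, and the `.age` files are referenced through `inputs.secrets.outPath` so no secret material lives in the main configuration repository.

```nix
{
  description = "Host config consuming a private, non-flake secrets repo (added example)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";

    # Private secrets repository fetched over SSH, as in the final comment.
    # OWNER/SECRETS-REPO is a placeholder; flake = false means Nix treats the
    # checkout as a plain directory and only records its commit in flake.lock.
    secrets = {
      url = "git+ssh://git@github.com/OWNER/SECRETS-REPO.git?ref=main";
      flake = false;
    };
  };

  outputs = { self, nixpkgs, agenix, secrets, ... }@inputs: {
    nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      # Pass all inputs through so modules can reach inputs.secrets.outPath.
      specialArgs = { inherit inputs; };
      modules = [
        agenix.nixosModules.default
        ({ inputs, ... }: {
          # The .age file is read from the fetched store path of the secrets
          # input; it stays age-encrypted in the store and is only decrypted
          # on the host at activation time.
          age.secrets.example-token.file =
            "${inputs.secrets.outPath}/example-token.age";

          # Host private key that must be listed as a recipient in the secrets
          # repo's secrets.nix, otherwise decryption fails at activation.
          age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
        })
      ];
    };
  };
}
```

Because the input is fetched over SSH, evaluation (and `nix flake update`) needs read access to the private repository from the machine doing the evaluation; the deployed host itself only needs its own private key in `age.identityPaths` to decrypt the copied `.age` file.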