dustinlyons/nix-secrets.git dependency

Question

dustinlyons/nix-secrets.git dependency

multivac61 opened this issue 8 months ago · comments

Hey Dustin!

I'm updating my config to the new apps/host/modules/overlays setup with secrets. Getting an error due to your private dependency dustinlyons/nix-secrets.git in flake.nix

nixos-config on  modular [$✘»!]
✦2 ❯ nix flake archive
warning: Git tree '/Users/olafur/dev/nixos-config' is dirty
no such identity: /Users/olafur/.ssh/id_github: No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
warning: could not read HEAD ref from repo at 'ssh://git@github.com/dustinlyons/nix-secrets.git', using 'master'
no such identity: /Users/olafur/.ssh/id_github: No such file or directory
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
error:
       … while updating the lock file of flake 'git+file:///Users/olafur/dev/nixos-config'

       … while updating the flake input 'secrets'

       … while fetching the input 'git+ssh://git@github.com/dustinlyons/nix-secrets.git'

       error: program 'git' failed with exit code 128

    secrets = {
      url = "git+ssh://git@github.com/dustinlyons/nix-secrets.git";
      flake = false;
    };

I understand that it is a bit complicated, but I wonder if you could update the README.md? If I understand correctly I would have my own nix-secrets private repo or similar? Why not store the secrets directly in this config? Portability?

Dustin Lyons · Answer 1 · Sat Dec 30 2023 05:41:44 GMT+0800 (China Standard Time)

Hi @multivac61! Thanks for bringing this to my attention. Looks like I introduced a regression with my refactor. As part of install, it should be asking you for your repo name. I'll fix it shortly.

Re: the nix-secrets repo, I personally think it's better security posture to never include encrypted secrets as part of a public repository. Some folks may disagree (because they're encrypted!), but I like to eliminate all possible attack vectors. Who knows if some tooling has an exploit, or I accidentally do something stupid and include something sensitive when not intended. It's just better for me to keep a nix-secrets repository as private, to avoid any possible error. So that's how the templates are designed. Hope this helps.

Dustin Lyons · Answer 2 · Sun Dec 31 2023 01:51:03 GMT+0800 (China Standard Time)

@multivac61 Okay, I made some changes. Can you try again?

As part of the nix run .#apply step, it will now ask you for your Github name and secrets repo.
nix run .#apply then takes this and modifies the flake with your response.

Let me know if you run into any other issues.

Dustin Lyons · Answer 3 · Tue Jan 09 2024 23:54:21 GMT+0800 (China Standard Time)

Hi @multivac61, any luck getting this to run?

multivac61 · Answer 4 · Wed Jan 10 2024 04:46:53 GMT+0800 (China Standard Time)

Apologies for the delay, I went with the non-secret approach. Will try out now 😊

multivac61 · Answer 5 · Wed Jan 10 2024 05:09:15 GMT+0800 (China Standard Time)

Works as expected 👍 Thank you Dustin!

p.s. when running mkdir -p nixos-config && (cd nixos-config && nix flake --extra-experimental-features 'nix-command flakes' init -t github:dustinlyons/nixos-config#starter), fish, my terminal emulator complained about the brackets () fish: command substitutions not allowed here

Dustin Lyons · Answer 6 · Wed Jan 10 2024 23:06:14 GMT+0800 (China Standard Time)

Awesome, thanks! I'll correct the redundant ()'s.