From 2d3168d438d45c6e531bff6440ce1d211d8c7a80 Mon Sep 17 00:00:00 2001 From: Jay Looney Date: Sat, 8 Nov 2025 09:17:26 -0600 Subject: [PATCH] feat: remove git-agecrypt / semi-secret-vars --- .gitattributes | 1 - git-agecrypt.toml | 2 -- hosts/lithium/README.md | 29 +++++++++++++++++++---------- hosts/lithium/default.nix | 1 - hosts/lithium/semi-secret-vars.nix | 8 -------- 5 files changed, 19 insertions(+), 22 deletions(-) delete mode 100644 .gitattributes delete mode 100644 git-agecrypt.toml delete mode 100644 hosts/lithium/semi-secret-vars.nix diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index 072eb55..0000000 --- a/.gitattributes +++ /dev/null @@ -1 +0,0 @@ -hosts/lithium/semi-secret-vars.nix filter=git-agecrypt diff=git-agecrypt diff --git a/git-agecrypt.toml b/git-agecrypt.toml deleted file mode 100644 index b2ff6dc..0000000 --- a/git-agecrypt.toml +++ /dev/null @@ -1,2 +0,0 @@ -[config] -"hosts/lithium/semi-secret-vars.nix" = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2SVmZ3iJF/rviKhTgkZOvu1fWr6G29K4u6yaxjZn4H jay@lithium"] diff --git a/hosts/lithium/README.md b/hosts/lithium/README.md index 1cdad59..a73e9e8 100644 --- a/hosts/lithium/README.md +++ b/hosts/lithium/README.md 
@@ -7,20 +7,29 @@ This is my primary homelab host/NAS, previously powered by TrueNAS Scale/k3s. Even with fully declarative Nix/Nixpkgs/NixOS at the end of the day there are still some actions that need to be taken manually. -- secrets configuration (both for SOPS and git-agecrypt semi-secrets) +- secrets configuration for `sops-nix` - kanidm user management - tailscale auth key - jellyfin configuration via web-ui -## Semi-Secrets +## Secrets and "Private Information" -`semi-secret-vars.nix` is using [git-agecrypt](https://github.com/vlaci/git-agecrypt) -and following a pattern I discovered here: - - https://github.com/nyawox/arcanum/blob/4629dfba1bc6d4dd2f4cf45724df81289230b61a/var/README.md - - https://github.com/vlaci/git-agecrypt +Originally I had used two providers of secrets, `sops-nix` and `git-agecrypt`, +and the reasoning for that was, with `git-agecrypt` I could directly encrypt an +entire `.nix` file, and use it to conceal an arbitrary amount of my nix config. +The #1 thing I was using it for was hiding details about the domain names that +power various services. I know that's not real security, and domains aren't +really private, but server logs prove that not including a domain in a GH repo +means you get dramatically fewer spurious requests. -Essentially there are some details I won't want exposed in the repository, but -I do want them available to all my nix modules. The main one being the domain. +The reason for using `git-agecrypt` against a whole nix file like that was most +importantly because it allowed me to *just use nix variables*. Compared to the +invocationss SOPS & `sops-nix` require, it can be a lot more simple for setting +values like a domain name. -While it's not really a secret in the way a password is, consider this effort a -mitigation against ddos attacks and automated requests and login attempts. 
+Now I'm going all in on `sops-nix` as the exclusive manager of secrets, and +maintaining a separate flake which contains private nix configuration details. +There are still issues with this, and now my overall nix config is essentially +fractured between "flake-A" and "flake-B", which gives me all the same issues +that any other software project faces with that arrangement. But I dislike +using `git-agecrypt` even more than I dislike those problems. diff --git a/hosts/lithium/default.nix b/hosts/lithium/default.nix index 4a02b76..61582b1 100644 --- a/hosts/lithium/default.nix +++ b/hosts/lithium/default.nix @@ -5,7 +5,6 @@ inputs.sops-nix.nixosModules.sops ./hardware.nix ./configuration.nix - ./semi-secret-vars.nix ./services/caddy.nix ./services/tailscale.nix ./services/kanidm.nix diff --git a/hosts/lithium/semi-secret-vars.nix b/hosts/lithium/semi-secret-vars.nix deleted file mode 100644 index 1598e07..0000000 --- a/hosts/lithium/semi-secret-vars.nix +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 rhvgyQ 8V5ehsrqPR8s2joIfdpZRYDQpwH5BXI1GgQ/Qcb/Wg4 -ZKRZkXT0uPbXzuXLsteW31GsKzZy1deUl1GdWeQB+4U --> "f&DjVar -Lhe9DbPHOqqKQ9HDhJB2xbIkrsxFGm39Yzr1J+ZbJnWYx5FCdGCCIexmv3GJy94t - ---- qKkjS2aEWavCLldEwi4MUTlDoQuIu9tSRr5yoeZVQhs -bZ~lU"Up v$?;:Zu҅^ŊQ/MBɉf]Ξ)4PY-߅ܻ ؟l&e2OUqXMDS7E&usU#d#؂W9^k.07hs4CRIwU aʯMwiUrikb}yV>r[8s \ No newline at end of file
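Review bot: on the `.gitattributes` and `git-agecrypt.toml` deletions, dropping the attribute line `hosts/lithium/semi-secret-vars.nix filter=git-agecrypt diff=git-agecrypt` stops the clean/smudge filter from matching any path, but the `filter.git-agecrypt` driver it names is defined in each clone's local git config (that is how git filter drivers work), not in the tree, so every existing checkout keeps the driver and the `git-agecrypt` binary wired up after this commit. It is inert with no attributed paths, but the README section this patch rewrites is the place to tell anyone with a clone to remove those local config entries and the tool, since the repo no longer documents why they exist.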
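Review bot: in the `hosts/lithium/README.md` hunk, the new text says private configuration now lives in "a separate flake" but never records how that flake is consumed (its input name, which module it exports, where it is imported), which is exactly the manual-setup information this section exists to capture; the removed lines stated these values had to be "available to all my nix modules", so a reader of the new README cannot tell how they reach those modules. Please add that wiring to the list at the top of the hunk or to the new section. Also fix the typo "invocationss" in "Compared to the invocationss SOPS & `sops-nix` require".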
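Review bot: in the `hosts/lithium/default.nix` hunk, `./semi-secret-vars.nix` is dropped from `imports` with no replacement import added alongside `inputs.sops-nix.nixosModules.sops`; if any of the remaining service modules (`./services/caddy.nix`, `./services/tailscale.nix`, `./services/kanidm.nix`, ...) still reference the options or attributes that file defined, evaluation will fail on the next rebuild. Either import the private flake's module here in the same commit, or confirm it is wired in elsewhere and say where in the commit message, so the patch is not a silent break between "flake-A" and "flake-B".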
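Review bot: on the `hosts/lithium/semi-secret-vars.nix` deletion, the removed content is age ciphertext (the `age-encryption.org/v1` header and an `ssh-ed25519` recipient stanza), which confirms the clean filter committed only ciphertext and no plaintext domain ever reached the repo, so the history is safe to leave as is. Two caveats worth a line in the README: deleting the file does not remove that ciphertext from history, so the single recipient key listed in `git-agecrypt.toml` (`jay@lithium`) must be retained if the old values are ever needed again, and without the `diff=git-agecrypt` attribute, diffs of historical revisions of this path will show raw ciphertext, as this hunk already does.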