feat: remove git-agecrypt / semi-secret-vars

2025-11-08 09:17:26 -06:00 · 2025-11-08 09:17:26 -06:00 · 2d3168d438
commit 2d3168d438
parent fa53235842
5 changed files with 19 additions and 22 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +0,0 @@
 hosts/lithium/semi-secret-vars.nix filter=git-agecrypt diff=git-agecrypt
--- a/git-agecrypt.toml
+++ b/git-agecrypt.toml
@ -1,2 +0,0 @@
 [config]
 "hosts/lithium/semi-secret-vars.nix" = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2SVmZ3iJF/rviKhTgkZOvu1fWr6G29K4u6yaxjZn4H jay@lithium"]
--- a/hosts/lithium/README.md
+++ b/hosts/lithium/README.md
@ -7,20 +7,29 @@ This is my primary homelab host/NAS, previously powered by TrueNAS Scale/k3s.
 Even with fully declarative Nix/Nixpkgs/NixOS at the end of the day there are
 still some actions that need to be taken manually.
- secrets configuration (both for SOPS and git-agecrypt semi-secrets)
+- secrets configuration for `sops-nix`
 - kanidm user management
 - tailscale auth key
 - jellyfin configuration via web-ui
-## Semi-Secrets
+## Secrets and "Private Information"
-`semi-secret-vars.nix` is using [git-agecrypt](https://github.com/vlaci/git-agecrypt)
+Originally I had used two providers of secrets, `sops-nix` and `git-agecrypt`,
-and following a pattern I discovered here:
+and the reasoning for that was, with `git-agecrypt` I could directly encrypt an
- - https://github.com/nyawox/arcanum/blob/4629dfba1bc6d4dd2f4cf45724df81289230b61a/var/README.md
+entire `.nix` file, and use it to conceal an arbitrary amount of my nix config.
- - https://github.com/vlaci/git-agecrypt
+The #1 thing I was using it for was hiding details about the domain names that
 power various services. I know that's not real security, and domains aren't
 really private, but server logs prove that not including a domain in a GH repo
 means you get dramatically fewer spurious requests.
-Essentially there are some details I won't want exposed in the repository, but
+The reason for using `git-agecrypt` against a whole nix file like that was most
-I do want them available to all my nix modules. The main one being the domain.
+importantly because it allowed me to *just use nix variables*. Compared to the
 invocationss SOPS & `sops-nix` require, it can be a lot more simple for setting
 values like a domain name.
-While it's not really a secret in the way a password is, consider this effort a
+Now I'm going all in on `sops-nix` as the exclusive manager of secrets, and
-mitigation against ddos attacks and automated requests and login attempts.
+maintaining a separate flake which contains private nix configuration details.
 There are still issues with this, and now my overall nix config is essentially
 fractured between "flake-A" and "flake-B", which gives me all the same issues
 that any other software project faces with that arrangement. But I dislike
 using `git-agecrypt` even more than I dislike those problems.
--- a/hosts/lithium/default.nix
+++ b/hosts/lithium/default.nix
@ -5,7 +5,6 @@
    inputs.sops-nix.nixosModules.sops
    ./hardware.nix
    ./configuration.nix
    ./semi-secret-vars.nix
    ./services/caddy.nix
    ./services/tailscale.nix
    ./services/kanidm.nix
--- a/hosts/lithium/semi-secret-vars.nix
+++ b/hosts/lithium/semi-secret-vars.nix
@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 rhvgyQ 8V5ehsrqPR8s2joIfdpZRYDQpwH5BXI1GgQ/Qcb/Wg4
 ZKRZkXT0uPbXzuXLsteW31GsKzZy1deUl1GdWeQB+4U
 -> "f<f<DW--grease AQ] z5_)RUB7 2>&DjVar
 Lhe9DbPHOqqKQ9HDhJB2xbIkrsxFGm39Yzr1J+ZbJnWYx5FCdGCCIexmv3GJy94t
 --- qKkjS2aEWavCLldEwi4MUTlDoQuIu9tSRr5yoeZVQhs
 b¾Z~l…ŠU"Uãpµ¥ vÉñ¿³$?ƒ<EFBFBD>æ;:Z›ÖuÒ…^öËÅŠQ/MBÉ‰f]Îž)4PYáî-ß…äê«Ü» <EFBFBD>áØŸl¨Á¯&e‡âû2”©ÈOUqXóMD<EFBFBD>SÜä7ÁE¿ð”ÀÉæ&us–¿ð<EFBFBD>ÁU÷#Êdø#Ø‚ÿÀÂWõ9Øãó^k.ÜÝ0áü7«ðhŸ°©s4CRIwUÅa‚Ê¯MÀw‰i·‡U<EFBFBD>riÿkªb}yVÒÈÜüÏ>©¿rŽ°[ƒÝ8s
		`@ -1 +0,0 @@`
			`hosts/lithium/semi-secret-vars.nix filter=git-agecrypt diff=git-agecrypt`
		`@ -1,2 +0,0 @@`
			`[config]`
			`"hosts/lithium/semi-secret-vars.nix" = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2SVmZ3iJF/rviKhTgkZOvu1fWr6G29K4u6yaxjZn4H jay@lithium"]`