From 657986cf15beccd303e455512ab1afe6183d50a7 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Sun, 1 Feb 2026 20:48:17 -0600
Subject: [PATCH] sops patches

---
 config/base.nix | 2 +-
 config/derek.nix | 5 ++++-
 modules/shell/multimedia.nix | 2 +-
 specs/001-ai-docs/research.md | 5 +++++
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/config/base.nix b/config/base.nix
index a327672..98e8729 100644
--- a/config/base.nix
+++ b/config/base.nix
@@ -13,7 +13,7 @@
 ../modules/modules.nix
 ];
 system.stateVersion = "23.05";
- sops = {
+ sops = lib.mkIf config.my.secureHost {
 defaultSopsFormat = "yaml";
 defaultSopsFile = ../secrets/secrets.yaml;
 age = {
diff --git a/config/derek.nix b/config/derek.nix
index 2c25fd2..dd68196 100644
--- a/config/derek.nix
+++ b/config/derek.nix
@@ -48,7 +48,10 @@ in
 users.users.bearded_dragonn = {
 isNormalUser = true;
 createHome = true;
- hashedPasswordFile = config.sops.secrets.derek-password.path;
+ hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;
+ hashedPassword =
+ lib.mkIf (!config.my.secureHost)
+ "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
 packages = builtins.attrValues {
 inherit (pkgs)
 bottles
diff --git a/modules/shell/multimedia.nix b/modules/shell/multimedia.nix
index 7b2f665..4c3a391 100644
--- a/modules/shell/multimedia.nix
+++ b/modules/shell/multimedia.nix
@@ -14,7 +14,7 @@
 description = "Users to install multimedia shell tools for";
 };
 };
- config = lib.mkIf config.my.shell.multimedia.enable {
+ config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {
 sops.secrets."gallery-dl/secrets" = let
 user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
diff --git a/specs/001-ai-docs/research.md b/specs/001-ai-docs/research.md
index b64fd38..2939c3e 100644
--- a/specs/001-ai-docs/research.md
+++ b/specs/001-ai-docs/research.md
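Review bot: Wrapping only this `sops = { … }` attrset in `lib.mkIf config.my.secureHost` appears to leave sops-nix itself active on non-secure hosts, so any other module that still declares a `sops.secrets.*` entry there would evaluate without the `defaultSopsFile` and age key set here; the commit gates derek.nix and multimedia.nix by hand, but nothing in base.nix records that every consumer must do the same. A comment above the new line would make that invariant visible to the next module author: `# secureHost only: the age key and secrets.yaml are provisioned on secure hosts; every sops.secrets consumer must gate on config.my.secureHost as well.` The `sops` attrset continues past the hunk.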
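Review bot: The added `hashedPassword` commits a crypt-SHA-512 hash of a real account password to the repository, and NixOS documents that `users.users.<name>.hashedPassword` is copied into the world-readable Nix store on the target, so on non-secure hosts the hash becomes readable by every local user and stays in git history even after a later commit removes it. The `hashedPasswordFile` branch avoids exactly this because only a path is evaluated, which is the property the new fallback gives up. Prefer the file-based option on both branches with the non-secure file provisioned out of band, e.g. `hashedPasswordFile = if config.my.secureHost then config.sops.secrets.derek-password.path else "<placeholder: path to a hash file placed on the host outside the repo>";`, or leave the account without a password on non-secure hosts; either way the committed hash should be treated as disclosed and the password rotated. The `users.users.bearded_dragonn` attrset continues past the hunk.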
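Review bot: Adding `&& config.my.secureHost` to the outer `lib.mkIf` disables the whole module config rather than just the secret, so a non-secure host with `my.shell.multimedia.enable = true` silently gets neither the gallery-dl secret nor anything else this block sets (its body continues past the hunk, so I cannot see what else is dropped), and the option description still promises tool installation. If the remaining content does not depend on the secret, keep the outer condition as it was, `config = lib.mkIf config.my.shell.multimedia.enable {`, and gate only the secret, e.g. `sops.secrets."gallery-dl/secrets" = lib.mkIf config.my.secureHost (let user = …; in { … });`. Otherwise an `assertions` entry stating that multimedia requires secureHost would turn the silent no-op into an evaluation-time message.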
@@ -24,3 +24,8 @@
 - **Decision**: Treat the constitution as authoritative, update MCP docs to include explicit tool anchors, and align the tool catalog anchors to actual markdown headings; scope sync checks to MCP tool headings in `docs/reference/mcp-server.md`.
 - **Rationale**: Prevents false drift from unrelated docs while ensuring tool anchors remain accurate and navigable.
 - **Alternatives considered**: (a) Force every doc to map to a tool (rejected: inflates catalog and adds noise); (b) Keep loose anchors without validation (rejected: undermines navigation and sync intent).
+
+## Decision 6 (2026-02-02): secureHost gating for SOPS config
+- **Decision**: Gate SOPS configuration behind `config.my.secureHost` so non-secure hosts skip secret loading.
+- **Rationale**: Aligns `config/base.nix` behavior with the constitution’s secureHost rules and avoids secret dependency on non-secure hosts.
+- **Alternatives considered**: (a) Leave SOPS enabled on all hosts (rejected: violates secureHost contract); (b) Duplicate SOPS logic per host (rejected: increases drift risk).