sops patches
All checks were successful
Weekly NixOS Build & Cache / build-and-cache (push) Successful in 48m15s
@@ -13,7 +13,7 @@
|
|||||||
../modules/modules.nix
|
../modules/modules.nix
|
||||||
];
|
];
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "23.05";
|
||||||
sops = {
|
sops = lib.mkIf config.my.secureHost {
|
||||||
defaultSopsFormat = "yaml";
|
defaultSopsFormat = "yaml";
|
||||||
defaultSopsFile = ../secrets/secrets.yaml;
|
defaultSopsFile = ../secrets/secrets.yaml;
|
||||||
age = {
|
age = {
|
||||||
|
|||||||
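Review bot: `sops = lib.mkIf config.my.secureHost {` only gates the declarations inside this block (`defaultSopsFormat`, `defaultSopsFile`, `age`); a `sops.secrets.*` entry declared in any other module is still evaluated on a non-secure host, now without a `defaultSopsFile`, so it fails at build time instead of being skipped. Either give every secret declaration the same gate (the multimedia hunk below does) or record that as a repo-wide rule next to the gate. Also confirm `lib` is in this module's argument set, since the hunk header at line 13 does not show it.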
@@ -48,7 +48,10 @@ in
|
|||||||
users.users.bearded_dragonn = {
|
users.users.bearded_dragonn = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
hashedPasswordFile = config.sops.secrets.derek-password.path;
|
hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;
|
||||||
|
hashedPassword =
|
||||||
|
lib.mkIf (!config.my.secureHost)
|
||||||
|
"$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
|
||||||
packages = builtins.attrValues {
|
packages = builtins.attrValues {
|
||||||
inherit (pkgs)
|
inherit (pkgs)
|
||||||
bottles
|
bottles
|
||||||
|
|||||||
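Review bot: the fallback branch commits a crypt(3) SHA-512 hash (`hashedPassword = lib.mkIf (!config.my.secureHost) "$6$..."`) into the repository, so everyone with read access to the repo holds a copy they can test guesses against offline, and if that password is shared with a secure host the secureHost gate protects nothing. Use `initialHashedPassword` for a bootstrap-only credential or keep the hash out of git, and treat the password as exposed now that the hash is in history. The paired `mkIf` / `mkIf (!...)` conditions do avoid the NixOS warning about setting `hashedPassword` and `hashedPasswordFile` together, so that part is fine.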
@@ -14,7 +14,7 @@
|
|||||||
description = "Users to install multimedia shell tools for";
|
description = "Users to install multimedia shell tools for";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = lib.mkIf config.my.shell.multimedia.enable {
|
config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {
|
||||||
sops.secrets."gallery-dl/secrets" =
|
sops.secrets."gallery-dl/secrets" =
|
||||||
let
|
let
|
||||||
user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
|
user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;
|
||||||
|
|||||||
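Review bot: `config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {` gates the whole multimedia config, not just `sops.secrets."gallery-dl/secrets"`, so a non-secure host with `my.shell.multimedia.enable = true` silently gets no multimedia tools at all. If the intent per Decision 6 is only to skip secret loading, keep the outer `mkIf` on `enable` and wrap only the `sops.secrets."gallery-dl/secrets"` declaration (and whatever reads its `.path`) in `lib.mkIf config.my.secureHost`; if dropping the tools is intended, add a warning so the silent no-op is visible at evaluation time.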
@@ -24,3 +24,8 @@
|
|||||||
- **Decision**: Treat the constitution as authoritative, update MCP docs to include explicit tool anchors, and align the tool catalog anchors to actual markdown headings; scope sync checks to MCP tool headings in `docs/reference/mcp-server.md`.
|
- **Decision**: Treat the constitution as authoritative, update MCP docs to include explicit tool anchors, and align the tool catalog anchors to actual markdown headings; scope sync checks to MCP tool headings in `docs/reference/mcp-server.md`.
|
||||||
- **Rationale**: Prevents false drift from unrelated docs while ensuring tool anchors remain accurate and navigable.
|
- **Rationale**: Prevents false drift from unrelated docs while ensuring tool anchors remain accurate and navigable.
|
||||||
- **Alternatives considered**: (a) Force every doc to map to a tool (rejected: inflates catalog and adds noise); (b) Keep loose anchors without validation (rejected: undermines navigation and sync intent).
|
- **Alternatives considered**: (a) Force every doc to map to a tool (rejected: inflates catalog and adds noise); (b) Keep loose anchors without validation (rejected: undermines navigation and sync intent).
|
||||||
|
|
||||||
|
## Decision 6 (2026-02-02): secureHost gating for SOPS config
|
||||||
|
- **Decision**: Gate SOPS configuration behind `config.my.secureHost` so non-secure hosts skip secret loading.
|
||||||
|
- **Rationale**: Aligns `config/base.nix` behavior with the constitution’s secureHost rules and avoids secret dependency on non-secure hosts.
|
||||||
|
- **Alternatives considered**: (a) Leave SOPS enabled on all hosts (rejected: violates secureHost contract); (b) Duplicate SOPS logic per host (rejected: increases drift risk).
|
||||||
|
|||||||
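Review bot: Decision 6 documents the gate on `config/base.nix` but not the two side effects of this same commit: the multimedia module now disables all of its tools on non-secure hosts (not only secret loading), and `bearded_dragonn` falls back to a password hash stored in the repo. Both are secureHost-policy consequences and belong under the decision or its alternatives so the next reader does not have to rediscover them from the diff.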