jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sops patches
All checks were successful
Weekly NixOS Build & Cache / build-and-cache (push) Successful in 48m15s
Details

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-01 20:48:17 -06:00
parent da4ae90c11
commit 657986cf15
4 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/base.nix
View File

@@ -13,7 +13,7 @@
../modules/modules.nix
];
system.stateVersion = "23.05";
sops = {
sops = lib.mkIf config.my.secureHost {
defaultSopsFormat = "yaml";
defaultSopsFile = ../secrets/secrets.yaml;
age = {

5
config/derek.nix
View File

@@ -48,7 +48,10 @@ in
users.users.bearded_dragonn = {
isNormalUser = true;
createHome = true;
hashedPasswordFile = config.sops.secrets.derek-password.path;
hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;
hashedPassword =
lib.mkIf (!config.my.secureHost)
"$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
packages = builtins.attrValues {
inherit (pkgs)
bottles

2
modules/shell/multimedia.nix
View File

@@ -14,7 +14,7 @@
description = "Users to install multimedia shell tools for";
};
};
config = lib.mkIf config.my.shell.multimedia.enable {
config = lib.mkIf (config.my.shell.multimedia.enable && config.my.secureHost) {
sops.secrets."gallery-dl/secrets" =
let
user = inputs.self.lib.getFirstUser config.my.shell.multimedia.users;

5
specs/001-ai-docs/research.md
View File

@@ -24,3 +24,8 @@
- **Decision**: Treat the constitution as authoritative, update MCP docs to include explicit tool anchors, and align the tool catalog anchors to actual markdown headings; scope sync checks to MCP tool headings in `docs/reference/mcp-server.md`.
- **Rationale**: Prevents false drift from unrelated docs while ensuring tool anchors remain accurate and navigable.
- **Alternatives considered**: (a) Force every doc to map to a tool (rejected: inflates catalog and adds noise); (b) Keep loose anchors without validation (rejected: undermines navigation and sync intent).
## Decision 6 (2026-02-02): secureHost gating for SOPS config
- **Decision**: Gate SOPS configuration behind `config.my.secureHost` so non-secure hosts skip secret loading.
- **Rationale**: Aligns `config/base.nix` behavior with the constitutions secureHost rules and avoids secret dependency on non-secure hosts.
- **Alternatives considered**: (a) Leave SOPS enabled on all hosts (rejected: violates secureHost contract); (b) Duplicate SOPS logic per host (rejected: increases drift risk).