feat: switch to git-crypt

2023-05-13 13:20:47 +02:00 · 2023-05-13 13:20:47 +02:00 · 771896ffd9
commit 771896ffd9
parent a8eb075c5a
21 changed files with 17 additions and 24 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
 # Do not edit this file.  To specify the files to encrypt, create your own
 # .gitattributes file in the directory where your files are.
 * !filter !diff
 *.gpg binary
--- a/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg
+++ b/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1,4 +1,12 @@
 # noisy diffs
 flake.lock -diff
 home/secrets/**/*.json -diff
 lazy-lock.json -diff
 # git lfs
 *.png filter=lfs diff=lfs merge=lfs -text
 # git crypt
 home/secrets/fonts/*      filter=git-crypt diff=git-crypt
 home/secrets/*.nix        filter=git-crypt diff=git-crypt
 home/secrets/fallback.nix !filter !diff
 home/secrets/sops.nix     !filter !diff
--- a/.gitignore
+++ b/.gitignore
@ -1,11 +1,4 @@
 # secrets
 .gitsecret/keys/random_seed
 !*.secret
 home/secrets/default.nix
 home/secrets/fonts.tgz
 # Generated by nix-pre-commit-hooks
 /.pre-commit-config.yaml
 # generated nix files
 /result
--- a/.gitsecret/keys/pubring.kbx
+++ b/.gitsecret/keys/pubring.kbx
--- a/.gitsecret/keys/pubring.kbx~
+++ b/.gitsecret/keys/pubring.kbx~
--- a/.gitsecret/keys/trustdb.gpg
+++ b/.gitsecret/keys/trustdb.gpg
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@ -1 +0,0 @@
 home/secrets/default.nix:0e6b6e9c57743af34dd280dbafc83d5c27ca599e60c267f9eb63201ab7510856
--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
--- a/home/secrets/fonts.tgz.gpg
+++ b/home/secrets/fonts.tgz.gpg
--- a/home/secrets/fonts/Berkeley_Bold.otf
+++ b/home/secrets/fonts/Berkeley_Bold.otf
--- a/home/secrets/fonts/Berkeley_Bold_Italic.otf
+++ b/home/secrets/fonts/Berkeley_Bold_Italic.otf
--- a/home/secrets/fonts/Berkeley_Italic.otf
+++ b/home/secrets/fonts/Berkeley_Italic.otf
--- a/home/secrets/fonts/Berkeley_Regular.otf
+++ b/home/secrets/fonts/Berkeley_Regular.otf
--- a/home/secrets/fonts/Comic_Code_Bold.otf
+++ b/home/secrets/fonts/Comic_Code_Bold.otf
--- a/home/secrets/fonts/Comic_Code_Bold_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Bold_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Medium.otf
+++ b/home/secrets/fonts/Comic_Code_Medium.otf
--- a/home/secrets/fonts/Comic_Code_Medium_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Medium_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Regular.otf
+++ b/home/secrets/fonts/Comic_Code_Regular.otf
--- a/19
+++ b/19
@ -22,7 +22,7 @@ check:
 # build {{{
 [macos]
-switch: secret-stage && secret-unstage
+switch:
  #!/usr/bin/env bash
  set -euxo pipefail
  if [[ -x "./result/sw/bin/darwin-rebuild" ]]; then
@ -33,29 +33,18 @@ switch: secret-stage && secret-unstage
  fi
 [linux]
-switch: secret-stage && secret-unstage
+switch:
  sudo nixos-rebuild switch --flake .
 [linux]
-boot: secret-stage && secret-unstage
+boot:
  sudo nixos-rebuild boot --flake .
 # }}}
 # secrets {{{
 secretExists := path_exists("./home/secrets/default.nix")
 secret-stage:
  {{secretExists}} && git add -f home/secrets/default.nix || exit 0
 secret-unstage:
  {{secretExists}} && git restore --staged home/secrets/default.nix || exit 0
 fontdir := if os() == "macos" {"$HOME/Library/Fonts"} else {"${XDG_DATA_HOME:-$HOME/.local/share}/fonts"}
 install-fonts:
-  #!/usr/bin/env bash
+  install -Dm644 home/secrets/fonts/* "{{fontdir}}"
  set -euxo pipefail
  mkdir -p "{{fontdir}}"
  gpg --decrypt home/secrets/fonts.tgz.gpg | tar -xz -C "{{fontdir}}" --strip-components=1
 # }}}
 fetch:
  @nix run nixpkgs\#onefetch -- --true-color never --no-bots -d lines-of-code
		`@ -1 +0,0 @@`
			`home/secrets/default.nix:0e6b6e9c57743af34dd280dbafc83d5c27ca599e60c267f9eb63201ab7510856`