feat: switch to git-crypt

2023-05-13 13:20:47 +02:00 · 2023-05-13 13:20:47 +02:00 · 771896ffd9
commit 771896ffd9
parent a8eb075c5a
21 changed files with 17 additions and 24 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
--- a/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg
+++ b/.git-crypt/keys/default/0/A476C39610E53A689A57BD0D0B89BC45007EE9CC.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -1,4 +1,12 @@
+# noisy diffs
 flake.lock -diff
-home/secrets/**/*.json -diff
 lazy-lock.json -diff
+
+# git lfs
 *.png filter=lfs diff=lfs merge=lfs -text
+
+# git crypt
+home/secrets/fonts/*      filter=git-crypt diff=git-crypt
+home/secrets/*.nix        filter=git-crypt diff=git-crypt
+home/secrets/fallback.nix !filter !diff
+home/secrets/sops.nix     !filter !diff
--- a/.gitignore
+++ b/.gitignore
@ -1,11 +1,4 @@
-# secrets
-.gitsecret/keys/random_seed
-!*.secret
-home/secrets/default.nix
-home/secrets/fonts.tgz
-
 # Generated by nix-pre-commit-hooks
 /.pre-commit-config.yaml
-
 # generated nix files
 /result
--- a/.gitsecret/keys/pubring.kbx
+++ b/.gitsecret/keys/pubring.kbx
--- a/.gitsecret/keys/pubring.kbx~
+++ b/.gitsecret/keys/pubring.kbx~
--- a/.gitsecret/keys/trustdb.gpg
+++ b/.gitsecret/keys/trustdb.gpg
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@ -1 +0,0 @@
-home/secrets/default.nix:0e6b6e9c57743af34dd280dbafc83d5c27ca599e60c267f9eb63201ab7510856
--- a/home/secrets/default.nix
+++ b/home/secrets/default.nix
--- a/home/secrets/fonts.tgz.gpg
+++ b/home/secrets/fonts.tgz.gpg
--- a/home/secrets/fonts/Berkeley_Bold.otf
+++ b/home/secrets/fonts/Berkeley_Bold.otf
--- a/home/secrets/fonts/Berkeley_Bold_Italic.otf
+++ b/home/secrets/fonts/Berkeley_Bold_Italic.otf
--- a/home/secrets/fonts/Berkeley_Italic.otf
+++ b/home/secrets/fonts/Berkeley_Italic.otf
--- a/home/secrets/fonts/Berkeley_Regular.otf
+++ b/home/secrets/fonts/Berkeley_Regular.otf
--- a/home/secrets/fonts/Comic_Code_Bold.otf
+++ b/home/secrets/fonts/Comic_Code_Bold.otf
--- a/home/secrets/fonts/Comic_Code_Bold_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Bold_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Medium.otf
+++ b/home/secrets/fonts/Comic_Code_Medium.otf
--- a/home/secrets/fonts/Comic_Code_Medium_Italic.otf
+++ b/home/secrets/fonts/Comic_Code_Medium_Italic.otf
--- a/home/secrets/fonts/Comic_Code_Regular.otf
+++ b/home/secrets/fonts/Comic_Code_Regular.otf
--- a/19
+++ b/19
@ -22,7 +22,7 @@ check:

 # build {{{
 [macos]
-switch: secret-stage && secret-unstage
+switch:
  #!/usr/bin/env bash
  set -euxo pipefail
  if [[ -x "./result/sw/bin/darwin-rebuild" ]]; then
@ -33,29 +33,18 @@ switch: secret-stage && secret-unstage
  fi

 [linux]
-switch: secret-stage && secret-unstage
+switch:
  sudo nixos-rebuild switch --flake .
 [linux]
-boot: secret-stage && secret-unstage
+boot:
  sudo nixos-rebuild boot --flake .
 # }}}

-# secrets {{{
 secretExists := path_exists("./home/secrets/default.nix")

-secret-stage:
-  {{secretExists}} && git add -f home/secrets/default.nix || exit 0
-secret-unstage:
-  {{secretExists}} && git restore --staged home/secrets/default.nix || exit 0
-
 fontdir := if os() == "macos" {"$HOME/Library/Fonts"} else {"${XDG_DATA_HOME:-$HOME/.local/share}/fonts"}
-
 install-fonts:
-  #!/usr/bin/env bash
-  set -euxo pipefail
-  mkdir -p "{{fontdir}}"
-  gpg --decrypt home/secrets/fonts.tgz.gpg | tar -xz -C "{{fontdir}}" --strip-components=1
-# }}}
+  install -Dm644 home/secrets/fonts/* "{{fontdir}}"

 fetch:
  @nix run nixpkgs\#onefetch -- --true-color never --no-bots -d lines-of-code
				`@ -1 +0,0 @@`
				`home/secrets/default.nix:0e6b6e9c57743af34dd280dbafc83d5c27ca599e60c267f9eb63201ab7510856`