Keeping secrets safe as submodules
Closed this issue · 2 comments
Hello,
is it possible to keep the secrets safe in a private Git submodule? Trying it with this approach but it does seem to work:
```
inputs.secrets.flake = false;
inputs.secrets.url = "git+file:secrets?ref=main&submodule=1";
```
I get an error while deploying the configuration:
```
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: path '/nix/store/yy2rn3wln4ysvqh7w27xih82frfbzqb8-source/secrets' does not exist
```
Folder is there with a default.nix and secrets.nix, submodule is inited and properly working gitwise.
Resolving the does not exist error with this
`inputs.secrets.url = "git+file:///secrets?ref=main&submodules=1";`
which brought up new errors :)
```
🚀 ℹ️ [deploy] [INFO] Evaluating flake in .
warning: Git tree '/home/pl/Code/nix-configuration' is dirty
fatal: '/secrets' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
warning: could not update mtime for file '/home/pl/.cache/nix/gitv3/0il30q0n0kmqg5jxd4svmklp4ir8n1sds53g2y2wnmg4w7p5smy9/refs/heads/main': No such file or directory
error:
… while updating the lock file of flake 'git+file:///home/pl/Code/nix-configuration'
… while updating the flake input 'secrets'
… while fetching the input 'git+file:///secrets?ref=main&submodules=1'
error: resolving Git reference 'main': revspec 'main' not found
🚀 ❌ [deploy] [ERROR] Failed to evaluate deployment data: Evaluation resulted in a bad exit code: Some(1)
```
Replaced the submodule approach (git+file) with loading the credentials from remote
```
inputs.secrets.url = "git+ssh://git@github.com/.../...git?ref=main";
inputs.secrets.flake = false;
```
Adding it to the modules worked with:
```
inputs.secrets.outPath
```
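
The setup the last comment arrives at, written out as a complete `flake.nix`. This is an added example, not part of the original thread; the nixpkgs URL, the host name `example-host`, `./configuration.nix` and the `OWNER/REPO` placeholder are assumptions.

```nix
{
  inputs = {
    # Assumed nixpkgs channel; use whichever one the configuration already pins.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Private repository fetched over SSH instead of as a git+file submodule.
    # OWNER/REPO is a placeholder; the thread elides the real path.
    secrets = {
      url = "git+ssh://git@github.com/OWNER/REPO.git?ref=main";
      # The repository only holds default.nix and secrets.nix, no flake.nix,
      # so it is consumed as a plain source tree.
      flake = false;
    };
  };

  outputs = inputs@{ self, nixpkgs, ... }: {
    # Hypothetical host name, for illustration only.
    nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix

        # outPath is the /nix/store/<hash>-source directory the input was
        # fetched into; listing a directory as a module imports its default.nix.
        #
        # The fetched tree is a normal store path (compare the
        # '/nix/store/...-source' path in the first error above), and store
        # paths are readable by every local user. Anything committed in
        # plaintext to the secrets repository is therefore readable on any
        # machine where this path ends up. Keeping the repository private
        # controls who can fetch it, not who can read the fetched copy.
        inputs.secrets.outPath
      ];
    };
  };
}
```

The evaluating user needs SSH access to the private repository (key or agent), and `flake.lock` will record the fetched revision of `secrets` next to the other inputs.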