From: Preston Pan Date: Mon, 22 Sep 2025 03:34:58 +0000 (-0700) Subject: add support for managing secrets with gnu stow X-Git-Url: https://ret2pop.net/gitweb/%22../%22./%22https:/polyfill.io/v3/style.css?a=commitdiff_plain;h=11d99a0715cf201a660e33d911c953313fec3796;p=monorepo.git add support for managing secrets with gnu stow --- diff --git a/agenda.org b/agenda.org index a584af1..5a6b26b 100644 --- a/agenda.org +++ b/agenda.org @@ -76,11 +76,12 @@ something. These are some habits I want to track. They are repeated according to a calendar schedule in general. ** TODO Supplements -SCHEDULED: <2025-09-18 Thu .+1d> +SCHEDULED: <2025-09-22 Mon .+1d> :PROPERTIES: -:LAST_REPEAT: [2025-09-17 Wed 03:40] +:LAST_REPEAT: [2025-09-21 Sun 06:57] :STYLE: habit :END: +- State "DONE" from "TODO" [2025-09-21 Sun 06:57] - State "DONE" from "TODO" [2025-09-17 Wed 03:40] - State "DONE" from "TODO" [2025-09-16 Tue 03:13] - State "DONE" from "TODO" [2025-09-14 Sun 18:33] @@ -104,11 +105,12 @@ Current stack: - EPA/DHA - Creatine Monohydrate ** TODO Strength Training -SCHEDULED: <2025-09-18 Thu .+1d> +SCHEDULED: <2025-09-22 Mon .+1d> :PROPERTIES: -:LAST_REPEAT: [2025-09-17 Wed 03:40] +:LAST_REPEAT: [2025-09-21 Sun 06:57] :STYLE: habit :END: +- State "DONE" from "TODO" [2025-09-21 Sun 06:57] - State "DONE" from "TODO" [2025-09-17 Wed 03:40] - State "DONE" from "TODO" [2025-09-14 Sun 02:26] - State "DONE" from "TODO" [2025-09-10 Wed 03:23] 
@@ -128,11 +130,12 @@ SCHEDULED: <2025-08-26 Tue .+1d> - State "DONE" from "TODO" [2025-06-26 Thu 23:22] I want to be able to run or bike every day so that I get my exercise in. ** TODO Stretch -SCHEDULED: <2025-09-18 Thu .+1d> +SCHEDULED: <2025-09-22 Mon .+1d> :PROPERTIES: -:LAST_REPEAT: [2025-09-17 Wed 03:40] +:LAST_REPEAT: [2025-09-21 Sun 06:57] :STYLE: habit :END: +- State "DONE" from "TODO" [2025-09-21 Sun 06:57] - State "DONE" from "TODO" [2025-09-17 Wed 03:40] - State "DONE" from "TODO" [2025-09-16 Tue 03:14] - State "DONE" from "TODO" [2025-09-14 Sun 02:20] diff --git a/config/nix.org b/config/nix.org index da30b91..940c98f 100644 --- a/config/nix.org +++ b/config/nix.org @@ -1247,6 +1247,7 @@ This is my impermanence profile, which removes all files on reboot except for th ".mozilla" ".bitmonero" ".config" + ".crypto" { directory = ".gnupg"; mode = "0700"; } { directory = ".ssh"; mode = "0700"; } { directory = ".local/share/keyrings"; mode = "0700"; } @@ -3509,6 +3510,7 @@ standard. }; shellAliases = { + clone-secrets = "git clone ssh://\"$1\"/home/preston/secrets \"$HOME/secrets\""; get-channel-id = "yt-dlp --print \"%(channel_id)s\" --playlist-end 1 \"$1\""; se = "sops edit"; f = "vim $(fzf)"; @@ -3616,7 +3618,8 @@ for these configurations. torsocks tor-browser # For transfering secrets onto new system - magic-wormhole + magic-wormhole stow + # fonts nerd-fonts.iosevka noto-fonts noto-fonts-cjk-sans noto-fonts-emoji fira-code font-awesome_6 victor-mono (aspellWithDicts @@ -3679,6 +3682,14 @@ for these configurations. #!/bin/bash nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config $HOME/monorepo/nix/systems/spontaneity/hardware-configuration.nix --flake $HOME/monorepo/nix#spontaneity --target-host "$1" '') + (writeShellScriptBin "secrets" + '' + #!/bin/bash + cd "$HOME/secrets" + git pull # repo is over LAN + stow */ # manage secrets with gnu stow + cd "$HOME" + '') ] else [ pfetch 
@@ -3763,7 +3774,10 @@ This is pretty understandable, if you understand all the above. ]; config = { monorepo = { - profiles.impermanence.enable = true; + profiles = { + impermanence.enable = true; + secureBoot = true; + }; vars = { device = "/dev/sda"; fileSystem = "btrfs"; @@ -3976,10 +3990,6 @@ This contains the installation script I use to install my systems. exit 1 fi - gum style --border normal --margin "1" --padding "1 2" "Notice: if using full disk encryption, write to /tmp/secret.key first with your password." - - sleep 3 - cd "$HOME" ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix index 6602232..59a11bf 100644 --- a/nix/modules/home/user.nix +++ b/nix/modules/home/user.nix @@ -53,7 +53,8 @@ torsocks tor-browser # For transfering secrets onto new system - magic-wormhole + magic-wormhole stow + # fonts nerd-fonts.iosevka noto-fonts noto-fonts-cjk-sans noto-fonts-emoji fira-code font-awesome_6 victor-mono (aspellWithDicts @@ -116,6 +117,14 @@ nixos-rebuild --sudo --ask-sudo-password --target-host "$1" switch --flake $HOME #!/bin/bash nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config $HOME/monorepo/nix/systems/spontaneity/hardware-configuration.nix --flake $HOME/monorepo/nix#spontaneity --target-host "$1" '') + (writeShellScriptBin "secrets" + '' +#!/bin/bash +cd "$HOME/secrets" +git pull # repo is over LAN +stow */ # manage secrets with gnu stow +cd "$HOME" + '') ] else [ pfetch diff --git a/nix/modules/home/zsh.nix b/nix/modules/home/zsh.nix index 78f2cc6..6753547 100644 --- a/nix/modules/home/zsh.nix +++ b/nix/modules/home/zsh.nix @@ -21,6 +21,7 @@ }; shellAliases = { + clone-secrets = "git clone ssh://\"$1\"/home/preston/secrets \"$HOME/secrets\""; get-channel-id = "yt-dlp --print \"%(channel_id)s\" --playlist-end 1 \"$1\""; se = "sops edit"; f = "vim $(fzf)"; 
diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix index 6305bc5..5a74f6e 100644 --- a/nix/modules/impermanence.nix +++ b/nix/modules/impermanence.nix @@ -84,6 +84,7 @@ ".mozilla" ".bitmonero" ".config" + ".crypto" { directory = ".gnupg"; mode = "0700"; } { directory = ".ssh"; mode = "0700"; } { directory = ".local/share/keyrings"; mode = "0700"; } diff --git a/nix/systems/continuity/default.nix b/nix/systems/continuity/default.nix index 2520712..ca3b5bc 100644 --- a/nix/systems/continuity/default.nix +++ b/nix/systems/continuity/default.nix @@ -6,7 +6,10 @@ ]; config = { monorepo = { - profiles.impermanence.enable = true; + profiles = { + impermanence.enable = true; + secureBoot = true; + }; vars = { device = "/dev/sda"; fileSystem = "btrfs"; diff --git a/nix/systems/installer/default.nix b/nix/systems/installer/default.nix index 6b63984..0341b0d 100644 --- a/nix/systems/installer/default.nix +++ b/nix/systems/installer/default.nix @@ -50,10 +50,6 @@ if [ "$(id -u)" -eq 0 ]; then exit 1 fi -gum style --border normal --margin "1" --padding "1 2" "Notice: if using full disk encryption, write to /tmp/secret.key first with your password." - -sleep 3 - cd "$HOME" ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui
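Review bot: the three agenda.org hunks (the Supplements, Strength Training and Stretch habit entries with their SCHEDULED and LAST_REPEAT bumps) have nothing to do with the subject "add support for managing secrets with gnu stow" and should be split into their own commit; the secure boot enablement for the continuity host and the removal of the installer notice are likewise separate changes that the commit message does not mention.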
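Review bot: in the config/nix.org and nix/modules/impermanence.nix hunks, `".crypto"` is added to the persisted directories as a plain entry, while the neighbouring secret-holding directories use the restricted form `{ directory = ".gnupg"; mode = "0700"; }`. If `.crypto` is one of the targets the stow'd secrets repo symlinks into, give it the same treatment: `{ directory = ".crypto"; mode = "0700"; }`.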
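Review bot: the `clone-secrets` alias in the config/nix.org and nix/modules/home/zsh.nix shellAliases hunks will never see the host as `$1`: an alias is textual substitution, so `clone-secrets myhost` expands to `git clone ssh://""/home/preston/secrets "$HOME/secrets" myhost`, where `$1` is the interactive shell's own (empty) positional parameter and `myhost` is passed to git as an extra argument. Define it as a function instead, e.g. `clone-secrets() { git clone "ssh://$1/home/preston/secrets" "$HOME/secrets"; }`; the existing `get-channel-id` alias in the same block has the same problem.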
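Review bot: the `secrets` script in the config/nix.org and nix/modules/home/user.nix hunks does not stop when `cd "$HOME/secrets"` fails (for example on a freshly installed system before the repo has been cloned), so `git pull` and `stow */` then run in `$HOME`, and `stow */` would try to symlink every subdirectory of the home directory into its parent. Use `cd "$HOME/secrets" || exit 1` (or `set -euo pipefail` at the top), and consider `stow -v */` so the symlinks being written into `$HOME` are visible; the trailing `cd "$HOME"` is a no-op because a script's working directory does not affect the caller.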
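Review bot: `secureBoot = true;` in the config/nix.org and nix/systems/continuity/default.nix hunks sits beside `impermanence.enable = true;` with a different option shape; confirm that the monorepo module declares `profiles.secureBoot` as a bare boolean rather than `profiles.secureBoot.enable`, otherwise the flake fails to evaluate for this host.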
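Review bot: the config/nix.org and nix/systems/installer/default.nix hunks remove the `gum style ... "Notice: if using full disk encryption, write to /tmp/secret.key first with your password."` prompt and its `sleep 3`, but nothing else in the diff changes how the installer obtains the disk encryption key. If `/tmp/secret.key` is still consumed by a later step of the install, users choosing full disk encryption now get no hint that they must create it first; either keep the notice or state in the commit message why it is no longer needed.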