add support for managing secrets with gnu stow

diff --git a/agenda.org b/agenda.org
index a584af11ede402046e702350b9908d7b8b949cdf..5a6b26b9e1012b3cb6f1eb88f864e76b5e0bd04c 100644 (file)
--- a/agenda.org
+++ b/agenda.org
@@ -76,11 +76,12 @@ something.
 These are some habits I want to track. They are repeated according to a calendar schedule in
 general.
 ** TODO Supplements
-SCHEDULED: <2025-09-18 Thu .+1d>
+SCHEDULED: <2025-09-22 Mon .+1d>
 :PROPERTIES:
-:LAST_REPEAT: [2025-09-17 Wed 03:40]
+:LAST_REPEAT: [2025-09-21 Sun 06:57]
 :STYLE: habit
 :END:
+- State "DONE"       from "TODO"       [2025-09-21 Sun 06:57]
 - State "DONE"       from "TODO"       [2025-09-17 Wed 03:40]
 - State "DONE"       from "TODO"       [2025-09-16 Tue 03:13]
 - State "DONE"       from "TODO"       [2025-09-14 Sun 18:33]
@@ -104,11 +105,12 @@ Current stack:
 - EPA/DHA
 - Creatine Monohydrate
 ** TODO Strength Training
-SCHEDULED: <2025-09-18 Thu .+1d>
+SCHEDULED: <2025-09-22 Mon .+1d>
 :PROPERTIES:
-:LAST_REPEAT: [2025-09-17 Wed 03:40]
+:LAST_REPEAT: [2025-09-21 Sun 06:57]
 :STYLE: habit
 :END:
+- State "DONE"       from "TODO"       [2025-09-21 Sun 06:57]
 - State "DONE"       from "TODO"       [2025-09-17 Wed 03:40]
 - State "DONE"       from "TODO"       [2025-09-14 Sun 02:26]
 - State "DONE"       from "TODO"       [2025-09-10 Wed 03:23]
@@ -128,11 +130,12 @@ SCHEDULED: <2025-08-26 Tue .+1d>
 - State "DONE"       from "TODO"       [2025-06-26 Thu 23:22]
 I want to be able to run or bike every day so that I get my exercise in.
 ** TODO Stretch
-SCHEDULED: <2025-09-18 Thu .+1d>
+SCHEDULED: <2025-09-22 Mon .+1d>
 :PROPERTIES:
-:LAST_REPEAT: [2025-09-17 Wed 03:40]
+:LAST_REPEAT: [2025-09-21 Sun 06:57]
 :STYLE: habit
 :END:
+- State "DONE"       from "TODO"       [2025-09-21 Sun 06:57]
 - State "DONE"       from "TODO"       [2025-09-17 Wed 03:40]
 - State "DONE"       from "TODO"       [2025-09-16 Tue 03:14]
 - State "DONE"       from "TODO"       [2025-09-14 Sun 02:20]

diff --git a/config/nix.org b/config/nix.org
index da30b916652c11ad0d63db99aff7f1a7b3010a31..940c98f607b7507e9b66f0f97175eff1335b1048 100644 (file)
--- a/config/nix.org
+++ b/config/nix.org
@@ -1247,6 +1247,7 @@ This is my impermanence profile, which removes all files on reboot except for th
           ".mozilla"
           ".bitmonero"
           ".config"
+          ".crypto"
           { directory = ".gnupg"; mode = "0700"; }
           { directory = ".ssh"; mode = "0700"; }
           { directory = ".local/share/keyrings"; mode = "0700"; }
@@ -3509,6 +3510,7 @@ standard.
       };
 
       shellAliases = {
+        clone-secrets = "git clone ssh://\"$1\"/home/preston/secrets \"$HOME/secrets\"";
         get-channel-id = "yt-dlp --print \"%(channel_id)s\" --playlist-end 1 \"$1\"";
         se = "sops edit";
         f = "vim $(fzf)";
@@ -3616,7 +3618,8 @@ for these configurations.
         torsocks tor-browser
 
         # For transfering secrets onto new system
-        magic-wormhole
+        magic-wormhole stow
+
         # fonts
         nerd-fonts.iosevka noto-fonts noto-fonts-cjk-sans noto-fonts-emoji fira-code font-awesome_6 victor-mono
         (aspellWithDicts
@@ -3679,6 +3682,14 @@ for these configurations.
   #!/bin/bash
   nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config $HOME/monorepo/nix/systems/spontaneity/hardware-configuration.nix --flake $HOME/monorepo/nix#spontaneity --target-host "$1"
           '')
+        (writeShellScriptBin "secrets"
+          ''
+  #!/bin/bash
+  cd "$HOME/secrets"
+  git pull # repo is over LAN
+  stow */ # manage secrets with gnu stow
+  cd "$HOME"
+          '')
       ] else [
         pfetch
 
@@ -3763,7 +3774,10 @@ This is pretty understandable, if you understand all the above.
     ];
     config = {
       monorepo = {
-        profiles.impermanence.enable = true;
+        profiles = {
+          impermanence.enable = true;
+          secureBoot = true;
+        };
         vars = {
           device = "/dev/sda";
           fileSystem = "btrfs";
@@ -3976,10 +3990,6 @@ This contains the installation script I use to install my systems.
     exit 1
   fi
 
-  gum style --border normal --margin "1" --padding "1 2" "Notice: if using full disk encryption, write to /tmp/secret.key first with your password."
-
-  sleep 3
-
   cd "$HOME"
 
   ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui

diff --git a/nix/modules/home/user.nix b/nix/modules/home/user.nix
index 6602232de3defc699e6ef3a4716f14d7592874f9..59a11bf5160299132a4d3ae4183eb05f58712678 100644 (file)
--- a/nix/modules/home/user.nix
+++ b/nix/modules/home/user.nix
@@ -53,7 +53,8 @@
       torsocks tor-browser
 
       # For transfering secrets onto new system
-      magic-wormhole
+      magic-wormhole stow
+
       # fonts
       nerd-fonts.iosevka noto-fonts noto-fonts-cjk-sans noto-fonts-emoji fira-code font-awesome_6 victor-mono
       (aspellWithDicts
@@ -116,6 +117,14 @@ nixos-rebuild --sudo --ask-sudo-password --target-host "$1" switch --flake $HOME
 #!/bin/bash
 nix run github:nix-community/nixos-anywhere -- --generate-hardware-config nixos-generate-config $HOME/monorepo/nix/systems/spontaneity/hardware-configuration.nix --flake $HOME/monorepo/nix#spontaneity --target-host "$1"
         '')
+      (writeShellScriptBin "secrets"
+        ''
+#!/bin/bash
+cd "$HOME/secrets"
+git pull # repo is over LAN
+stow */ # manage secrets with gnu stow
+cd "$HOME"
+        '')
     ] else [
       pfetch
 

diff --git a/nix/modules/home/zsh.nix b/nix/modules/home/zsh.nix
index 78f2cc66e0c6b5a7a8230f03e9108489cf65bfb6..6753547d01bf5de43c94089c5327b1ced793382d 100644 (file)
--- a/nix/modules/home/zsh.nix
+++ b/nix/modules/home/zsh.nix
@@ -21,6 +21,7 @@
     };
 
     shellAliases = {
+      clone-secrets = "git clone ssh://\"$1\"/home/preston/secrets \"$HOME/secrets\"";
       get-channel-id = "yt-dlp --print \"%(channel_id)s\" --playlist-end 1 \"$1\"";
       se = "sops edit";
       f = "vim $(fzf)";

diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix
index 6305bc538cc7cdacc62eea7c324fb17856235f8a..5a74f6e6c7aa7bfc9ea157117ccf7fb7f64f8380 100644 (file)
--- a/nix/modules/impermanence.nix
+++ b/nix/modules/impermanence.nix
@@ -84,6 +84,7 @@
         ".mozilla"
         ".bitmonero"
         ".config"
+        ".crypto"
         { directory = ".gnupg"; mode = "0700"; }
         { directory = ".ssh"; mode = "0700"; }
         { directory = ".local/share/keyrings"; mode = "0700"; }

diff --git a/nix/systems/continuity/default.nix b/nix/systems/continuity/default.nix
index 2520712a474e026c587a21bfe27657614bc8dc6b..ca3b5bce0d090661ffbe4648ab40915968bf1f7c 100644 (file)
--- a/nix/systems/continuity/default.nix
+++ b/nix/systems/continuity/default.nix
@@ -6,7 +6,10 @@
   ];
   config = {
     monorepo = {
-      profiles.impermanence.enable = true;
+      profiles = {
+        impermanence.enable = true;
+        secureBoot = true;
+      };
       vars = {
         device = "/dev/sda";
         fileSystem = "btrfs";

diff --git a/nix/systems/installer/default.nix b/nix/systems/installer/default.nix
index 6b63984829e795d3c0db35bacf20691938ed31f8..0341b0d120849e4c3a13907c3b246125d933769e 100644 (file)
--- a/nix/systems/installer/default.nix
+++ b/nix/systems/installer/default.nix
@@ -50,10 +50,6 @@ if [ "$(id -u)" -eq 0 ]; then
   exit 1
 fi
 
-gum style --border normal --margin "1" --padding "1 2" "Notice: if using full disk encryption, write to /tmp/secret.key first with your password."
-
-sleep 3
-
 cd "$HOME"
 
 ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui