My nixos system configuration
Be sure to enable the hooks with
git config --local core.hooksPath $(git rev-parse --show-toplevel)/hooks/
I protect some variables I want to keep private using a file that is not in this repo named secrets.nix
These two files help me avoid accidentally committing it, or any of its contents.
The hook is just a pair of simple checks: that you're not committing any files you shouldn't be, and that you're not committing any strings that are present in your secrets.nix file. The secrets_management.sh is a setup for preventing secrets.nix from appearing where it might get accidentally committed, while still working with the flake features that require all files to be added to the git repo index. --intent-to-add
and --assume-unchanged
let you have a file in the git index, while ensuring that git won't try to track its contents.
secret_management.sh
can be run as secret_management.sh set
, which adds secrets.nix
to the index withoug adding its contents, or secret_management.sh unset
which removes it from the index.
The hook is designed to be automatically run by git when you have core.hooksPath
configured, but also can be run as pre_commit all
in order to check every file in your git repo (except excluded ones like secrets.nix) for the forbidden strings.