Refactor secrets

.git-crypt/.gitattributes

@@ -1,3 +0,0 @@
-# Do not edit this file.  To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff

common/default.nix

@@ -4,8 +4,6 @@ with lib;
 
 {
 
-  imports = [ ./secret ];
-
   config = {
     m-0.monitoring = [{
       host = "apollo:9100";

common/secret/.gitattributes

@@ -1,2 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff

common/wireguard.nix

@@ -0,0 +1,7 @@
+{
+  port = 51318;
+  pub = {
+    hera = "npDW4BUiXcxPXQ/MObP6PlK8/PcMlz/Bwo5FlCCUx3E=";
+    apollo = "hYziEwk74g7v7GpIafLvC95dje2BI4saoEtJXXu2txs=";
+  };
+}

home-manager/roles/accounting.nix

@@ -1,4 +1,4 @@
 { pkgs, ... }: {
-  home.file.".config/jali/config.py".source = ../../common/secret/jaliconfig.py;
+  home.file.".config/jali/config.py".source = pkgs.privateFile "jaliconfig.py";
   home.packages = builtins.attrValues pkgs.accounting-pkgs;
 }

home-manager/roles/games.nix

@@ -48,7 +48,7 @@ in
   home.packages = builtins.attrValues {
     factorio = pkgs.factorio.override {
       username = "maralorn";
-      token = import ../../nixos/machines/apollo/secret/factory.nix;
+      token = pkgs.privateValue "" "factorio";
       experimental = true;
     };
     inherit (pkgs) steam minetest;

home-manager/roles/mail.nix

@@ -1,7 +1,10 @@
 { lib, config, pkgs, ... }:
 let
-  inherit (config.m-0.private) sendmail me;
-  inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications;
+  gpg = "6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9";
+  name = "Malte Brandy";
+  mail = "malte.brandy@maralorn.de";
+  alternates = pkgs.privateValue [] "mail/alternates";
+  lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";
   maildir = config.accounts.email.maildirBasePath;
   # mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort
   # To find candidates
@@ -114,7 +117,7 @@ in {
   };
   systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m";
 
-  accounts.email.accounts = config.m-0.private.mail_accounts;
+  accounts.email.accounts = pkgs.privateValue {} "mail/accounts";
   systemd.user.services = let
     mkService = name: account:
       let
@@ -180,7 +183,7 @@ in {
     packages = [ sortMail ];
     file = let
       mutt_alternates = "@maralorn.de "
-        + (builtins.concatStringsSep " " me.alternates);
+        + (builtins.concatStringsSep " " alternates);
       show-sidebar = pkgs.writeText "show-sidebar" ''
         set sidebar_visible=yes
         bind index <up> sidebar-prev
@@ -229,9 +232,9 @@ in {
         set pgp_replyencrypt = yes
         set crypt_replysignencrypted = yes
         set crypt_verify_sig = yes
-        set pgp_sign_as="${me.gpg}"
+        set pgp_sign_as="${gpg}"
         set pgp_use_gpg_agent = yes
-        set pgp_default_key="${me.gpg}"
+        set pgp_default_key="${gpg}"
         set timeout = 5
 
         set abort_noattach = ask-yes
@@ -244,7 +247,7 @@ in {
         set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from"
         set sort=threads
         set sort_aux=date-sent
-        set realname="${me.name}"
+        set realname="${name}"
         set from=fill-later
         set use_from=yes
         set fast_reply=yes
@@ -277,11 +280,11 @@ in {
         color sidebar_highlight white blue
         set sidebar_format = "%B%* %?N?%N/?%S"
 
-        alias f__0 ${me.name} <${me.mail}>
+        alias f__0 ${name} <${mail}>
         ${builtins.concatStringsSep "\n"
-        (lib.imap1 (n: x: "alias f__${toString n} ${me.name} <${x}>")
-          me.alternates)}
-        send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${me.mail}<enter>"
+        (lib.imap1 (n: x: "alias f__${toString n} ${name} <${x}>")
+          alternates)}
+        send2-hook '~f fill-later' "push <edit-from><kill-line>f__<complete><search>${mail}<enter>"
       '';
     };
   };

home-manager/roles/taskwarrior.nix

@@ -118,10 +118,10 @@
     dataLocation = "${config.home.homeDirectory}/.task";
     config = {
       taskd = {
-        certificate = builtins.toFile "public.cert" cfg.publicCert;
-        credentials = cfg.credentials;
-        ca = builtins.toFile "ca.cert" cfg.caCert;
-        key = builtins.toFile "private.key" cfg.privateKey;
+        certificate = pkgs.privatePath "taskwarrior/public.cert";
+        credentials = pkgs.privateValue "" "taskwarrior/credentials";
+        ca = pkgs.privatePath "taskwarrior/ca.cert";
+        key = pkgs.privatePath "taskwarrior/private.key";
         server = "hera.m-0.eu:53589";
       };
     };

home-manager/roles/weechat/default.nix

@@ -87,7 +87,7 @@ in {
             ${server}.autoconnect = on
             ${server}.username = "${serverConfig.user}"
             ${server}.password = "${serverConfig.password}"
-          '') weechatConfig.matrix)}
+          '') pkgs.privateValue { } "weechat/matrix")}
       '';
     };
     irc = {
@@ -107,7 +107,7 @@ in {
             ${server}.autoconnect = on
             ${server}.username = "${serverConfig.user}"
             ${server}.autojoin = "${serverConfig.channels}"
-          '') weechatConfig.irc)}
+          '') pkgs.privateValue { } "weechat/irc")}
       '';
     };
   };

home-manager/roles/zsh/zshrc

@@ -3,6 +3,7 @@ mkdir -p /var/run/user/$UID/tmp/downloads
 setopt prompt_subst
 autoload -U colors && colors # Enable colors in prompt
 
+alias nix-build-remote="nix-build --builders '@/etc/nix/machines' --max-jobs 0"
 alias cat=bat
 alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E'
 alias o=xdg-open

nixos/machines/apollo/configuration.nix

@@ -3,8 +3,8 @@
 # You need pw-files for every configured user in ./secret/pw-useralias for login to work.
 
 let
-  inherit (config.m-0) hosts prefix private;
-  inherit (private) me wireguard;
+  wireguard = import ../../../common/wireguard.nix;
+  inherit (config.m-0) hosts prefix;
   nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
   inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
 in {
@@ -12,7 +12,6 @@ in {
   imports = [
     "${nixos-hardware}/lenovo/thinkpad"
     "${nixos-hardware}/common/pc/ssd"
-    "${(builtins.fetchGit "ssh://git@git.darmstadt.ccc.de/cdark.net/nixdark")}"
     ./hardware-configuration.nix
     ../../roles
     ../../roles/fonts.nix
@@ -28,15 +27,15 @@ in {
       m0wire = {
         allowedIPsAsRoutes = false;
         ips = [ "${hosts.apollo-wg}/112" ];
-        privateKeyFile =
-          "/etc/nixos/nixos/machines/apollo/secret/wireguard-private";
+        privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
         peers = [{
           publicKey = wireguard.pub.hera;
           allowedIPs = [ "::/0" ];
-          endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
+          endpoint =
+            "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
           # If v6 is not available:
           # endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
-          presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
+          presharedKeyFile = pkgs.privatePath "wireguard/psk";
           persistentKeepalive = 25;
         }];
         postSetup =
@@ -80,9 +79,8 @@ in {
       openDefaultPorts = true;
       declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media"
         // {
-          cert = "/etc/nixos/nixos/machines/apollo/secret/syncthing/cert.pem";
-          key = "/etc/nixos/nixos/machines/apollo/secret/syncthing/key.pem";
-        };
+        cert = pkgs.privatePath "syncthing/apollo/cert.pem";
+        key = pkgs.privatePath "syncthing/apollo/key.pem";
     };
     gnome3.chrome-gnome-shell.enable = true;
     xserver = {
@@ -94,14 +92,14 @@ in {
   boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
 
   #cdark_net = {
-    #enable = true;
-    #hostName = "${me.user}_${config.networking.hostName}";
-    #ed25519PrivateKeyFile = /etc/nixos/nixos/machines
-      #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
-    #hostsDirectory =
-      #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
-    #ip6address = "fd23:42:cda:4342::2";
-    #ip4address = "172.20.71.2";
+  #enable = true;
+  #hostName = "${me.user}_${config.networking.hostName}";
+  #ed25519PrivateKeyFile = /etc/nixos/nixos/machines
+  #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
+  #hostsDirectory =
+  #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
+  #ip6address = "fd23:42:cda:4342::2";
+  #ip4address = "172.20.71.2";
   #};
   system.stateVersion = "19.09";
 }

nixos/machines/apollo/secret/.gitattributes

@@ -1,2 +0,0 @@
-* filter=git-crypt-apollo diff=git-crypt-apollo
-.gitattributes !filter !diff

nixos/machines/hera/boot.nix

@@ -1,6 +1,6 @@
-{ ... }: {
+{ pkgs, ... }: {
 
-  m-0.server.initSSHKey = "/etc/nixos/nixos/machines/hera/secret/ssh_boot_rsa";
+  m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
 
   boot = {
     loader.grub = {

nixos/machines/hera/cloud.nix

@@ -66,8 +66,11 @@ let
             dbname = "nextcloud";
             dbuser = "nextcloud";
             dbhost = "localhost";
-            inherit (cloud) adminpass dbpass adminuser;
-          };
+          } // pkgs.privateValue {
+            adminpass = "";
+            dbpass = "";
+            adminuser = "";
+          } "nextcloud-admin";
           autoUpdateApps = {
             enable = true;
             startAt = "20:30";

nixos/machines/hera/configuration.nix

@@ -55,41 +55,7 @@ in {
     startAt = "23:00";
   };
   services = {
-    borgbackup.jobs = let
-      passphrases = (import secret/secrets.nix).borgbackup;
-      defaultBackup = {
-        doInit = false;
-        compression = "zstd,5";
-        exclude = [ "/var/lib/containers/*/var/lib/nextcloud/data/appdata_*" ];
-        paths = [
-          "/media"
-          "/var/lib/containers/mail/var/vmail"
-          "/var/lib/containers/chor-cloud/var/lib/nextcloud/data"
-          "/var/lib/containers/cloud/var/lib/nextcloud/data"
-          "/var/lib/matrix-synapse"
-          "/var/lib/db-backup-dumps/cur"
-          "/var/lib/gitolite"
-          "/var/lib/taskserver"
-        ];
-      };
-    in {
-      fb04217 = defaultBackup // {
-        encryption = {
-          mode = "keyfile-blake2";
-          passphrase = passphrases.fb04217;
-        };
-        extraArgs = "--remote-path=bin/borg";
-        repo =
-          "brandy@fb04217.mathematik.tu-darmstadt.de:/media/maralorn-backup/hera-borg-repo";
-      };
-      cysec = defaultBackup // {
-        encryption = {
-          mode = "keyfile-blake2";
-          passphrase = passphrases.cysec;
-        };
-        repo = "maralorn@borg.cysec.de:/srv/cube/maralorn/hera-borg-repo";
-      };
-    };
+    borgbackup.jobs = pkgs.privateValue {} "borgbackup";
     taskserver = {
       enable = true;
       fqdn = "hera.m-0.eu";
@@ -102,8 +68,8 @@ in {
       user = "maralorn";
       openDefaultPorts = true;
       declarative = syncthing.declarativeWith [ "apollo" ] "/media" // {
-        cert = "/etc/nixos/nixos/machines/hera/secret/syncthing/cert.pem";
-        key = "/etc/nixos/nixos/machines/hera/secret/syncthing/key.pem";
+        cert = pkgs.privatePath "syncthing/hera/cert.pem";
+        key = pkgs.privatePath "syncthing/hera/key.pem";
       };
     };
   };
@@ -116,7 +82,7 @@ in {
     isNormalUser = true;
     uid = 1001;
     extraGroups = [ "wheel" "systemd-journal" ];
-    passwordFile = "/etc/nixos/nixos/machines/hera/secret/pw-choreutes";
+    passwordFile = pkgs.privatePath "pam-login-password-choreutes";
   };
 
   # This value determines the NixOS release with which your system is to be

nixos/machines/hera/mail.nix

@@ -80,11 +80,8 @@ in {
         postfix = {
           networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ];
           transport = "email2matrix.maralorn.de smtp:[::1]:2525";
-          virtual = attrsToAliasList (config.m-0.private.lists // {
-            "weather-channel@maralorn.de" = "weather@email2matrix.maralorn.de";
-            "subjects-channel@maralorn.de" =
-              "subjects@email2matrix.maralorn.de";
-            "notify-channel@maralorn.de" = "notify@email2matrix.maralorn.de";
+          virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists"
+          // {
           });
         };
         opendkim.keyPath = "/var/dkim";
@@ -94,7 +91,7 @@ in {
         enableImapSsl = true;
         fqdn = "hera.m-0.eu";
         domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ];
-        loginAccounts = config.m-0.private.mailUsers;
+        loginAccounts = pkgs.privateValue {} "mail-users";
         hierarchySeparator = "/";
         certificateScheme = 1;
         certificateFile = "${certPath}/fullchain.pem";

nixos/machines/hera/network.nix

@@ -1,7 +1,7 @@
 { pkgs, config, ... }:
 let
+  wireguard = import ../../../common/wireguard.nix;
   inherit (config.m-0) hosts;
-  inherit (config.m-0.private) wireguard;
 in {
   networking = {
     hostName = "hera";
@@ -54,15 +54,16 @@ in {
     nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];
     firewall.allowedTCPPorts = [ 8666 ];
     firewall.allowedUDPPorts = [ wireguard.port ];
-    wireguard.interfaces = {
+    wireguard.interfaces = let
+      {
       m0wire = {
         ips = [ "${hosts.hera-wg}/112" ];
-        privateKeyFile = "/etc/nixos/nixos/machines/hera/secret/wireguard-private";
+        privateKeyFile = pkgs.privatePath "wireguard/hera-private";
         listenPort = wireguard.port;
         peers = [{
           publicKey = wireguard.pub.apollo;
           allowedIPs = [ "${hosts.apollo-wg}/128" ];
-          presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
+          presharedKeyFile = pkgs.privatePath "wireguard-psk";
         }];
       };
     };

nixos/machines/hera/secret/.gitattributes

@@ -1,2 +0,0 @@
-* filter=git-crypt-hera diff=git-crypt-hera
-.gitattributes !filter !diff

nixos/machines/hera/web.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
   locations = {
     "/" = {
@@ -18,7 +18,7 @@ in {
     nginx = {
       enable = true;
       virtualHosts."tasks.maralorn.de" = {
-        basicAuth.kassandra = (import secret/kassandra.nix).password;
+        basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
         forceSSL = true;
         enableACME = true;
         locations = {

nixos/roles/default.nix

@@ -1,11 +1,5 @@
-{ pkgs, config, lib, ... }:
-let me = config.m-0.private.me;
-in {
-  imports = [
-    ../../common
-    ./modules/laptop.nix
-    ./modules/loginctl-linger.nix
-  ];
+{ pkgs, config, lib, ... }: {
+  imports = [ ../../common ./modules/laptop.nix ./modules/loginctl-linger.nix ];
 
   i18n = { defaultLocale = "en_US.UTF-8"; };
 
@@ -27,10 +21,7 @@ in {
     acceptTerms = true;
   };
 
-  users = {
-    mutableUsers = false;
-    users.root.openssh.authorizedKeys = { inherit (me) keys; };
-  };
+  users.mutableUsers = false;
 
   environment = {
     etc = lib.mapAttrs'
@@ -43,15 +34,22 @@ in {
       (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
   };
 
+  system.activationScripts =
+    lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };
+
   nix = {
     binaryCaches =
       [ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ];
     binaryCachePublicKeys =
       [ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
     nixPath = [ "/etc/nix-path" ];
+    trustedUsers = [ "maralorn" ];
+    buildMachines = pkgs.privateValue [ ] "remote-builders";
     extraOptions = ''
       fallback = true
       keep-outputs = true
+      auto-optimise-store = true
+      builders-use-substitutes = true
     '';
   };
 

nixos/roles/git.nix

@@ -54,7 +54,7 @@ in {
   services.gitolite = {
     enable = true;
     user = "git";
-    adminPubkey = builtins.elemAt me.keys 0;
+    adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;
     commonHooks = [ "${post-update}/bin/post-update" ];
   };
 }

nixos/roles/mathechor.de.nix

@@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }:
-let inherit (config.m-0.private) mathechor-pw me;
-in {
+{
   services = {
     nginx = {
       enable = true;
@@ -20,15 +19,14 @@ in {
       virtualHosts."intern.mathechor.de" = {
         forceSSL = true;
         enableACME = true;
-        basicAuth.mathechor = mathechor-pw;
+        basicAuthFile = pkgs.privatePath "basic-auth/mathechor.de";
         locations = {
           "/" = {
             root = "/var/www/mathechor/intern";
             index = "index.html";
           };
           "/mathechor.ics" = {
-            proxyPass =
-              "https://cloud.mathechor.de/remote.php/dav/public-calendars/nebsfFTzQKGSSsDc?export";
+            proxyPass = pkgs.privateValue "" "mathechor-ics";
             extraConfig = ''
               proxy_ssl_name cloud.mathechor.de;
               proxy_ssl_server_name on;

nixos/roles/matrix-synapse.nix

@@ -19,11 +19,8 @@ in {
             return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }";
           '';
         };
-        extraConfig = "
-          add_header 'Access-Control-Allow-Origin' '*';
-          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
-          add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
-        ";
+        extraConfig =
+          "\n          add_header 'Access-Control-Allow-Origin' '*';\n          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';\n          add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';\n        ";
       };
       virtualHosts."${hostName}" = {
         forceSSL = true;
@@ -41,7 +38,13 @@ in {
     postgresql.enable = true;
 
     # Synapse
-    matrix-synapse = {
+    matrix-synapse = let
+      server-secrets = pkgs.privateValue {
+        registration_shared_secret = "";
+        macaroon_secret_key = "";
+        turn_shared_secret = "";
+      } "matrix/server-secrets";
+    in server-secrets // {
       enable = true;
       package = pkgs.matrix-synapse;
       enable_metrics = true;
@@ -51,11 +54,7 @@ in {
       database_type = "psycopg2";
       max_upload_size = "30M";
       dynamic_thumbnails = true;
-      registration_shared_secret =
-        config.m-0.private.matrix_registration_secret;
-      macaroon_secret_key = config.m-0.private.macaroon_secret;
       turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
-      turn_shared_secret = config.m-0.private.turn_secret;
       turn_user_lifetime = "5h";
       allow_guest_access = true;
       logConfig = ''

nixos/roles/modules/laptop.nix

@@ -32,6 +32,7 @@ in {
     };
     programs.dconf.enable = true;
 
+    virtualisation.docker.enable = true;
     services = {
       upower.enable = true;
       printing = {

nixos/roles/monitoring/alertmanager.nix

@@ -12,7 +12,7 @@
             smtp_smarthost = "hera.m-0.eu:587";
             smtp_from = "alertmanager@m-0.eu";
             smtp_auth_username = "alertmanager@m-0.eu";
-            smtp_auth_password = config.m-0.private.alertmanager-mail-pw;
+            smtp_auth_password = pkgs.privateValue "" "alertmanager/mail-pw";
           };
           route = {
             group_by = [ "alert_type" ];

nixos/roles/monitoring/default.nix

@@ -1,6 +1,5 @@
 { config, ... }:
 let
-  inherit (config.m-0.private) monitoring-guest-pw monitoring-pw;
   commonOptions = {
     enableACME = true;
     forceSSL = true;
@@ -9,10 +8,7 @@ let
       allow ${config.m-0.prefix}::/64;
       deny all;
     '';
-    basicAuth = {
-      guest = monitoring-guest-pw;
-      maralorn = monitoring-pw;
-    };
+    basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
   };
 in {
   imports = [

nixos/roles/standalone/admin.nix

@@ -1,18 +1,18 @@
-{ config, lib, ... }:
-with lib;
-let me = config.m-0.private.me;
+{ config, pkgs, lib, ... }:
+let
+  passwordFile = pkgs.privatePath "pam-login-password";
+  openssh.authorizedKeys.keys = pkgs.privateValue [ ] "ssh-keys";
 in {
   users.users = {
-    "${me.user}" = {
+    maralorn = {
       linger = true;
-      description = me.name;
+      description = "maralorn";
       isNormalUser = true;
       uid = 1000;
       extraGroups =
         [ "wheel" "systemd-journal" "networkmanager" "docker" "video" ];
-      openssh.authorizedKeys.keys = me.keys;
-      passwordFile = me.pw-file;
+      inherit openssh passwordFile;
     };
-    root = { passwordFile = me.pw-file; };
+    root = { inherit openssh passwordFile; };
   };
 }

overlays/private.nix

@@ -0,0 +1,16 @@
+final: prec: {
+  withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out;
+  in builtins.trace
+  (if val then "Building _with_ secrets!" else "Building _without_ secrets!")
+  val;
+  privatePath = name:
+    let path = "/etc/nixos/private/${name}";
+    in if final.withSecrets then
+      assert builtins.pathExists path; path
+    else
+      path;
+  privateValue = default: name:
+    if final.withSecrets then import (../private + "/${name}.nix") else default;
+  privateFile = name:
+    if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" "";
+}

overlays/testing.nix

@@ -5,7 +5,6 @@ let
   configPath = "/etc/nixos";
   systems = [ "apollo" "hera" ];
   homes = self.lib.attrNames (import ../home-manager/machines.nix);
-  keys = [ "default" "apollo" "hera" ];
   imports = [ "Control.Exception (onException)" ];
   haskellBody = name: commandline: ''
     main = do
@@ -55,9 +54,6 @@ in {
       bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs
       bracket checkout (rm "-rf") $ \repoDir -> do
         withCurrentDirectory repoDir $ do
-          mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${
-            self.haskellList keys
-          }
           when bump $ ignoreFailure $ niv "update"
         changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim)
         when changed $ do