phase 5: git-crypt re-init + re-encrypt secrets/ under new unified key
- .gitattributes declares secrets/** covered by git-crypt filter
- New symmetric key at $HOME/.nixos-git-crypt.key (chmod 400, not committed)
- All 36 files under secrets/ re-encrypted via the clean filter on 'git add':
  - 5 files in secrets/desktop/ (wifi, secureboot, disk pw, cache netrc, hash)
  - 3 files in secrets/home/ (hm api keys + steam id)
  - 26 files in secrets/server/ (.age + .nix + .tar + livekit_keys)
  - 2 files in secrets/usb-secrets/ (agenix identity)

'git-crypt status' confirms 36 encrypted, 150 non-encrypted.

Old git-crypt keys from the two subtree-merged repos are in the historical subtree commits (pre-Phase 2). To decrypt pre-unify history one still needs the old GPG-encrypted keys, which survive at: ~/nixos-migration-aux-*.tar.gz
1
.gitattributes
vendored
Normal file
@@ -0,0 +1 @@
|
||||
secrets/** filter=git-crypt diff=git-crypt
|
||||
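Review bot: The single pattern `secrets/** filter=git-crypt diff=git-crypt` carries no exclusion for attribute files, so a `.gitattributes` later placed anywhere under secrets/ would itself pass through the git-crypt filter and be committed encrypted, which git-crypt's documentation warns against because Git then cannot read it. Suggest following the rule with `secrets/**/.gitattributes !filter !diff`. The file also has no comment line; a short `#` line above the pattern saying that everything under secrets/ is encrypted on `git add` and that files staged before the rule existed must be re-added would help the next person who edits it.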