Commit graph

4 commits

Author SHA1 Message Date
7af3bce544 feat(secrets): scaffold sops-nix for declarative secrets
Wires sops-nix as a flake input and bakes the NixOS module into
configuration.nix via modules/secrets.nix. Per-host defaults live in
modules/secrets.nix:

- defaultSopsFile = ../secrets/${settings.hostName}.yaml
- defaultSopsFormat = yaml
- age.keyFile = /home/${settings.user}/.config/sops/age/keys.txt

The whole sops block is gated on `builtins.pathExists` so flake eval
succeeds before the encrypted file is created — important during the
scaffold-bootstrap phase where the consumer hasn't yet generated an
age key.

Adds .sops.yaml with a placeholder admin recipient (overwrite with
your real age public key before encrypting anything) and a
creation_rules block matching `secrets/*.yaml`.

.gitignore loosened so `secrets/*.yaml` and `secrets/README.md` can
be checked in while plaintext key material (`*.key`, `*.pem`) and
anything else under `secrets/` stays ignored. The pre-commit secret
scanner most consumers use is the second line of defense.

secrets/README.md documents the workflow at the directory level.
The substantive beginner walkthrough lands in a follow-up commit at
docs/secrets-management.md.

`nix flake check --no-build` stays green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 08:44:55 +02:00

45c44f550e chore: get nix flake check evaluation green
Three blockers off the path so the skeleton evaluates cleanly:

1. flake.lock generated (no inputs were pinned before).
2. hardware-configuration.nix shipped as a placeholder — unbootable
   /dev/null root + grub on nodev — so `system.build.toplevel` resolves
   without complaining about missing fileSystems / boot.loader. The
   file carries a big "overwrite with nixos-generate-config" warning;
   the consumer regenerates it before any real switch.
3. Primary user + group declared in configuration.nix (was tripping
   the assertion about implicit nogroup defaults and isNormalUser
   missing).

Also: `home.homeDirectory` now uses `lib.mkForce` to override
home-manager's nixos-module default of /var/empty, and the deprecated
`programs.git.user{Name,Email}` options migrated to the new
`programs.git.settings.user.{name,email}` shape.

`nix flake check --no-build` now finishes with `all checks passed!`
and no warnings, giving every subsequent change a cheap signal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 15:12:11 +02:00

94a7c5f97c refactor: collapse fakewallet/regtest wrappers into single dev CLI
Replaces the two parallel scripts (fakewallet.sh, regtest.sh) with one
modules/dev-env/scripts/dev.sh — `dev up [--fakewallet|--regtest]`,
plus `down|logs|shell`. Default mode is fakewallet (no docker, no
chains, instant), matching what the prior scaffold did with two scripts
but giving consumers one command and one verb-set to learn.

Drops the now-redundant `lnbits.backend` enum and `features.fakewallet`
option from core.nix. Backend selection is the dev CLI's runtime
concern; a NixOS-level option would be a second knob that can disagree
with the CLI flag at runtime. `lnbits.{host,port}` stay (bind addr,
useful to docs and any later service path). `features.regtest` stays
(gates docker engine installation — consumers who'll never use the
regtest mode shouldn't pay for the container engine).

Strips modules/lnbits.nix entirely. The dev CLI runs lnbits ad-hoc; if
a NixOS-managed lnbits service becomes a real ask later, re-add a
focused module then.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 12:56:05 +02:00

3f528623b3 chore: scaffold flake + settings + entry-point quartet
Single-source-of-truth pattern: settings.nix threads identity, host,
and remote topology into every module via specialArgs. configuration.nix
and home.nix stay thin import-lists so module composition is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 22:25:52 +02:00