lnbits-sensei

aiolabs/lnbits-sensei

Archived

Fork 0

Commit graph

Author	SHA1	Message	Date
Padreug	773632562e	feat(dev-env): wire shared pre-commit secret scanner via core.hooksPath Ships `modules/dev-env/scripts/git-hooks/pre-commit` — the same secret-scanner pattern omnixy uses, lightly adapted (drops the omnixy-specific test_auth.py skip, generic header comment). New option `lnbits-sensei.devEnv.gitHooks.enable` (off by default). When on, modules/dev-env/config.nix installs the hook at `~/.local/share/lnbits-sensei/git-hooks/pre-commit` and sets the consumer's git `core.hooksPath` to that directory, so every repo on the machine picks it up without per-repo wiring. The hook refuses to commit obvious secrets (PRIVATE KEY blocks, `password=…`, `secret=…`, `api_key=…`, `admin_key=…`, AWS keys, non-placeholder POSTGRES_PASSWORD) and unencrypted sops files (checks for a top-level `sops:` block AND `mac: ENC[…]` — either signal alone is forgeable). False positives are handled via `# pragma: allowlist secret` line- or block-level markers (gitleaks convention). docs/secrets-management.md gets a new subsection covering what the hook does, when to enable it, and the false-positive escape hatches. The Pitfalls section's reference to "the pre-commit hook most consumers use" is replaced with a concrete pointer to this option. `nix flake check --no-build` stays green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-26 09:21:27 +02:00
Padreug	fc1d31244a	docs(secrets): add beginner walkthrough for sops-nix New docs/secrets-management.md walks through getting secrets out of .env and into sops-encrypted YAML, assuming zero familiarity with sops or age. Companion to the wiring landed in the prior commit. Sections: - Why bother — the .env failure modes (history leaks, plaintext on disk) and what sops/age fixes. - What's in the box — pointers to the existing scaffold (flake input, modules/secrets.nix, .sops.yaml, .gitignore guards), why it's inert until the first encrypted file lands. - Step-by-step — install tools, generate the age key (with a clear warning about back-ups + no recovery), paste the public key into .sops.yaml, create the first encrypted file via `sops`, declare secrets in NixOS, reference via config.sops.secrets.<name>.path, activate. - Common operations — edit / view / rotate / updatekeys. - Multi-host server deployment — per-host age keys at /var/lib/sops-nix/key.txt, path_regex-scoped recipients in .sops.yaml so each host only decrypts its own secrets. - Pitfalls — don't commit unencrypted YAML, don't lose the key, updatekeys ≠ rotation, sops -d outputs are sensitive, the pathExists gate fails-silently-on-delete trap. Linked from README "Further reading" with a one-liner noting the sops-nix wiring already ships with the scaffold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-26 08:47:19 +02:00

Author

SHA1

Message

Date

Padreug

773632562e

feat(dev-env): wire shared pre-commit secret scanner via core.hooksPath

Ships `modules/dev-env/scripts/git-hooks/pre-commit` — the same
secret-scanner pattern omnixy uses, lightly adapted (drops the
omnixy-specific test_auth.py skip, generic header comment).

New option `lnbits-sensei.devEnv.gitHooks.enable` (off by default).
When on, modules/dev-env/config.nix installs the hook at
`~/.local/share/lnbits-sensei/git-hooks/pre-commit` and sets the
consumer's git `core.hooksPath` to that directory, so every repo on
the machine picks it up without per-repo wiring.

The hook refuses to commit obvious secrets (PRIVATE KEY blocks,
`password=…`, `secret=…`, `api_key=…`, `admin_key=…`, AWS keys,
non-placeholder POSTGRES_PASSWORD) and unencrypted sops files
(checks for a top-level `sops:` block AND `mac: ENC[…]` — either
signal alone is forgeable). False positives are handled via
`# pragma: allowlist secret` line- or block-level markers (gitleaks
convention).

docs/secrets-management.md gets a new subsection covering what the
hook does, when to enable it, and the false-positive escape hatches.
The Pitfalls section's reference to "the pre-commit hook most
consumers use" is replaced with a concrete pointer to this option.

`nix flake check --no-build` stays green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 09:21:27 +02:00

Padreug

fc1d31244a

docs(secrets): add beginner walkthrough for sops-nix

New docs/secrets-management.md walks through getting secrets out of
.env and into sops-encrypted YAML, assuming zero familiarity with
sops or age. Companion to the wiring landed in the prior commit.

Sections:

- Why bother — the .env failure modes (history leaks, plaintext on
  disk) and what sops/age fixes.
- What's in the box — pointers to the existing scaffold (flake input,
  modules/secrets.nix, .sops.yaml, .gitignore guards), why it's inert
  until the first encrypted file lands.
- Step-by-step — install tools, generate the age key (with a clear
  warning about back-ups + no recovery), paste the public key into
  .sops.yaml, create the first encrypted file via `sops`, declare
  secrets in NixOS, reference via config.sops.secrets.<name>.path,
  activate.
- Common operations — edit / view / rotate / updatekeys.
- Multi-host server deployment — per-host age keys at
  /var/lib/sops-nix/key.txt, path_regex-scoped recipients in
  .sops.yaml so each host only decrypts its own secrets.
- Pitfalls — don't commit unencrypted YAML, don't lose the key,
  updatekeys ≠ rotation, sops -d outputs are sensitive, the
  pathExists gate fails-silently-on-delete trap.

Linked from README "Further reading" with a one-liner noting the
sops-nix wiring already ships with the scaffold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 08:47:19 +02:00

2 commits