Is this possible in a nixos-config?
Is there a way to store the submodule directory inside the /nix/store but not in the git history?
Would there be a better way to achieve this behavior?
The main reason I don't just encrypt everything with sops is the following Harvest-Now-Decrypt-Later threat model.
Only if you don’t use a git repository. You could e.g. use the path: prefix when evaluating your flake to ignore git.
Don’t use a submodule, use a separate flake which you just add to your inputs.
From the sops-nix readme:
# This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e.
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
So… Just use sops-nix and don’t include the secrets file in your git repo.
Your current approach is almost certainly vulnerable to much more realistic attacks than someone breaking encryption and specifically stealing your secrets, which should realistically have been rotated by then.
Unfortunately, I can't encrypt/decrypt every file in my config using sops.
E.g. I would like to encrypt my bookmarks.json file for my browser.nix via sops.
Is there a good-practice approach to achieve this rather than storing the bookmarks.json outside the nixos-config and using an absolute path to reference it?
Right, for things that are not secrets, create a second flake and use the flake inputs to import it. Then you can publish the rest of your repository however you like.
FWIW, you can also just not publish your repository in public if you’re worried about this kind of thing, then you can stop worrying altogether.
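To make the two suggestions above concrete (a separate private flake input for non-secret private files, and a string path for the sops file so it stays out of /nix/store), here is a flake.nix for the public repository. This is an added example, not code from the thread or from sops-nix; the host name "desktop", the private repository URL, the secret name and the key file location are assumptions.

```nix
# flake.nix of the PUBLIC config repository (added example, not from the thread).
# Assumed names: host "desktop", the private repo URL, the secret "wifi-password".
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";

    # Private-but-not-secret files (bookmarks.json etc.) live in a separate,
    # private repository and are pulled in as a flake input. They end up in
    # /nix/store on this machine, but never in the public repo's history.
    private = {
      url = "git+ssh://git@example.com/me/nixos-private.git"; # assumed URL
      flake = false; # plain file tree; the private repo needs no flake.nix
    };
  };

  outputs = { self, nixpkgs, sops-nix, private, ... }: {
    nixosConfigurations.desktop = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        sops-nix.nixosModules.sops
        ({ config, ... }: {
          # Real secrets: a STRING path (not a Nix path literal such as
          # ./secrets.yaml), so the sops file is read from the filesystem at
          # activation time and is not copied into /nix/store.
          sops.defaultSopsFile = "/root/.sops/secrets/desktop.yaml";
          # The file is not available inside the build sandbox, so the
          # evaluation-time validation of the sops file has to be disabled.
          sops.validateSopsFiles = false;
          sops.age.keyFile = "/var/lib/sops-nix/key.txt";
          sops.secrets."wifi-password" = { };

          # Private, non-secret file referenced from the private input:
          # "${private}" expands to the store path of that input.
          environment.etc."browser/bookmarks.json".source =
            "${private}/bookmarks.json";
        })
      ];
    };
  };
}
```

Build with `nixos-rebuild switch --flake .#desktop`; if the public repo is a git checkout and you want untracked files to be seen as well, use `--flake path:.#desktop`, which makes Nix treat the directory as a plain path and ignore git. The private input is pinned in flake.lock and fetched over SSH at evaluation time, so the key used for that fetch has to be available on the building machine. Note that everything in /nix/store is world-readable on the host, so only genuinely non-secret private data belongs in the private input; anything that is actually a secret stays in the sops file.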
Yes, I thought about publishing my whole config with just private read access.
But on the other hand, I also want to share the 98% of non-private stuff with the community.
This is also the point of this post. My idea was to extract every private piece of information into the submodule-private repo and store it separately in a private repository. The rest should have been uploaded to a public repository online. And from there, I struggled with the subject of the absolute/relative path.