This file provides security and development guidance for the nixpkgs-config project.
THIS IS A PUBLIC REPOSITORY - All content is visible to the world on GitHub.
- API keys, tokens, or secrets of any kind
- Passwords or private keys
- Personal email addresses or sensitive personal information
- Private file paths that reveal system structure
- SSH keys or certificates
- Company-specific configuration that shouldn't be public
- General nix configuration patterns
- Application preferences and keybindings
- Development environment setups
- Public package configurations
- Non-sensitive system preferences
- ✅ GOOD:
passwordeval "pass Migrate/math.nagoya-u.ac.jp"(references password manager) - ❌ BAD:
password = "actual-password-here" - ✅ GOOD:
passwordCommand = "security find-generic-password -s myservice" - ❌ BAD: Any hardcoded credentials
- ✅ GOOD:
~/Documents/notesor${config.home.homeDirectory}/notes ⚠️ NEUTRAL:/Users/username/specific-path(acceptable but not ideal)- ❌ BAD: Paths that reveal sensitive company or personal information
⚠️ ACCEPTABLE: Git configuration emails (required for git to function)⚠️ ACCEPTABLE: Mail client configuration for personal use- ❌ BAD: Corporate/work email addresses that shouldn't be public
- 💡 TIP: Consider using environment variables for sensitive email configs
- ✅ GOOD: Reference external secret management tools
- ✅ GOOD: Use environment variables for sensitive data
- ✅ GOOD: Use nix's
lib.mkIffor conditional inclusion - ❌ BAD: Inline secrets or credentials
Before committing ANY changes:
-
Secret Scan: Search for common secret patterns
rg -i "password|secret|key|token|api" --type nix -
Personal Info Check: Look for personal email addresses, private paths
rg "@.*\.(com|org|net)" --type nix -
Review Diff: Always review
git diffbefore committing -
Test Configuration: Ensure nix configurations build without secrets
nix build --dry-run
- Store secrets in macOS Keychain, pass, or similar tools
- Reference secrets via command execution (
passwordeval,passwordCommand) - Use environment variables for CI/CD systems
- Document secret requirements in README without exposing values
- Keep public configurations in this repo
- Store sensitive overrides in local files (gitignored)
- Use nix's import system for optional local configurations
- DO NOT just delete the file and commit - secrets remain in git history
- IMMEDIATELY rotate any exposed credentials
- CONTACT repository owner for history rewriting
- CONSIDER using tools like
git-filter-repoto remove from history - AUDIT all related systems for potential compromise
*.nix- All nix configuration files*.json- Application configurations*.conf- Configuration files*.plist- macOS preference files- Any dotfiles or configuration templates
- docs/agents/index.md
Remember: When in doubt, DON'T commit. Ask for review if unsure about content safety.