hektor/nix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: prevent 'opencode' from reading SSH private keys or 'sops' secret files

Browse Source
This commit is contained in:
Hektor Misplon
2026-03-13 20:27:08 +01:00
parent 804305abf9
commit b65735929c
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
home/modules/ai-tools/default.nix
View File

@@ -90,6 +90,17 @@ in
external_directory = {
"/run/secrets/" = "deny";
"~/.config/sops/age/keys.txt" = "deny";
"~/.ssh/id_rsa" = "deny";
"~/.ssh/id_ed25519" = "deny";
"~/.ssh/id_ecdsa" = "deny";
"~/.ssh/id_dsa" = "deny";
"/etc/ssh/ssh_host_rsa_key" = "deny";
"/etc/ssh/ssh_host_ed25519_key" = "deny";
"/etc/ssh/ssh_host_ecdsa_key" = "deny";
"/etc/ssh/ssh_host_dsa_key" = "deny";
};
command = {
sops = "deny";
};
};
plugin = [ "@mohak34/opencode-notifier@latest" ];