fix: update secrets approach to match 'nix-secrets'
This commit is contained in:
@@ -1,7 +1,9 @@
|
||||
{
|
||||
lib,
|
||||
inputs,
|
||||
pkgs,
|
||||
config,
|
||||
myUtils,
|
||||
...
|
||||
}:
|
||||
|
||||
@@ -9,13 +11,7 @@ let
|
||||
cfg = config.secrets;
|
||||
inherit (cfg) sopsDir;
|
||||
owner = config.users.users.${cfg.username}.name;
|
||||
|
||||
mkSecret = name: {
|
||||
${name} = {
|
||||
sopsFile = "${sopsDir}/${name}";
|
||||
inherit owner;
|
||||
};
|
||||
};
|
||||
mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
|
||||
in
|
||||
{
|
||||
imports = [ inputs.sops-nix.nixosModules.sops ];
|
||||
@@ -38,69 +34,42 @@ in
|
||||
default = "${config.host.name}-nix-signing-key";
|
||||
};
|
||||
};
|
||||
|
||||
yubikey = {
|
||||
enable = lib.mkEnableOption "set up Yubikey";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
sops = {
|
||||
# for yubikey, generate as follows:
|
||||
# ```
|
||||
# age-plugin-yubikey --identity > <keyfile-path>
|
||||
# ```
|
||||
age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
|
||||
|
||||
secrets = lib.mkMerge [
|
||||
(mkSecret "taskwarrior-sync-server-url")
|
||||
(mkSecret "taskwarrior-sync-server-client-id")
|
||||
(mkSecret "taskwarrior-sync-encryption-secret")
|
||||
(mkSecret "anki-sync-user")
|
||||
(mkSecret "anki-sync-key")
|
||||
(mkSecret "email-personal")
|
||||
(mkSecret "email-work")
|
||||
(mkSecret "opencode-api-key")
|
||||
(lib.mkIf cfg.nixSigningKey.enable (mkSecret cfg.nixSigningKey.name))
|
||||
(mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
|
||||
(lib.mkIf cfg.nixSigningKey.enable {
|
||||
${cfg.nixSigningKey.name} = {
|
||||
sopsFile = "${sopsDir}/${cfg.nixSigningKey.name}.yaml";
|
||||
inherit owner;
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
templates = {
|
||||
"taskrc.d/sync" = {
|
||||
inherit owner;
|
||||
content = ''
|
||||
sync.server.url=${config.sops.placeholder.taskwarrior-sync-server-url}
|
||||
sync.server.client_id=${config.sops.placeholder.taskwarrior-sync-server-client-id}
|
||||
sync.encryption_secret=${config.sops.placeholder.taskwarrior-sync-encryption-secret}
|
||||
'';
|
||||
};
|
||||
|
||||
".gitconfig.email" = {
|
||||
inherit owner;
|
||||
path = "/home/${cfg.username}/.gitconfig.email";
|
||||
content = ''
|
||||
[user]
|
||||
email = ${config.sops.placeholder.email-personal}
|
||||
'';
|
||||
};
|
||||
".gitconfig.work.email" = {
|
||||
inherit owner;
|
||||
path = "/home/${cfg.username}/.gitconfig.work.email";
|
||||
content = ''
|
||||
[user]
|
||||
email = ${config.sops.placeholder.email-work}
|
||||
'';
|
||||
};
|
||||
|
||||
"opencode/auth.json" = {
|
||||
inherit owner;
|
||||
path = "/home/${cfg.username}/.local/share/opencode/auth.json";
|
||||
content = ''
|
||||
{
|
||||
"zai-coding-plan": {
|
||||
"type": "api",
|
||||
"key": "${config.sops.placeholder.opencode-api-key}"
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
|
||||
config.sops.secrets.${cfg.nixSigningKey.name}.path
|
||||
];
|
||||
|
||||
services = {
|
||||
pcscd.enable = true; # needed for age-plugin-yubikey?
|
||||
udev.packages = lib.mkIf cfg.yubikey.enable [
|
||||
pkgs.yubikey-personalization
|
||||
pkgs.libfido2
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user