oysteikt/nix-dotfiles
oysteikt/nix-dotfiles
2
1
Fork 0
Code Issues Pull Requests Activity

{common,home}/nix: use sops templates for access tokens

Browse Source
This commit is contained in:
Oystein Kristoffer Tveit 2025-03-13 15:13:59 +01:00
parent f8a11ae4fb
commit bcf29eb442
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 28 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
home/home.nix
View File

@ -94,14 +94,22 @@ in {
sops.defaultSopsFile = ../secrets/home.yaml;
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519_home_sops" ];
sops.secrets."nix/access-tokens" = {
sopsFile = ../secrets/common.yaml;
sops = {
secrets = {
"nix/access-tokens/github" = { sopsFile = ../secrets/common.yaml; };
"nix/access-tokens/pvv-git" = { sopsFile = ../secrets/common.yaml; };
};
templates."nix-access-tokens.conf".content = let
inherit (config.sops) placeholder;
in ''
access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
'';
};
nix = {
settings.use-xdg-base-directories = true;
extraOptions = ''
!include ${config.sops.secrets."nix/access-tokens".path}
!include ${config.sops.templates."nix-access-tokens.conf".path}
'';
};

14
hosts/common/nix.nix
View File

@ -6,8 +6,16 @@
./nix-builders/tsuki.nix
];
sops.secrets = {
"nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
sops = {
secrets = {
"nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; };
"nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; };
};
templates."nix-access-tokens.conf".content = let
inherit (config.sops) placeholder;
in ''
access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
'';
};
nix = {
@ -28,7 +36,7 @@
};
extraOptions = ''
!include ${config.sops.secrets."nix/access-tokens".path}
!include ${config.sops.templates."nix-access-tokens.conf".path}
'';
optimise.automatic = true;

10
secrets/common.yaml
View File

@ -1,5 +1,7 @@
nix:
access-tokens: ENC[AES256_GCM,data:I2wXlh6XQL89k3Fko4uNvgxU26qKvRjTwq6dQXytW8tId51WRaHGs1qqEyxiVnwtpjXWcD4/5iAip/oSEyQzlR1zhTu01QwgeHYI6kxzyJDFGg4IbYZ6ReWy5RYIh8jji0+hfVzuLenmZLY365DjGAwg+z5KXDy2tKm4zEL8c+Pbv4Wt6LGQdYS74/xrc0KqPGNRMz/T/EALradx9T9+gdgnLBAPGfJV130fBbQijDuaCw==,iv:enw8eyh0yuqTyVucXCrQ+zSbNEaOrlTPqec8brUNA6M=,tag:pL4vYTE6lLKLjD10mVeAXw==,type:str]
access-tokens:
github: ENC[AES256_GCM,data:reARhNXlxTugP0dRS+PjMUOIYUDzlD7CW7If4F26uM9PEO+6N+KvT0MyuI/eSMaX+bEKWfi+HaZ/SyLw1Pjvretzot9lVqFWG7OrLE4iT+1WCccmwtvbc5Ppl+i2,iv:9pCveUmjl4nKCaLzo+Ybfi6rpzKCxGNRbyRUWUpTNkg=,tag:LT9zUc5C4hqcsVQE+Bfnjw==,type:str]
pvv-git: ENC[AES256_GCM,data:fp8utMv7PLrz8LkDvvG7GVY4SiDFOgX8YF1M/hpZyGj9H6pDDvtOTw==,iv:FJmw6Tq81IECxQaJZc9u5gxIWse3OvCF7x7dmJ+m4pg=,tag:hdrsJtFhaj5W5PYTUDRx+g==,type:str]
wstunnel:
http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str]
ssh:
@ -74,8 +76,8 @@ sops:
blkrc0locjd0eENvcnVmVW8zaStSODQK5icytb3Ae6BmoU3Sz6yp7aAj/CtmHIS0
27xAjcGnnDmpVwo1NgjOgF1wZfmVA6II393E3KNNVs4pGeesS5C0VA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-25T09:09:38Z"
mac: ENC[AES256_GCM,data:virqHg0KoyhLVP9yynReVwSGhTBWz2mO5uBRXqzae7plALvRS+mzErfR+h63bX4TF/iLxQ/pJZb+KqQugweWEon9cycIyoKfRaIqaIZ4t8SnVWmDt6xEebkZC4JT7FD9xf27YTzxnamyINRdiCirTfJOeF4PKEow0EjH0WoS1DQ=,iv:giJ6JOXJQInavkdZbkDABG66B45ciNTetGHcwcz73dA=,tag:rvCbdxNFwoYjGuFi/YwI2Q==,type:str]
lastmodified: "2025-03-13T14:05:53Z"
mac: ENC[AES256_GCM,data:ftoKk3mBVdRn16HGEq5kklw0/RTWpyjneBT2PJUUaGy4u0fWJy8ZfcIcoG+2WekiSFwWBab4kcFHr5KfXX+XEn1Y2brdcirCXr2PdrmccGxyvSiEy/C6OUrB9KiFqpf4tmx3IbYimlxBSE5uQStQATdGWu7cM+hsrW9j5wzWlUU=,iv:jmJHVMZqyf7xTFry76ywN2Yt++2sG/mWsBvaLONGoM4=,tag:19C+PS8tTRVUaqrlQnoDeQ==,type:str]
pgp:
- created_at: "2024-12-04T17:04:12Z"
enc: |-
@ -98,4 +100,4 @@ sops:
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.9.1
version: 3.9.4