From bcf29eb442fa3b6dfb6a331d28f85f66e52ce9a5 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Thu, 13 Mar 2025 15:13:59 +0100
Subject: [PATCH] {common,home}/nix: use sops templates for access tokens

---
 home/home.nix        | 14 +++++++++++---
 hosts/common/nix.nix | 14 +++++++++++---
 secrets/common.yaml  | 10 ++++++----
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/home/home.nix b/home/home.nix
index aa6a901..4bad59d 100644
--- a/home/home.nix
+++ b/home/home.nix
@@ -94,14 +94,22 @@ in {
   sops.defaultSopsFile = ../secrets/home.yaml;
   sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519_home_sops" ];
 
-  sops.secrets."nix/access-tokens" = {
-    sopsFile = ../secrets/common.yaml;
+  sops = {
+    secrets = {
+      "nix/access-tokens/github" = { sopsFile = ../secrets/common.yaml; };
+      "nix/access-tokens/pvv-git" = { sopsFile = ../secrets/common.yaml; };
+    };
+    templates."nix-access-tokens.conf".content = let
+      inherit (config.sops) placeholder;
+    in ''
+      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
+    '';
   };
 
   nix = {
     settings.use-xdg-base-directories = true;
     extraOptions = ''
-      !include ${config.sops.secrets."nix/access-tokens".path}
+      !include ${config.sops.templates."nix-access-tokens.conf".path}
     '';
   };
 
diff --git a/hosts/common/nix.nix b/hosts/common/nix.nix
index eb1c876..fbb037b 100644
--- a/hosts/common/nix.nix
+++ b/hosts/common/nix.nix
@@ -6,8 +6,16 @@
     ./nix-builders/tsuki.nix
   ];
 
-  sops.secrets = {
-    "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
+  sops = {
+    secrets = {
+      "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; };
+      "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; };
+    };
+    templates."nix-access-tokens.conf".content = let
+      inherit (config.sops) placeholder;
+    in ''
+      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
+    '';
   };
 
   nix = {
@@ -28,7 +36,7 @@
     };
 
     extraOptions = ''
-      !include ${config.sops.secrets."nix/access-tokens".path}
+      !include ${config.sops.templates."nix-access-tokens.conf".path}
     '';
 
     optimise.automatic = true;
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 92a727e..80139fb 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,5 +1,7 @@
 nix:
-    access-tokens: ENC[AES256_GCM,data:I2wXlh6XQL89k3Fko4uNvgxU26qKvRjTwq6dQXytW8tId51WRaHGs1qqEyxiVnwtpjXWcD4/5iAip/oSEyQzlR1zhTu01QwgeHYI6kxzyJDFGg4IbYZ6ReWy5RYIh8jji0+hfVzuLenmZLY365DjGAwg+z5KXDy2tKm4zEL8c+Pbv4Wt6LGQdYS74/xrc0KqPGNRMz/T/EALradx9T9+gdgnLBAPGfJV130fBbQijDuaCw==,iv:enw8eyh0yuqTyVucXCrQ+zSbNEaOrlTPqec8brUNA6M=,tag:pL4vYTE6lLKLjD10mVeAXw==,type:str]
+    access-tokens:
+        github: ENC[AES256_GCM,data:reARhNXlxTugP0dRS+PjMUOIYUDzlD7CW7If4F26uM9PEO+6N+KvT0MyuI/eSMaX+bEKWfi+HaZ/SyLw1Pjvretzot9lVqFWG7OrLE4iT+1WCccmwtvbc5Ppl+i2,iv:9pCveUmjl4nKCaLzo+Ybfi6rpzKCxGNRbyRUWUpTNkg=,tag:LT9zUc5C4hqcsVQE+Bfnjw==,type:str]
+        pvv-git: ENC[AES256_GCM,data:fp8utMv7PLrz8LkDvvG7GVY4SiDFOgX8YF1M/hpZyGj9H6pDDvtOTw==,iv:FJmw6Tq81IECxQaJZc9u5gxIWse3OvCF7x7dmJ+m4pg=,tag:hdrsJtFhaj5W5PYTUDRx+g==,type:str]
 wstunnel:
     http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str]
 ssh:
@@ -74,8 +76,8 @@ sops:
             blkrc0locjd0eENvcnVmVW8zaStSODQK5icytb3Ae6BmoU3Sz6yp7aAj/CtmHIS0
             27xAjcGnnDmpVwo1NgjOgF1wZfmVA6II393E3KNNVs4pGeesS5C0VA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-25T09:09:38Z"
-    mac: ENC[AES256_GCM,data:virqHg0KoyhLVP9yynReVwSGhTBWz2mO5uBRXqzae7plALvRS+mzErfR+h63bX4TF/iLxQ/pJZb+KqQugweWEon9cycIyoKfRaIqaIZ4t8SnVWmDt6xEebkZC4JT7FD9xf27YTzxnamyINRdiCirTfJOeF4PKEow0EjH0WoS1DQ=,iv:giJ6JOXJQInavkdZbkDABG66B45ciNTetGHcwcz73dA=,tag:rvCbdxNFwoYjGuFi/YwI2Q==,type:str]
+    lastmodified: "2025-03-13T14:05:53Z"
+    mac: ENC[AES256_GCM,data:ftoKk3mBVdRn16HGEq5kklw0/RTWpyjneBT2PJUUaGy4u0fWJy8ZfcIcoG+2WekiSFwWBab4kcFHr5KfXX+XEn1Y2brdcirCXr2PdrmccGxyvSiEy/C6OUrB9KiFqpf4tmx3IbYimlxBSE5uQStQATdGWu7cM+hsrW9j5wzWlUU=,iv:jmJHVMZqyf7xTFry76ywN2Yt++2sG/mWsBvaLONGoM4=,tag:19C+PS8tTRVUaqrlQnoDeQ==,type:str]
     pgp:
         - created_at: "2024-12-04T17:04:12Z"
           enc: |-
@@ -98,4 +100,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4