From bcf29eb442fa3b6dfb6a331d28f85f66e52ce9a5 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 13 Mar 2025 15:13:59 +0100
Subject: [PATCH] {common,home}/nix: use sops templates for access tokens

---
 home/home.nix | 14 +++++++++++---
 hosts/common/nix.nix | 14 +++++++++++---
 secrets/common.yaml | 10 ++++++----
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/home/home.nix b/home/home.nix
index aa6a901..4bad59d 100644
--- a/home/home.nix
+++ b/home/home.nix
@@ -94,14 +94,22 @@ in {
   sops.defaultSopsFile = ../secrets/home.yaml;
   sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519_home_sops" ];
 
-  sops.secrets."nix/access-tokens" = {
-    sopsFile = ../secrets/common.yaml;
+  sops = {
+    secrets = {
+      "nix/access-tokens/github" = { sopsFile = ../secrets/common.yaml; };
+      "nix/access-tokens/pvv-git" = { sopsFile = ../secrets/common.yaml; };
+    };
+    templates."nix-access-tokens.conf".content = let
+      inherit (config.sops) placeholder;
+    in ''
+      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
+    '';
   };
 
   nix = {
     settings.use-xdg-base-directories = true;
     extraOptions = ''
-      !include ${config.sops.secrets."nix/access-tokens".path}
+      !include ${config.sops.templates."nix-access-tokens.conf".path}
     '';
   };
 
diff --git a/hosts/common/nix.nix b/hosts/common/nix.nix
index eb1c876..fbb037b 100644
--- a/hosts/common/nix.nix
+++ b/hosts/common/nix.nix
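Review bot: The `access-tokens` template added in this hunk is repeated verbatim in the hosts/common/nix.nix hunk, so a token added to one secret list can silently drift from the other, and nothing says why a template is used instead of including the secret directly as before. I would add `# the tokens are separate secrets but nix.conf wants them on one access-tokens line, so they are rendered into a single file here` above `templates."nix-access-tokens.conf".content`, and consider moving the two `nix/access-tokens/*` names and the `github.com=… git.pvv.ntnu.no=…` line into one shared expression that both the home-manager and NixOS modules import. The rendered file holds both tokens in clear text, so it is worth confirming that the rendered template's default owner and mode suit whichever process parses this nix.conf (the user's client here, the daemon in hosts/common/nix.nix). The enclosing attribute set continues outside the hunk.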
@@ -6,8 +6,16 @@
     ./nix-builders/tsuki.nix
   ];
 
-  sops.secrets = {
-    "nix/access-tokens" = { sopsFile = ./../../secrets/common.yaml; };
+  sops = {
+    secrets = {
+      "nix/access-tokens/github" = { sopsFile = ./../../secrets/common.yaml; };
+      "nix/access-tokens/pvv-git" = { sopsFile = ./../../secrets/common.yaml; };
+    };
+    templates."nix-access-tokens.conf".content = let
+      inherit (config.sops) placeholder;
+    in ''
+      access-tokens = github.com=${placeholder."nix/access-tokens/github"} git.pvv.ntnu.no=${placeholder."nix/access-tokens/pvv-git"}
+    '';
   };
 
   nix = {
@@ -28,7 +36,7 @@
     };
 
     extraOptions = ''
-      !include ${config.sops.secrets."nix/access-tokens".path}
+      !include ${config.sops.templates."nix-access-tokens.conf".path}
     '';
 
     optimise.automatic = true;
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 92a727e..80139fb 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,5 +1,7 @@
 nix:
-  access-tokens: ENC[AES256_GCM,data:I2wXlh6XQL89k3Fko4uNvgxU26qKvRjTwq6dQXytW8tId51WRaHGs1qqEyxiVnwtpjXWcD4/5iAip/oSEyQzlR1zhTu01QwgeHYI6kxzyJDFGg4IbYZ6ReWy5RYIh8jji0+hfVzuLenmZLY365DjGAwg+z5KXDy2tKm4zEL8c+Pbv4Wt6LGQdYS74/xrc0KqPGNRMz/T/EALradx9T9+gdgnLBAPGfJV130fBbQijDuaCw==,iv:enw8eyh0yuqTyVucXCrQ+zSbNEaOrlTPqec8brUNA6M=,tag:pL4vYTE6lLKLjD10mVeAXw==,type:str]
+  access-tokens:
+    github: ENC[AES256_GCM,data:reARhNXlxTugP0dRS+PjMUOIYUDzlD7CW7If4F26uM9PEO+6N+KvT0MyuI/eSMaX+bEKWfi+HaZ/SyLw1Pjvretzot9lVqFWG7OrLE4iT+1WCccmwtvbc5Ppl+i2,iv:9pCveUmjl4nKCaLzo+Ybfi6rpzKCxGNRbyRUWUpTNkg=,tag:LT9zUc5C4hqcsVQE+Bfnjw==,type:str]
+    pvv-git: ENC[AES256_GCM,data:fp8utMv7PLrz8LkDvvG7GVY4SiDFOgX8YF1M/hpZyGj9H6pDDvtOTw==,iv:FJmw6Tq81IECxQaJZc9u5gxIWse3OvCF7x7dmJ+m4pg=,tag:hdrsJtFhaj5W5PYTUDRx+g==,type:str]
 wstunnel:
   http-upgrade-path-prefix: ENC[AES256_GCM,data:3WG+fu+XXFDgHuEEosWtZKMj51Ks1QIdgWRRsX6RVre8+0t7/4bICoVYtaMSWwMAjH03tt5i1Af1orlKT72gvQ==,iv:syXhMVHwWf9H+HHBhNDq1Y1df9t6VitqhPEqruTnBRA=,tag:1RNmL50z6v4X/cVxkAAvew==,type:str]
 ssh:
@@ -74,8 +76,8 @@ sops:
         blkrc0locjd0eENvcnVmVW8zaStSODQK5icytb3Ae6BmoU3Sz6yp7aAj/CtmHIS0
         27xAjcGnnDmpVwo1NgjOgF1wZfmVA6II393E3KNNVs4pGeesS5C0VA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-11-25T09:09:38Z"
-  mac: ENC[AES256_GCM,data:virqHg0KoyhLVP9yynReVwSGhTBWz2mO5uBRXqzae7plALvRS+mzErfR+h63bX4TF/iLxQ/pJZb+KqQugweWEon9cycIyoKfRaIqaIZ4t8SnVWmDt6xEebkZC4JT7FD9xf27YTzxnamyINRdiCirTfJOeF4PKEow0EjH0WoS1DQ=,iv:giJ6JOXJQInavkdZbkDABG66B45ciNTetGHcwcz73dA=,tag:rvCbdxNFwoYjGuFi/YwI2Q==,type:str]
+  lastmodified: "2025-03-13T14:05:53Z"
+  mac: ENC[AES256_GCM,data:ftoKk3mBVdRn16HGEq5kklw0/RTWpyjneBT2PJUUaGy4u0fWJy8ZfcIcoG+2WekiSFwWBab4kcFHr5KfXX+XEn1Y2brdcirCXr2PdrmccGxyvSiEy/C6OUrB9KiFqpf4tmx3IbYimlxBSE5uQStQATdGWu7cM+hsrW9j5wzWlUU=,iv:jmJHVMZqyf7xTFry76ywN2Yt++2sG/mWsBvaLONGoM4=,tag:19C+PS8tTRVUaqrlQnoDeQ==,type:str]
   pgp:
     - created_at: "2024-12-04T17:04:12Z"
       enc: |-
@@ -98,4 +100,4 @@ sops:
         -----END PGP MESSAGE-----
       fp: F7D37890228A907440E1FD4846B9228E814A2AAC
   unencrypted_suffix: _unencrypted
-  version: 3.9.1
+  version: 3.9.4