home/nix: add sops and github token

2024-06-25 20:10:58 +02:00 · 2024-06-25 20:10:58 +02:00 · c4f98ec9e7
parent f74c1f7aa8
commit c4f98ec9e7
3 changed files with 22 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -192,9 +192,14 @@
                  inherit inputs;
                  inherit (self) extendedLib;
                  inherit (config) machineVars;
+                  hostname = name;
                  secrets = secrets.outputs.settings;
                };

+                sharedModules = [
+                  inputs.sops-nix.homeManagerModules.sops
+                ];
+
                users.h7x4 = {
                  imports = [ ./home/home.nix ];
                };
--- a/home/home.nix
+++ b/home/home.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, extendedLib, inputs, machineVars, ... } @ args: let
+{ config, pkgs, lib, extendedLib, inputs, machineVars, hostname, ... } @ args: let
  inherit (lib) mkForce mkIf optionals;
  graphics = !machineVars.headless;
 in {
@ -51,8 +51,18 @@ in {
    ./services/copyq.nix
  ];

-  nix.settings = {
-    use-xdg-base-directories = true;
+  sops.defaultSopsFile = ./secrets/${hostname}.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+  sops.secrets."nix/access-tokens" = {
+    sopsFile = ../secrets/common.yaml;
+  };
+
+  nix = {
+    settings.use-xdg-base-directories = true;
+    extraOptions = ''
+      !include ${config.sops.secrets."nix/access-tokens".path}
+    '';
  };

  home = {
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@ -1,3 +1,5 @@
+nix:
+    access-tokens: ENC[AES256_GCM,data:K1V98nx+w0uoOY9ONDxbaZT9jbEbMqpzyYWaSrQIYfo2bm1HLeTHPqp2rqRFIPu5gD/5SqY2FW4Pak92it4S7o9liiI=,iv:/c6Mr3WQsbW7nBaa5NIG3pzatSyC9UE5zDpKjuD/FG0=,tag:8V344qvOVrgh5XHlinuFyw==,type:str]
 ssh:
    nix-builders:
        bob:
@ -33,8 +35,8 @@ sops:
            cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
            rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-25T17:16:57Z"
-    mac: ENC[AES256_GCM,data:vA8eGtD43gSWTXfuRmUcGXOn0UStfnDS8R6n3PNRWZFpMmtja96uGFvCwHM7rB3nWuz7LjHjxIqAEzjFuUy6SN2ta86ZQg+bdJZ+MsK+02o0senUgAHYx5Jxt5f0E+P9y4g5E9zgFkHMpTcGHGV+7sTjjqxjCF0jUVi20bh/T5g=,iv:FyivxwZQ7LDQUazdM03MdDTNWJWyp3nEQZk+TFGnUfQ=,tag:Z8q2aEqJeXcbCW/04N0rSQ==,type:str]
+    lastmodified: "2024-06-25T18:03:45Z"
+    mac: ENC[AES256_GCM,data:HLm8tiOhW4QtBbAVMen1g451S7cTYF+bN1/4eHZDd1U8UjkbU1yim7m5EZGgZnGw9o5+YvMt08BUXjVLfpIaW7oX9DbQrUr9pxiLpuUM+qtStzYfohnae8BzLF9naNg3oOMYAo3nOWWpcAtLVUoNBtBaD/VI5bvj3VnCbMWQ6pE=,iv:p1wgOGwcfdmvNgwmcSjKZ2c4zpL8138tZ0CD7lgwtZ4=,tag:QKMd/iUZcBrcW5iOsZ/Lbw==,type:str]
    pgp:
        - created_at: "2023-05-08T00:49:52Z"
          enc: |