From c4f98ec9e7a99073b46514210bd88dc5f39f630b Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 25 Jun 2024 20:10:58 +0200
Subject: [PATCH] home/nix: add sops and github token

---
 flake.nix | 5 +++++
 home/home.nix | 16 +++++++++++++---
 secrets/common.yaml | 6 ++++--
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/flake.nix b/flake.nix
index f761b94..cee22e4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -192,9 +192,14 @@
 inherit inputs;
 inherit (self) extendedLib;
 inherit (config) machineVars;
+ hostname = name;
 secrets = secrets.outputs.settings;
 };
 
+ sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
+
 users.h7x4 = {
 imports = [ ./home/home.nix ];
 };
diff --git a/home/home.nix b/home/home.nix
index bf73c57..6ea5007 100644
--- a/home/home.nix
+++ b/home/home.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, extendedLib, inputs, machineVars, ... } @ args: let
+{ config, pkgs, lib, extendedLib, inputs, machineVars, hostname, ... } @ args: let
 inherit (lib) mkForce mkIf optionals;
 graphics = !machineVars.headless;
 in {
@@ -51,8 +51,18 @@ in {
 ./services/copyq.nix
 ];
 
- nix.settings = {
- use-xdg-base-directories = true;
+ sops.defaultSopsFile = ./secrets/${hostname}.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ sops.secrets."nix/access-tokens" = {
+ sopsFile = ../secrets/common.yaml;
+ };
+
+ nix = {
+ settings.use-xdg-base-directories = true;
+ extraOptions = ''
+ !include ${config.sops.secrets."nix/access-tokens".path}
+ '';
 };
 
 home = {
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 17e13df..8eb2f77 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,3 +1,5 @@
+nix:
+ access-tokens: ENC[AES256_GCM,data:K1V98nx+w0uoOY9ONDxbaZT9jbEbMqpzyYWaSrQIYfo2bm1HLeTHPqp2rqRFIPu5gD/5SqY2FW4Pak92it4S7o9liiI=,iv:/c6Mr3WQsbW7nBaa5NIG3pzatSyC9UE5zDpKjuD/FG0=,tag:8V344qvOVrgh5XHlinuFyw==,type:str]
 ssh:
 nix-builders:
 bob: 
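Review bot: In the second home/home.nix hunk, `sops.defaultSopsFile = ./secrets/${hostname}.yaml;` resolves relative to home/home.nix (home/secrets/<hostname>.yaml), while the secret declared three lines later points at `../secrets/common.yaml` and the diffstat places the secrets directory at the repository root, so unless a home/secrets/ directory exists this should read `sops.defaultSopsFile = ../secrets/${hostname}.yaml;`. The slip is masked for now because the only declared secret sets `sopsFile` explicitly, so the default is never consulted. Separately, `!include` is the non-fatal form of the nix.conf directive: if the secret is not in place at activation — for example because `/etc/ssh/ssh_host_ed25519_key` is typically readable only by root while the home-manager sops module decrypts as the user — the token is dropped silently and the problem surfaces later as GitHub rate-limit errors, whereas `include` would fail loudly; the key path also deserves a comment stating that the user must be able to read it and that the decrypted file must be a nix.conf fragment (`access-tokens = github.com=<token>`), not a bare token. The enclosing attribute set starts and ends outside the hunk.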
@@ -33,8 +35,8 @@ sops:
 cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
 rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-25T17:16:57Z"
- mac: ENC[AES256_GCM,data:vA8eGtD43gSWTXfuRmUcGXOn0UStfnDS8R6n3PNRWZFpMmtja96uGFvCwHM7rB3nWuz7LjHjxIqAEzjFuUy6SN2ta86ZQg+bdJZ+MsK+02o0senUgAHYx5Jxt5f0E+P9y4g5E9zgFkHMpTcGHGV+7sTjjqxjCF0jUVi20bh/T5g=,iv:FyivxwZQ7LDQUazdM03MdDTNWJWyp3nEQZk+TFGnUfQ=,tag:Z8q2aEqJeXcbCW/04N0rSQ==,type:str]
+ lastmodified: "2024-06-25T18:03:45Z"
+ mac: ENC[AES256_GCM,data:HLm8tiOhW4QtBbAVMen1g451S7cTYF+bN1/4eHZDd1U8UjkbU1yim7m5EZGgZnGw9o5+YvMt08BUXjVLfpIaW7oX9DbQrUr9pxiLpuUM+qtStzYfohnae8BzLF9naNg3oOMYAo3nOWWpcAtLVUoNBtBaD/VI5bvj3VnCbMWQ6pE=,iv:p1wgOGwcfdmvNgwmcSjKZ2c4zpL8138tZ0CD7lgwtZ4=,tag:QKMd/iUZcBrcW5iOsZ/Lbw==,type:str]
 pgp:
 - created_at: "2023-05-08T00:49:52Z"
 enc: |