more hm sops

secrets/user-pbsds.yaml

@@ -1,5 +1,4 @@
-age:
-    pvv-infra: ENC[AES256_GCM,data:3LpXJ9k8RQpo1FhzvFqnY2Zr5DS/uyD57/EQhjZ+8rL5pcseHxefl+dCOSzcK8XBhYj8Uh0SriLy9xG6vvLv6fVsFVAu7kyHmjjc/g9J9R3h/B0b7kEluJAxGIdZX5qVZLJl6rp5l2b9tLMj31SCN3kr4iZOI86Y/NDfVMzijYuslmIM7rBR5ESJSOPvjLqXjVTGWZ78RQd/i6h26iC57AaQnR3K+ECrRgiWCbEARN3METzTXu2K70ml9oPv,iv:mNBvaInfI49MP5mlk9vL81oV7bF4mpC132MzNLArkQI=,tag:nMDyldfhHflKdp+yjzdLmw==,type:str]
+hm-age-keys: ENC[AES256_GCM,data:UhPj72P1NVuD8Y4h8+UyCR5nEq4n76+E1ltA0v8Q3FmEB0vKkMDj2yQvA2r7ILgvlS1wKe5TyQ1tNa+lilCCBdHg7KG/yQNpxfQcngfOqwUkH6SI1KxekZyRisyznvseuGGqMYsBXliyCUnfjokJjdPdYthBgo1un0sKgKJn4wdviVTDzDKGcxqZI9euJBuV7aXqMG8WbIAl6l0Uqph5X/3QDvg54b68t3+6gZ6P9DXFI4BgLsaesiCHHVB+TioVNc6c2PoK7ReJ,iv:gvdoNoFQ3GJEjlCQ+BMqCOYVWazQC9Kf10fGcyTGeXo=,tag:Ao64r0iIotaEkn15K+oBlw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -33,8 +32,8 @@ sops:
             eElYaFdHRnJCL1B6TDRBdHFlY1hzS2MKYJ0ShoOUFK991Sva/SKkQQrCsYRf1TWA
             j6RddniZt7A4y8mt4g3bhWyf+7OLLNx0BjuW6c2aVoMi7B7ZLBz+gg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-10-27T17:16:46Z"
-    mac: ENC[AES256_GCM,data:0I5IhUaaXWXaEj3TKtLhlDN7SkhCQouUcpb6bwnsoWVibWvMX9ZrqVO35wDrU/vmY45RTuIJ0AdXlDCL0fyGIOpw4bRoizxaIH9Im8sxh47Fgh+wY4LTEa3y6rES2opuaPrPUqEQeBtS9e1WU0Vt1Wdjv1nxq+pxKKL7p51CW6s=,iv:HZn7Ehqc0fpSDx32OgwzQZ3r8ebhoE4Dy+qUeDXJgj8=,tag:uj4lX4CESO041rLgRXko7Q==,type:str]
+    lastmodified: "2024-02-18T01:45:49Z"
+    mac: ENC[AES256_GCM,data:ue8Ro6nUtZ2mXez76jtA9Rje2kVvc2vRG3YaEArID/zBrDwR8NJsWU17jvuwr92OtqSVVO2JAps6RuLIrjpLmO6SgcAvRj9rqWrpQQ4Qb9zYCZ2RUlov9yMBk0phsMtkzcHDFsk6EGyS8b6N1eP7iSu7W+riaM8zR9BajuDUuTE=,iv:ke1K1+Uo0jjJjztjCHYmlDMUCFSJWchQz7GoCm5l1aY=,tag:iLiYHS6hiZHNJQlp05yNmQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1

users/pbsds/home/profiles/sops.nix

@@ -1,4 +1,8 @@
-{ pkgs, config, ... }:
+{ lib, pkgs, config, ... }:
+
+let
+  keyFile = lib.escapeShellArg config.sops.age.keyFile;
+in
 
 {
 
@@ -6,8 +10,30 @@
   sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
   sops.defaultSopsFile = ../../../../secrets/user-pbsds.yaml;
 
-  sops.secrets."age/pvv-infra".path = "%r/sops/age/pvv-infra.txt";
+  sops.secrets."hm-age-keys".path = "%r/sops/age/keys-hm.txt";
 
+  /**/
+  home.activation.append-hm-sops-keys = lib.hm.dag.entryAfter ["writeBoundary"] ''
+    if ! test -f ${keyFile}; then
+      $DRY_RUN_CMD mkdir -p "$(dirname ${keyFile})"
+      $DRY_RUN_CMD ${lib.getBin pkgs.age}/bin/age-keygen -o ${keyFile} >/dev/null
+    fi
+
+    if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
+      if test -w ${keyFile}; then
+        for pubkey in $(age-keygen -y "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt); do
+          if ! grep -q "$pubkey" <(${lib.getBin pkgs.age}/bin/age-keygen -y ${keyFile}); then
+            # TODO: deduplicate
+            cat "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt | $DRY_RUN_CMD tee --append ${keyFile} > /dev/null
+            break
+          fi
+        done
+      fi
+    fi
+  '';
+  /**/
+
+  /** /
   home.sessionVariables = {
     #SOPS_AGE_KEY_FILE = config.sops.age.keyFile;
     SOPS_AGE_KEY_FILE = "$XDG_RUNTIME_DIR/sops/age/keys.txt";
@@ -25,12 +51,14 @@
         test -f ${config.sops.age.keyFile}
         install -Dm600 -t "$XDG_RUNTIME_DIR/sops/age/keys.txt" <(
            cat ${config.sops.age.keyFile}
-           if test -s "$XDG_RUNTIME_DIR"/sops/age/pvv-infra.txt; then
-             cat "$XDG_RUNTIME_DIR"/pvv-infra.txt
+           if test -s "$XDG_RUNTIME_DIR"/sops/age/keys-hm.txt; then
+             cat "$XDG_RUNTIME_DIR"/hm-keys.txt
            fi
         )
       '';
     };
   };
+  /**/
+
 
 }