author | David Morgan <djm_uk@protonmail.com> | 2022-11-24 16:37:10 +0000 |
---|---|---|
committer | David Morgan <djm_uk@protonmail.com> | 2022-11-24 16:37:10 +0000 |
commit | ae42d530201accc7bccbba892f200e21d8607de0 (patch) | |
tree | 09cd24b7a154b6b081f4e4fd96ea58b37cd46a26 | |
parent | da3cff54f2be67d4ca64716959acf532a14e08a6 (diff) | |
download | dotfiles-sops.tar.gz |
Add experimental sops setup sops
-rw-r--r-- | nix-conf/.sops.yaml | 7 | ||||
-rw-r--r-- | nix-conf/home/includes/common.nix | 4 | ||||
-rw-r--r-- | nix-conf/home/otm.nix | 10 | ||||
-rw-r--r-- | nix-conf/secrets/home.json | 21 | ||||
-rw-r--r-- | setup-home.sh | 3 |
5 files changed, 41 insertions, 4 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml
new file mode 100644
index 0000000..87069e7
--- /dev/null
+++ b/nix-conf/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv
+creation_rules:
+ - path_regex: secrets/[^/]+\.json$
+ key_groups:
+ - age:
+ - *admin_djm
diff --git a/nix-conf/home/includes/common.nix b/nix-conf/home/includes/common.nix
index 971aa7d..0adb529 100644
--- a/nix-conf/home/includes/common.nix
+++ b/nix-conf/home/includes/common.nix
@@ -2,9 +2,10 @@ let
 hcr = pkgs.callPackage ./scripts/hm-changes-report.nix { inherit config pkgs; };
 scr = pkgs.callPackage ./scripts/system-changes-report.nix { inherit config pkgs; };
+ secrets = "${config.home.homeDirectory}/dotfiles/nix-conf/secrets/home.json";
+ email = builtins.exec [ "sops" "-d" "--extract" ''["email"]'' secrets ];
 in
 {
-
 imports = [
 ./zsh.nix
 ];
@@ -172,6 +173,7 @@ in
 programs.git = {
 enable = true;
 userName = "David Morgan";
+ userEmail = email;
 aliases = {
 # difftastic
 logt = "!sh -c 'GIT_EXTERNAL_DIFF=\"difft --background=dark\" git log -p --ext-diff'";
diff --git a/nix-conf/home/otm.nix b/nix-conf/home/otm.nix
index 667493c..9c7d3f6 100644
--- a/nix-conf/home/otm.nix
+++ b/nix-conf/home/otm.nix
@@ -1,4 +1,9 @@
 { config, lib, pkgs, ... }:
+let
+ secrets = "${config.home.homeDirectory}/dotfiles/nix-conf/secrets/home.json";
+ email = builtins.exec [ "sops" "-d" "--extract" ''["email"]'' secrets ];
+ otmEmail = builtins.exec [ "sops" "-d" "--extract" ''["otm_email"]'' secrets ];
+in
 {
 imports = [
 ./includes/darwin.nix
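Review bot: The single creation rule's only key group contains one age recipient (`- *admin_djm`), so every file matching `secrets/[^/]+\.json$` is decryptable by exactly one identity and is unrecoverable if that private key is lost. Adding a second recipient to the same group (for example an offline backup key, listed under `keys:` with its own anchor) and re-keying the existing files with `sops updatekeys` costs nothing in day-to-day use and removes the single point of failure. A one-line comment above `keys:` naming which machine or hardware token holds the `admin_djm` identity would also help whoever next has to rotate it.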
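Review bot: `email = builtins.exec [ "sops" "-d" "--extract" ''["email"]'' secrets ];` makes every evaluation of this module shell out to sops: `builtins.exec` is only available when `allow-unsafe-native-code-during-evaluation` is enabled, it resolves `sops` from the evaluator's PATH, and a missing binary, missing age identity or failed decryption aborts evaluation with no fallback, so anything that evaluates the flake without the key (a `nix flake check`, a fresh machine before setup) stops working. At minimum the binary should not depend on PATH: `"${pkgs.sops}/bin/sops"` instead of `"sops"`, since `pkgs` is already in scope on the `let` lines above. `builtins.exec` also parses the program's stdout as a Nix expression, and `sops --extract` prints the raw value; it is worth confirming that an unquoted address really evaluates to the intended string and documenting that next to the binding. The same two bindings are duplicated verbatim in the otm.nix hunk of this commit (`secrets`/`email`/`otmEmail`), which should share one definition; the enclosing `let` starts before this hunk.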
@@ -14,9 +19,10 @@
 programs.git = {
 signing.signByDefault = lib.mkForce false;
+ userEmail = lib.mkForce otmEmail;
 includes = [
- { path = "~/.gitconfig-personal"; condition = "gitdir:~/src/personal/"; }
- { contents = { commit.gpgSign = true; }; condition = "gitdir:~/src/personal/"; }
+ #{ path = "~/.gitconfig-personal"; condition = "gitdir:~/src/personal/"; }
+ { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/src/personal/"; }
 ];
 extraConfig = {
 github.user = "david-morgan-otm";
diff --git a/nix-conf/secrets/home.json b/nix-conf/secrets/home.json
new file mode 100644
index 0000000..0f5d159
--- /dev/null
+++ b/nix-conf/secrets/home.json
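Review bot: `#{ path = "~/.gitconfig-personal"; condition = "gitdir:~/src/personal/"; }` leaves a commented-out include in the committed config with no explanation; now that the personal identity comes from `user.email = email;` in the inline `contents`, the dead line should be deleted, or if it is kept as a reminder it needs a comment such as `# ~/.gitconfig-personal replaced by the sops-sourced user.email below`. The `userEmail = lib.mkForce otmEmail;` override plus the conditional include mean this file now fails to evaluate whenever the decrypted values are unavailable, which is worth a short comment on the `includes = [` line so the failure mode is not a surprise. The `programs.git` block starts at the top of the hunk and continues past its end.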
@@ -0,0 +1,21 @@
+{
+ "email": "ENC[AES256_GCM,data:JucGARLeoO/hyIMJ7lMkuBbOYwKEUOY=,iv:4BLS8UKliUMlaWiozcri/djggBusdKy7ndm6mAL+E40=,tag:/0qaF1ZN7rbxEF6c0doJlg==,type:str]",
+ "otm_email": "ENC[AES256_GCM,data:TtM2XS6qbZ7aJ/bDUWVmXtMLJ4X0BhVTahuIqrXf,iv:juQg3C7J/1rB70gO2JhaQn/LpNAd4sBxIB0X+HF9Wdg=,tag:FPkR1iFI+Xr+z124054Qvg==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSREJ0d0ovTG1rNlc5UE1G\ncHRYQXRpVERpc1BRNkYrOE4wUUM3dythd2xJCjhxd1BNbFU3L1FKRlZ6T3Zkc0xp\nOWVGa01vaHU3OVgyNUNKMS8rTTJtd3cKLS0tIEVUbDgvSXNUem9RRks4bldTOTRN\nNUdMWlN5cVlGbUFzWjZMNDdUWStRZGMKcsIyTckmsm1Okuhve7Dyo+yYszKhlt4/\nFEjgvsGC7bffAlQKSWQnXjjXgXUYBipPTtsWJhuud0WW/HSVKoIQgw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2022-11-24T15:02:45Z",
+ "mac": "ENC[AES256_GCM,data:tQFuairIjOZR25cYW6iZrbEDZiwVqyp4zu5Dm5o83qY8jj4IXqrgzsIjdFjTfPBJzUhpX0JCRz4B/TKXEWX4C+2FL3b1qPQRzOG8zc+oBICmPQkLq9WNlcTzigEzKlcUVuO3wgi72CmSaLPFdiiGVj411v13XJHwmO/7gvRAVL8=,iv:pddUtAK5PdPEN8nx9ZucYQcDNxgGFpewaEWuK5KmBzc=,tag:M2N3daB0WKYQrN29bSl1/A==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/setup-home.sh b/setup-home.sh
index 29c621d..a142021 100644
--- a/setup-home.sh
+++ b/setup-home.sh
@@ -14,7 +14,8 @@ ln -sf ~/dotfiles/.p10k.zsh ~/
 ln -sf ~/dotfiles/.emacs.d ~/
 mkdir ~/.config/nix
-echo "extra-experimental-features = nix-command flakes" > ~/.config/nix/nix.conf
+echo "extra-experimental-features = nix-command flakes
+allow-unsafe-native-code-during-evaluation = true" > ~/.config/nix/nix.conf
 home-manager switch |
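Review bot: Writing `allow-unsafe-native-code-during-evaluation = true` into `~/.config/nix/nix.conf` enables `builtins.exec` for every Nix evaluation on the machine, not only for this repository: any flake input, overlay or ad-hoc `nix-shell` expression evaluated afterwards can run arbitrary programs at evaluation time, which is exactly the sandbox property the default setting exists to keep. The only consumer is the `home-manager switch` on the next line, so scoping the setting to that invocation keeps the global file at `extra-experimental-features = nix-command flakes`, for example `NIX_CONFIG="allow-unsafe-native-code-during-evaluation = true" home-manager switch`. If the global setting is intentional, a comment above the `echo` saying why (and which modules rely on it) would stop a later cleanup from silently breaking the sops lookups.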