authorDavid Morgan <djm_uk@protonmail.com>2024-08-29 19:12:32 +0100
committerDavid Morgan <djm_uk@protonmail.com>2024-08-29 19:12:32 +0100
commit921200a6490cc87af4e5e1ad955ef3cce75fa3d3 (patch)
tree31070c386c8ec8b7f360eea22eb5d9cb066a1aed /nix-conf/home
parent88cbe57395dbd30948231d39af7ef7cc450ca28d (diff)
downloaddotfiles-921200a6490cc87af4e5e1ad955ef3cce75fa3d3.tar.gz
Use sops-nix for private-ish data
Diffstat (limited to 'nix-conf/home')
-rw-r--r--nix-conf/home/includes/common.nix21
-rw-r--r--nix-conf/home/otm.nix46
2 files changed, 38 insertions, 29 deletions
diff --git a/nix-conf/home/includes/common.nix b/nix-conf/home/includes/common.nix
index 6e77bfa..630dc7b 100644
--- a/nix-conf/home/includes/common.nix
+++ b/nix-conf/home/includes/common.nix
@@ -2,18 +2,25 @@
 let
   hcr = pkgs.callPackage ./scripts/hm-changes-report.nix { inherit config pkgs; };
   scr = pkgs.callPackage ./scripts/system-changes-report.nix { inherit config pkgs; };
-  email = builtins.readFile "${config.home.homeDirectory}/email.txt";
   unstable = import <unstable> { };
 in
 {
   imports = [
     ./zsh.nix
+    <sops-nix/modules/home-manager/sops.nix>
   ];
 
   nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
     "aspell-dict-en-science"
   ];
 
+  sops = {
+    age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+    defaultSopsFile = ./../../secrets/home.yaml;
+    secrets."ssh_config/oci" = { };
+    secrets."git_email_config/default" = { };
+  };
+
   home.packages = with pkgs; [
     hcr
     scr
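Review bot: `<sops-nix/modules/home-manager/sops.nix>` is resolved through NIX_PATH at evaluation time, so the sops-nix revision that decrypts and places these secrets is whatever the channel currently holds, with no revision or hash recorded in this repository; the existing `import <unstable> { }` has the same property, but this import now sits on the secret-handling path. Consider pinning it (a `fetchTarball` with a `sha256`, or a flake input) so the module revision is reviewable and reproducible. `age.keyFile` points at an age identity file under `$XDG_CONFIG_HOME` that nothing in this configuration provisions, and decryption cannot succeed without it; a comment such as `# age identity is provisioned out-of-band; sops-nix cannot decrypt without it` would tell the next reader where activation depends on local state.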
@@ -56,9 +63,11 @@ in
     nixpkgs-review
     nvd
     pass
+    rage
     ripgrep
     rlwrap
     sd
+    sops
     tealdeer
     tre-command
     ugrep
@@ -148,7 +157,7 @@ in
         UseKeychain yes
         User djm
     '';
-    includes = [ "~/.ssh/config_local" ];
+    includes = [ "~/.ssh/config_local" config.sops.secrets."ssh_config/oci".path ];
     matchBlocks = {
       "djm.ovh" = {
         hostname = "v.djm.ovh";
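Review bot: `config.sops.secrets."ssh_config/oci".path` names a file that only exists after sops-nix activation has decrypted it into the runtime secrets directory, and OpenSSH's `Include` silently ignores a path that matches no file, so if decryption has not run (fresh login, missing age key) the OCI host entries disappear without any error. A comment on this line, `# decrypted by sops-nix at activation; ssh silently skips the include if it is missing`, would make that failure mode visible. Note also that the host addresses removed in the following hunk remain in this repository's history; moving them into an encrypted file does not retract them from earlier commits.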
@@ -178,12 +187,6 @@ in
       "hashbang" = {
         hostname = "de1.hashbang.sh";
       };
-      "o1" = {
-        hostname = "130.162.163.108";
-      };
-      "o2" = {
-        hostname = "152.67.142.10";
-      };
       "tilde.institute" = {
         hostname = "tilde.institute";
       };
@@ -205,7 +208,7 @@ in
   programs.git = {
     enable = true;
     userName = "David Morgan";
-    userEmail = email;
+    includes = [ { path = config.sops.secrets."git_email_config/default".path; } ];
     aliases = {
       # difftastic
       logt = "!sh -c 'GIT_EXTERNAL_DIFF=\"difft --background=dark\" git log -p --ext-diff'";
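Review bot: the replacement for `userEmail = email` expects the `git_email_config/default` secret to decrypt to a git-config fragment (a `[user]` section containing `email = …`), not the bare address that `email.txt` previously held, and nothing here documents that contract; add a comment such as `# secret is a git-config fragment: "[user]\n  email = …"`. Git treats a missing `include.path` as empty, so if the secret is absent or malformed there is no error at evaluation time; instead git derives an identity from the local username and hostname at commit time, which can end up in public history. Setting `extraConfig.user.useConfigOnly = true` would turn that silent fallback into a hard failure.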
diff --git a/nix-conf/home/otm.nix b/nix-conf/home/otm.nix
index cf9a219..167bac1 100644
--- a/nix-conf/home/otm.nix
+++ b/nix-conf/home/otm.nix
@@ -1,8 +1,4 @@
 { config, lib, pkgs, ... }:
-let
-  email = builtins.readFile "${config.home.homeDirectory}/email.txt";
-  otmEmail = builtins.readFile "${config.home.homeDirectory}/otm_email.txt";
-in
 {
   imports = [ 
     ./includes/darwin.nix
@@ -16,12 +12,19 @@ in
   home.username = "dmorgan";
   home.homeDirectory = "/Users/dmorgan";
 
+  sops.secrets = {
+    "git_email_config/otm" = { };
+    "ssh_config/otm" = { };
+  };
+
   programs.git = {
     signing.signByDefault = lib.mkForce false;
-    userEmail = lib.mkForce otmEmail;
-    includes = [
-      { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/src/personal/"; }
-      { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/dotfiles/"; }
+    includes = lib.mkForce [
+      { path = config.sops.secrets."git_email_config/otm".path; }
+      { path = config.sops.secrets."git_email_config/default".path; condition = "gitdir:~/src/personal/"; }
+      { path = config.sops.secrets."git_email_config/default".path; condition = "gitdir:~/dotfiles/"; }
+      { contents = { commit.gpgSign = true; tag.gpgSign = true; }; condition = "gitdir:~/src/personal/"; }
+      { contents = { commit.gpgSign = true; tag.gpgSign = true; }; condition = "gitdir:~/dotfiles/"; }
     ];
     extraConfig = {
       github.user = "david-morgan-otm";
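Review bot: `lib.mkForce` on `includes` discards the whole list that common.nix contributes, which is why the `git_email_config/default` entry has to be re-listed here with conditions; any include added to common.nix later will silently not reach this host. If the intent is only to override the default identity, `includes = lib.mkAfter [ … ]` would append these entries after the shared ones while keeping git's last-wins ordering, without the re-listing. The `tag.gpgSign = true` lines are new behaviour that the commit message (a sops-nix migration) does not mention; worth calling out or splitting off. Ordering within this list matters: the unconditional otm entry must stay before the conditional default entries for the personal-directory overrides to win.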
@@ -37,18 +40,21 @@ in
       "resources/next/package-lock.json"
     ];
   };
-  programs.ssh.matchBlocks = {
-    "github.com" = lib.mkForce {
-      hostname = "github.com";
-      user = "git";
-      identityFile = "~/.ssh/id_rsa";
-      identitiesOnly = true;
-    };
-    "github.com-personal" = {
-      hostname = "github.com";
-      user = "git";
-      identityFile = "~/.ssh/id_ed25519";
-      identitiesOnly = true;
+  programs.ssh = {
+    includes = [ config.sops.secrets."ssh_config/otm".path ];
+    matchBlocks = {
+      "github.com" = lib.mkForce {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "~/.ssh/id_rsa";
+        identitiesOnly = true;
+      };
+      "github.com-personal" = {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "~/.ssh/id_ed25519";
+        identitiesOnly = true;
+      };
     };
   };