diff --git a/home/secrets.nix b/home/secrets.nix
index aec337e..7c08537 100644
--- a/home/secrets.nix
+++ b/home/secrets.nix
@@ -1,7 +1,22 @@
-{ config, pkgs, ... }:
-
 {
- sops = {
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ isDarwin = pkgs.stdenv.isDarwin;
+
+ # On Darwin, sops secrets are managed by the home-manager module;
+ # on NixOS, they are managed by the system module → /run/secrets/.
+ secretPath = name: if isDarwin then config.sops.secrets.${name}.path else "/run/secrets/${name}";
+in
+{
+ # sops home-manager config — Darwin only
+ # NixOS uses the system-level module (modules/nixos/secrets.nix)
+ # to avoid systemd user service issues on WSL.
+ sops = lib.mkIf isDarwin {
 age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
 defaultSopsFile = ../secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
@@ -29,10 +44,10 @@
 programs.fish.interactiveShellInit = ''
 # sops-nix secrets → env vars
 for pair in \
- AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
- AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path} \
- EXA_API_KEY:${config.sops.secrets.exa_api_key.path} \
- CONTEXT7_API_KEY:${config.sops.secrets.context7_api_key.path}
+ AI_GATEWAY_BASE_URL:${secretPath "ai_gateway_base_url"} \
+ AI_GATEWAY_API_KEY:${secretPath "ai_gateway_api_key"} \
+ EXA_API_KEY:${secretPath "exa_api_key"} \
+ CONTEXT7_API_KEY:${secretPath "context7_api_key"}
 set -l parts (string split : $pair)
 if test -r $parts[2]
 set -gx $parts[1] (cat $parts[2])
diff --git a/lib/default.nix b/lib/default.nix
index bec5ce4..a876719 100644
--- a/lib/default.nix
+++ b/lib/default.nix
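Review bot: The NixOS branch of `secretPath` hard-codes `"/run/secrets/${name}"` instead of reading the path the system-level sops module actually declares, so a later change to `sops.secrets.<name>.path` or to the secrets directory in modules/nixos/secrets.nix would leave the fish loop in the second hunk pointing at a missing file, and `test -r` would then skip the export silently. When home-manager is evaluated as a NixOS module it receives the host configuration as `osConfig`, so the helper can resolve the declared path: `secretPath = name: if isDarwin then config.sops.secrets.${name}.path else osConfig.sops.secrets.${name}.path;` with `osConfig` added to the module's argument set. The module attrset opened in this hunk continues outside it.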
@@ -4,21 +4,27 @@ let
 inherit (inputs.nixpkgs) lib;
 
 # Shared home-manager configuration block
- homeManagerConfig = username: {
- home-manager = {
- useGlobalPkgs = true;
- useUserPackages = true;
- backupFileExtension = "bak";
- sharedModules = [
- inputs.sops-nix.homeManagerModules.sops
- inputs.lazyvim.homeManagerModules.default
- ];
- extraSpecialArgs = {
- inherit inputs username;
+ homeManagerConfig =
+ {
+ username,
+ sharedModules ? [ ],
+ }:
+ {
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ backupFileExtension = "bak";
+ sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ inputs.lazyvim.homeManagerModules.default
+ ]
+ ++ sharedModules;
+ extraSpecialArgs = {
+ inherit inputs username;
+ };
+ users.${username} = import ../home;
 };
- users.${username} = import ../home;
 };
- };
 in
 {
 # ── NixOS host builder ──────────────────────────────
@@ -39,7 +45,8 @@ in
 ../modules/nixos
 inputs.home-manager.nixosModules.home-manager
 inputs.catppuccin.nixosModules.catppuccin
- (homeManagerConfig username)
+ inputs.sops-nix.nixosModules.sops
+ (homeManagerConfig { inherit username; })
 { networking.hostName = hostname; }
 ]
 ++ extraModules;
@@ -62,7 +69,7 @@ in
 ../modules/shared
 ../modules/darwin
 inputs.home-manager.darwinModules.home-manager
- (homeManagerConfig username)
+ (homeManagerConfig { inherit username; })
 { networking.hostName = hostname; }
 ]
 ++ extraModules;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 67ab0b0..0b3c32f 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -5,6 +5,7 @@
 ./base.nix
 ./docker.nix
 ./locale.nix
+ ./secrets.nix
 ];
 
 # ── Default shell ──────────────────────────────────
diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix
new file mode 100644
index 0000000..6e8162f
--- /dev/null
+++ b/modules/nixos/secrets.nix
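Review bot: The new `sharedModules ? [ ]` argument of `homeManagerConfig` is not exercised by either call site in this commit — both builders pass `{ inherit username; }` — so it is an extension point with no caller and no documentation of what belongs there. If it is meant for per-platform home-manager modules, say so above the parameter, e.g. `# extra home-manager modules appended after the platform-independent ones`, or drop it until a caller needs it. Note that the sops home-manager module must stay in the unconditional list, since home/secrets.nix now sets `sops = lib.mkIf isDarwin { ... }` and that assignment needs the `sops` option to exist on NixOS too.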
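Review bot: The newly imported `modules/nixos/secrets.nix` (pulled in by the `./secrets.nix` line in the modules/nixos/default.nix hunk) takes `username` as a NixOS module argument, but this hunk only adds `inputs.sops-nix.nixosModules.sops` to the module list and passes `username` to home-manager's `extraSpecialArgs`. Unless the NixOS builder's `specialArgs`, which lies outside the hunk, already provides `username`, evaluation of the new module will fail on an undefined argument; if it is missing, adding `username` there (e.g. `specialArgs = { inherit inputs username; };` beside the `modules` list) closes the gap. The builder definition starts before this hunk.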
@@ -0,0 +1,28 @@
+{ username, ... }:
+
+{
+ # ── sops (system-level) ─────────────────────────────
+ # Use NixOS module instead of home-manager module to avoid
+ # systemd user service issues on WSL.
+ # Secrets are placed in /run/secrets/.
+ sops = {
+ age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ];
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+
+ secrets = {
+ ai_gateway_base_url = {
+ owner = username;
+ };
+ ai_gateway_api_key = {
+ owner = username;
+ };
+ exa_api_key = {
+ owner = username;
+ };
+ context7_api_key = {
+ owner = username;
+ };
+ };
+ };
+}
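Review bot: `age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ]` makes system-level decryption, which runs as root during activation, depend on a personal SSH key at a hard-coded home path: on a fresh host, when the key is rotated, or for a user whose home is not under /home, the key is absent and activation fails, and root now reads a user's private key on every switch. Tying decryption to the machine with `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` avoids both problems, though it requires adding the host's age recipient to the sops creation rules and re-encrypting secrets.yaml; at minimum derive the home directory from `config.users.users.${username}.home` (adding `config` to the module arguments) instead of assuming `/home`. The four identical `{ owner = username; }` entries could also collapse to `lib.genAttrs [ "ai_gateway_base_url" "ai_gateway_api_key" "exa_api_key" "context7_api_key" ] (_: { owner = username; })` with `lib` taken from the module arguments.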