fix(sops): use NixOS system module on WSL to avoid systemd user service failure
+22
-7
@@ -1,7 +1,22 @@
|
|||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
{
|
||||||
sops = {
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
let
|
||||||
|
isDarwin = pkgs.stdenv.isDarwin;
|
||||||
|
|
||||||
|
# On Darwin, sops secrets are managed by the home-manager module;
|
||||||
|
# on NixOS, they are managed by the system module → /run/secrets/<name>.
|
||||||
|
secretPath = name: if isDarwin then config.sops.secrets.${name}.path else "/run/secrets/${name}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# sops home-manager config — Darwin only
|
||||||
|
# NixOS uses the system-level module (modules/nixos/secrets.nix)
|
||||||
|
# to avoid systemd user service issues on WSL.
|
||||||
|
sops = lib.mkIf isDarwin {
|
||||||
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
|
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
|
||||||
defaultSopsFile = ../secrets/secrets.yaml;
|
defaultSopsFile = ../secrets/secrets.yaml;
|
||||||
defaultSopsFormat = "yaml";
|
defaultSopsFormat = "yaml";
|
||||||
@@ -29,10 +44,10 @@
|
|||||||
programs.fish.interactiveShellInit = ''
|
programs.fish.interactiveShellInit = ''
|
||||||
# sops-nix secrets → env vars
|
# sops-nix secrets → env vars
|
||||||
for pair in \
|
for pair in \
|
||||||
AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
|
AI_GATEWAY_BASE_URL:${secretPath "ai_gateway_base_url"} \
|
||||||
AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path} \
|
AI_GATEWAY_API_KEY:${secretPath "ai_gateway_api_key"} \
|
||||||
EXA_API_KEY:${config.sops.secrets.exa_api_key.path} \
|
EXA_API_KEY:${secretPath "exa_api_key"} \
|
||||||
CONTEXT7_API_KEY:${config.sops.secrets.context7_api_key.path}
|
CONTEXT7_API_KEY:${secretPath "context7_api_key"}
|
||||||
set -l parts (string split : $pair)
|
set -l parts (string split : $pair)
|
||||||
if test -r $parts[2]
|
if test -r $parts[2]
|
||||||
set -gx $parts[1] (cat $parts[2])
|
set -gx $parts[1] (cat $parts[2])
|
||||||
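Review bot: `secretPath` in the first hunk hardcodes `/run/secrets/${name}` for the NixOS branch, duplicating the system module's default instead of reading the path that module actually assigns; if a secret later sets `path`, or the default symlink location changes, the fish loop in the second hunk silently skips it because `test -r` fails rather than erroring. If the home-manager NixOS/darwin integration exposes the system config as `osConfig` in this module, `osConfig.sops.secrets.${name}.path` would keep the two in sync; otherwise the comment on the `secretPath` line should state that the literal path is a contract with modules/nixos/secrets.nix. The `sops = lib.mkIf isDarwin { … }` block also relies on the home-manager sops module still being imported on NixOS (so the `sops` option is declared) while producing no secrets there; a comment such as `# HM sops module stays imported on NixOS only so this option exists; no secrets are defined there` would record that assumption, which I have not verified against the module's own conditions.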
|
|||||||
+22
-15
@@ -4,21 +4,27 @@ let
|
|||||||
inherit (inputs.nixpkgs) lib;
|
inherit (inputs.nixpkgs) lib;
|
||||||
|
|
||||||
# Shared home-manager configuration block
|
# Shared home-manager configuration block
|
||||||
homeManagerConfig = username: {
|
homeManagerConfig =
|
||||||
home-manager = {
|
{
|
||||||
useGlobalPkgs = true;
|
username,
|
||||||
useUserPackages = true;
|
sharedModules ? [ ],
|
||||||
backupFileExtension = "bak";
|
}:
|
||||||
sharedModules = [
|
{
|
||||||
inputs.sops-nix.homeManagerModules.sops
|
home-manager = {
|
||||||
inputs.lazyvim.homeManagerModules.default
|
useGlobalPkgs = true;
|
||||||
];
|
useUserPackages = true;
|
||||||
extraSpecialArgs = {
|
backupFileExtension = "bak";
|
||||||
inherit inputs username;
|
sharedModules = [
|
||||||
|
inputs.sops-nix.homeManagerModules.sops
|
||||||
|
inputs.lazyvim.homeManagerModules.default
|
||||||
|
]
|
||||||
|
++ sharedModules;
|
||||||
|
extraSpecialArgs = {
|
||||||
|
inherit inputs username;
|
||||||
|
};
|
||||||
|
users.${username} = import ../home;
|
||||||
};
|
};
|
||||||
users.${username} = import ../home;
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
# ── NixOS host builder ──────────────────────────────
|
# ── NixOS host builder ──────────────────────────────
|
||||||
@@ -39,7 +45,8 @@ in
|
|||||||
../modules/nixos
|
../modules/nixos
|
||||||
inputs.home-manager.nixosModules.home-manager
|
inputs.home-manager.nixosModules.home-manager
|
||||||
inputs.catppuccin.nixosModules.catppuccin
|
inputs.catppuccin.nixosModules.catppuccin
|
||||||
(homeManagerConfig username)
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
(homeManagerConfig { inherit username; })
|
||||||
{ networking.hostName = hostname; }
|
{ networking.hostName = hostname; }
|
||||||
]
|
]
|
||||||
++ extraModules;
|
++ extraModules;
|
||||||
@@ -62,7 +69,7 @@ in
|
|||||||
../modules/shared
|
../modules/shared
|
||||||
../modules/darwin
|
../modules/darwin
|
||||||
inputs.home-manager.darwinModules.home-manager
|
inputs.home-manager.darwinModules.home-manager
|
||||||
(homeManagerConfig username)
|
(homeManagerConfig { inherit username; })
|
||||||
{ networking.hostName = hostname; }
|
{ networking.hostName = hostname; }
|
||||||
]
|
]
|
||||||
++ extraModules;
|
++ extraModules;
|
||||||
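Review bot: `sharedModules ? [ ]` on the new `homeManagerConfig` signature has no consumer in this change — both the NixOS builder and the darwin builder pass `{ inherit username; }` — so the parameter adds surface without use unless something outside this diff supplies it. If it is intended for later per-host modules, a one-line comment on the parameter (`# extra home-manager modules supplied per host`) would say so; otherwise it can be dropped until needed. Separately, `inputs.sops-nix.homeManagerModules.sops` stays in `sharedModules` for NixOS hosts even though their secrets now come from `inputs.sops-nix.nixosModules.sops`; that appears necessary because the home module still assigns `sops = lib.mkIf isDarwin { … }`, which needs the option declared, and a comment on that entry noting it would stop a future cleanup from removing it. The `let` enclosing `homeManagerConfig` starts before the first hunk.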
|
|||||||
@@ -5,6 +5,7 @@
|
|||||||
./base.nix
|
./base.nix
|
||||||
./docker.nix
|
./docker.nix
|
||||||
./locale.nix
|
./locale.nix
|
||||||
|
./secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# ── Default shell ──────────────────────────────────
|
# ── Default shell ──────────────────────────────────
|
||||||
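Review bot: `./secrets.nix` is added to this import list, but the `sops.*` options it sets only exist when `inputs.sops-nix.nixosModules.sops` is also imported, and that happens in the host builder rather than here; a host that imports `../modules/nixos` directly would fail with an undeclared `sops` option. A comment next to the new entry, `# requires inputs.sops-nix.nixosModules.sops, imported by the host builder`, would make the dependency explicit, or the sops module could be imported alongside it if `inputs` is reachable in this file. The import list is cut by the hunk at both ends.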
|
|||||||
@@ -0,0 +1,28 @@
|
|||||||
|
{ username, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
# ── sops (system-level) ─────────────────────────────
|
||||||
|
# Use NixOS module instead of home-manager module to avoid
|
||||||
|
# systemd user service issues on WSL.
|
||||||
|
# Secrets are placed in /run/secrets/<name>.
|
||||||
|
sops = {
|
||||||
|
age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ];
|
||||||
|
defaultSopsFile = ../../secrets/secrets.yaml;
|
||||||
|
defaultSopsFormat = "yaml";
|
||||||
|
|
||||||
|
secrets = {
|
||||||
|
ai_gateway_base_url = {
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
ai_gateway_api_key = {
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
exa_api_key = {
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
context7_api_key = {
|
||||||
|
owner = username;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
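Review bot: `age.sshKeyPaths` hardcodes `/home/${username}/.ssh/id_ed25519`, which silently breaks decryption at activation if the user's home is ever not under /home; `config.users.users.${username}.home` (adding `config` to the module arguments) gives the same path from the option that defines it. The four `secrets` entries differ only in name, so `secrets = lib.genAttrs [ "ai_gateway_base_url" "ai_gateway_api_key" "exa_api_key" "context7_api_key" ] (_: { owner = username; });` would keep the name list in one place; the same four names are repeated in the home module's fish loop, so a comment pointing there would help keep them in sync. Because `mode` is left at the module default, the header comment should state that each file is meant to be readable only by `username` — as far as I know that is the sops-nix default, but the intent should be visible in this file rather than inferred.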