diff --git a/.gitignore b/.gitignore
index 726d2d6..e4f3285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,7 @@
 result
 .direnv
+
+# Never commit plaintext secrets
+*.dec.yaml
+*.dec.json
+*.plaintext
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..663d888
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ # imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age
+ - &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env)$
+ key_groups:
+ - age:
+ - *imbytecat
diff --git a/flake.lock b/flake.lock
index 493221d..d004fe8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -119,7 +119,28 @@
 "home-manager": "home-manager",
 "nix-darwin": "nix-darwin",
 "nixos-wsl": "nixos-wsl",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1775682595,
+ "narHash": "sha256-0E9PohY/VuESLq0LR4doaH7hTag513sDDW5n5qmHd1Q=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "d2e8438d5886e92bc5e7c40c035ab6cae0c41f76",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 }
 },
diff --git a/flake.nix b/flake.nix
index 3f4f10a..23abb5f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,6 +19,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 catppuccin = {
 url = "github:catppuccin/nix";
 inputs.nixpkgs.follows = "nixpkgs";
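Review bot: The three new patterns only catch files literally named `*.dec.yaml`, `*.dec.json` or `*.plaintext`, so a plaintext `secrets/foo.yaml` or `secrets/foo.env` saved without ever running `sops` is still committed silently; `.gitignore` is a convenience here, not a control. A pre-commit check that rejects any file under `secrets/` lacking a top-level `sops:` block would actually close that gap, and `*.dec.env` belongs in the list for parity with the `env` suffix the sops creation rule accepts. The heading comment should say as much, e.g. `# Best-effort only: catches these suffixes, not an unencrypted secrets/*.yaml`.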
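Review bot: The key group has exactly one recipient, the age key derived from a personal SSH key (`- &imbytecat age1w74...`), so losing, rotating or passphrase-locking `~/.ssh/id_ed25519` makes everything under `secrets/` unrecoverable, and that one key now serves both SSH authentication and secret decryption. A second recipient anchor under `keys:` (an age key kept offline, or a per-host key if these secrets are ever deployed to more than one machine) listed beside `- *imbytecat` in the `age:` group is the usual mitigation, followed by `sops updatekeys` on every existing file so the new recipient is actually added to their data keys. The existing comment on the key should also record that the SSH private key must remain unencrypted for sops-nix to read it at activation, if that is indeed the setup — worth confirming.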
@@ -67,10 +72,11 @@
 
 # ── Packages ────────────────────────────────────────
 packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (system: {
- comment-checker = (import nixpkgs {
- inherit system;
- overlays = [ self.overlays.default ];
- }).comment-checker;
+ comment-checker =
+ (import nixpkgs {
+ inherit system;
+ overlays = [ self.overlays.default ];
+ }).comment-checker;
 });
 
 # ── Overlays ───────────────────────────────────────
diff --git a/home/default.nix b/home/default.nix
index 888876e..ef8ef7e 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -12,12 +12,12 @@
 ./shell
 ./dev
 ./theme.nix
+ ./secrets.nix
 ];
 
 home = {
 username = username;
- homeDirectory =
- if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
+ homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
 stateVersion = "24.11";
 };
 
@@ -45,6 +45,10 @@
 nvd # nix version diff
 nh # nix helper
 
+ # Secrets management
+ sops
+ age
+
 # AI coding agent
 opencode
 comment-checker
diff --git a/home/secrets.nix b/home/secrets.nix
new file mode 100644
index 0000000..d905f60
--- /dev/null
+++ b/home/secrets.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+ sops = {
+ age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+ defaultSopsFile = ../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+
+ secrets = {
+ ai_gateway_base_url = { };
+ ai_gateway_api_key = { };
+ };
+ };
+
+ programs.fish.interactiveShellInit = ''
+ # sops-nix secrets → env vars
+ for pair in \
+ AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
+ AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path}
+ set -l parts (string split : $pair)
+ if test -r $parts[2]
+ set -gx $parts[1] (cat $parts[2])
+ end
+ end
+ '';
+}
diff --git a/lib/default.nix b/lib/default.nix
index 09c10ed..4969333 100644
--- a/lib/default.nix
+++ b/lib/default.nix
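Review bot: Exporting both secrets into every interactive fish shell (`set -gx $parts[1] (cat $parts[2])`) places the API key in the environment of every child process started from that shell, where any crash reporter, `env` dump, or misbehaving tool can read it; scoping it to the one program that needs it (a wrapper around opencode, or that tool's own config pointing at `config.sops.secrets.ai_gateway_api_key.path`) keeps the exposure to that process. If the env-var approach stays, the split should be bounded to the first colon, `set -l parts (string split -m 1 : $pair)`, so a colon anywhere in the secret path cannot leave `$parts[2]` truncated. The `test -r` guard skips a missing secret silently, which is acceptable as best-effort but deserves a comment such as `# silently skipped if sops-nix has not placed the secret yet`. Note that `age.sshKeyPaths` hands sops-nix the raw `~/.ssh/id_ed25519`; as far as I know an encrypted SSH key cannot be used here because activation has no way to prompt for the passphrase, which is worth confirming on both the Darwin and Linux hosts.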
@@ -9,6 +9,9 @@ let
 useGlobalPkgs = true;
 useUserPackages = true;
 backupFileExtension = "bak";
+ sharedModules = [
+ inputs.sops-nix.homeManagerModules.sops
+ ];
 extraSpecialArgs = {
 inherit inputs username;
 };
@@ -30,16 +33,15 @@ in
 specialArgs = {
 inherit inputs hostname username;
 };
- modules =
- [
- ../modules/shared
- ../modules/nixos
- inputs.home-manager.nixosModules.home-manager
- inputs.catppuccin.nixosModules.catppuccin
- (homeManagerConfig username)
- { networking.hostName = hostname; }
- ]
- ++ extraModules;
+ modules = [
+ ../modules/shared
+ ../modules/nixos
+ inputs.home-manager.nixosModules.home-manager
+ inputs.catppuccin.nixosModules.catppuccin
+ (homeManagerConfig username)
+ { networking.hostName = hostname; }
+ ]
+ ++ extraModules;
 };
 
 # ── nix-darwin host builder ─────────────────────────
@@ -55,15 +57,14 @@ in
 specialArgs = {
 inherit inputs hostname username;
 };
- modules =
- [
- ../modules/shared
- ../modules/darwin
- inputs.home-manager.darwinModules.home-manager
- (homeManagerConfig username)
- { networking.hostName = hostname; }
- ]
- ++ extraModules;
+ modules = [
+ ../modules/shared
+ ../modules/darwin
+ inputs.home-manager.darwinModules.home-manager
+ (homeManagerConfig username)
+ { networking.hostName = hostname; }
+ ]
+ ++ extraModules;
 };
 
 # ── Standalone Home Manager (no NixOS / no Darwin) ──
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..aed142d
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,17 @@
+ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str]
+ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str]
+sops:
+ age:
+ - recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu
+ bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx
+ Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1
+ YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F
+ UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-10T17:42:34Z"
+ mac: ENC[AES256_GCM,data:dVVNOi8k8mmw1aRr1AXUDoF1UdF48HOPfX69Fh/mY9+HzZrIYCukqI4548eL0KcqCrbo0yEtTOYfg6PzckxpGA5FQRVv7qrfimkpFntbWoUzY8dy0pXxKFUxUuHW43XXpqkq1ZmVX5B6/fzkNxiLu4YY9X2Qnf840O/1E0fYaWw=,iv:UFfdK6I2SeGrBz12OcCjAycq7dFPfsAxploBvk+4Zic=,tag:6qLU79NwlKLApErYAoJIVQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.2
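Review bot: This ciphertext is wrapped for a single age recipient (`- recipient: age1w74...`), and once committed it lives in git history forever, so if the SSH key behind that recipient is ever exposed, re-encrypting with `sops rotate` or `sops updatekeys` protects only future revisions — the `ai_gateway_api_key` value itself has to be rotated at the gateway. It would help future readers to record that expectation next to the secret, e.g. a `# rotate the key upstream, not just the recipient, on any key compromise` line in the YAML (sops leaves comments in the plaintext view). The `unencrypted_suffix: _unencrypted` setting also means any key later added with that suffix is stored in clear, which is worth a note so nobody names a real secret that way by accident.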