feat: 集成 sops-nix 机密管理，声明式注入 Fish 环境变量

home/default.nix

@@ -12,12 +12,12 @@
     ./shell
     ./dev
     ./theme.nix
+    ./secrets.nix
   ];
 
   home = {
     username = username;
-    homeDirectory =
-      if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
+    homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
     stateVersion = "24.11";
   };
 
@@ -45,6 +45,10 @@
     nvd # nix version diff
     nh # nix helper
 
+    # Secrets management
+    sops
+    age
+
     # AI coding agent
     opencode
     comment-checker

home/secrets.nix

@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  sops = {
+    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+    defaultSopsFile = ../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+
+    secrets = {
+      ai_gateway_base_url = { };
+      ai_gateway_api_key = { };
+    };
+  };
+
+  programs.fish.interactiveShellInit = ''
+    # sops-nix secrets → env vars
+    for pair in \
+      AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
+      AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path}
+      set -l parts (string split : $pair)
+      if test -r $parts[2]
+        set -gx $parts[1] (cat $parts[2])
+      end
+    end
+  '';
+}