feat: 集成 sops-nix 机密管理，声明式注入 Fish 环境变量

2026-04-11 01:48:09 +08:00
parent cdc2bd0646
commit b28b172a01
8 changed files with 115 additions and 26 deletions
@@ -0,0 +1,26 @@
+{ config, ... }:
+
+{
+  sops = {
+    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+    defaultSopsFile = ../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+
+    secrets = {
+      ai_gateway_base_url = { };
+      ai_gateway_api_key = { };
+    };
+  };
+
+  programs.fish.interactiveShellInit = ''
+    # sops-nix secrets → env vars
+    for pair in \
+      AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
+      AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path}
+      set -l parts (string split : $pair)
+      if test -r $parts[2]
+        set -gx $parts[1] (cat $parts[2])
+      end
+    end
+  '';
+}