mdy/nix-config
1
0
Fork 0
Code Pull Requests Activity

feat: 集成 sops-nix 机密管理,声明式注入 Fish 环境变量

Browse Source
This commit is contained in:
imbytecat
2026-04-11 01:48:09 +08:00
parent cdc2bd0646
commit b28b172a01
8 changed files with 115 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+5
View File
@@ -1,2 +1,7 @@
result
.direnv
# Never commit plaintext secrets
*.dec.yaml
*.dec.json
*.plaintext
.sops.yaml
+9
View File
@@ -0,0 +1,9 @@
keys:
# imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age
- &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env)$
key_groups:
- age:
- *imbytecat
flake.lock
Generated
+22 -1
View File
@@ -119,7 +119,28 @@
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1775682595,
"narHash": "sha256-0E9PohY/VuESLq0LR4doaH7hTag513sDDW5n5qmHd1Q=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "d2e8438d5886e92bc5e7c40c035ab6cae0c41f76",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
flake.nix
+10 -4
View File
@@ -19,6 +19,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
catppuccin = {
url = "github:catppuccin/nix";
inputs.nixpkgs.follows = "nixpkgs";
@@ -67,10 +72,11 @@
# ── Packages ────────────────────────────────────────
packages = nixpkgs.lib.genAttrs [ "aarch64-darwin" "x86_64-linux" ] (system: {
comment-checker = (import nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
}).comment-checker;
comment-checker =
(import nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
}).comment-checker;
});
# ── Overlays ───────────────────────────────────────
home/default.nix
+6 -2
View File
@@ -12,12 +12,12 @@
./shell
./dev
./theme.nix
./secrets.nix
];
home = {
username = username;
homeDirectory =
if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
homeDirectory = if pkgs.stdenv.isDarwin then "/Users/${username}" else "/home/${username}";
stateVersion = "24.11";
};
@@ -45,6 +45,10 @@
nvd # nix version diff
nh # nix helper
# Secrets management
sops
age
# AI coding agent
opencode
comment-checker
home/secrets.nix
+26
View File
@@ -0,0 +1,26 @@
{ config, ... }:
{
sops = {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
defaultSopsFile = ../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
secrets = {
ai_gateway_base_url = { };
ai_gateway_api_key = { };
};
};
programs.fish.interactiveShellInit = ''
# sops-nix secrets env vars
for pair in \
AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path}
set -l parts (string split : $pair)
if test -r $parts[2]
set -gx $parts[1] (cat $parts[2])
end
end
'';
}
lib/default.nix
+20 -19
View File
@@ -9,6 +9,9 @@ let
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "bak";
sharedModules = [
inputs.sops-nix.homeManagerModules.sops
];
extraSpecialArgs = {
inherit inputs username;
};
@@ -30,16 +33,15 @@ in
specialArgs = {
inherit inputs hostname username;
};
modules =
[
../modules/shared
../modules/nixos
inputs.home-manager.nixosModules.home-manager
inputs.catppuccin.nixosModules.catppuccin
(homeManagerConfig username)
{ networking.hostName = hostname; }
]
++ extraModules;
modules = [
../modules/shared
../modules/nixos
inputs.home-manager.nixosModules.home-manager
inputs.catppuccin.nixosModules.catppuccin
(homeManagerConfig username)
{ networking.hostName = hostname; }
]
++ extraModules;
};
# ── nix-darwin host builder ─────────────────────────
@@ -55,15 +57,14 @@ in
specialArgs = {
inherit inputs hostname username;
};
modules =
[
../modules/shared
../modules/darwin
inputs.home-manager.darwinModules.home-manager
(homeManagerConfig username)
{ networking.hostName = hostname; }
]
++ extraModules;
modules = [
../modules/shared
../modules/darwin
inputs.home-manager.darwinModules.home-manager
(homeManagerConfig username)
{ networking.hostName = hostname; }
]
++ extraModules;
};
# ── Standalone Home Manager (no NixOS / no Darwin) ──
secrets/secrets.yaml
+17
View File
@@ -0,0 +1,17 @@
ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str]
ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str]
sops:
age:
- recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu
bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx
Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1
YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F
UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-10T17:42:34Z"
mac: ENC[AES256_GCM,data:dVVNOi8k8mmw1aRr1AXUDoF1UdF48HOPfX69Fh/mY9+HzZrIYCukqI4548eL0KcqCrbo0yEtTOYfg6PzckxpGA5FQRVv7qrfimkpFntbWoUzY8dy0pXxKFUxUuHW43XXpqkq1ZmVX5B6/fzkNxiLu4YY9X2Qnf840O/1E0fYaWw=,iv:UFfdK6I2SeGrBz12OcCjAycq7dFPfsAxploBvk+4Zic=,tag:6qLU79NwlKLApErYAoJIVQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2