refactor: replace sops-nix with 1Password CLI for secrets management
This commit is contained in:
@@ -1,9 +0,0 @@
|
||||
keys:
|
||||
# imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age
|
||||
- &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
|
||||
|
||||
creation_rules:
|
||||
- path_regex: secrets/[^/]+\.(yaml|json|env)$
|
||||
key_groups:
|
||||
- age:
|
||||
- *imbytecat
|
||||
Generated
+1
-22
@@ -173,28 +173,7 @@
|
||||
"lazyvim": "lazyvim",
|
||||
"nix-darwin": "nix-darwin",
|
||||
"nixos-wsl": "nixos-wsl",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1775971308,
|
||||
"narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
||||
@@ -19,11 +19,6 @@
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
catppuccin = {
|
||||
url = "github:catppuccin/nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
+1
-3
@@ -11,7 +11,6 @@
|
||||
./shell
|
||||
./dev
|
||||
./theme.nix
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
home = {
|
||||
@@ -46,8 +45,7 @@
|
||||
just
|
||||
|
||||
# Secrets management
|
||||
sops
|
||||
age
|
||||
_1password-cli
|
||||
|
||||
# AI coding agent
|
||||
opencode
|
||||
|
||||
@@ -1,57 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
isDarwin = pkgs.stdenv.isDarwin;
|
||||
|
||||
# On Darwin, sops secrets are managed by the home-manager module;
|
||||
# on NixOS, they are managed by the system module → /run/secrets/<name>.
|
||||
secretPath = name: if isDarwin then config.sops.secrets.${name}.path else "/run/secrets/${name}";
|
||||
in
|
||||
{
|
||||
# sops home-manager config — Darwin only
|
||||
# NixOS uses the system-level module (modules/nixos/secrets.nix)
|
||||
# to avoid systemd user service issues on WSL.
|
||||
sops = lib.mkIf isDarwin {
|
||||
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
|
||||
defaultSopsFile = ../secrets/secrets.yaml;
|
||||
defaultSopsFormat = "yaml";
|
||||
|
||||
secrets = {
|
||||
ai_gateway_base_url = { };
|
||||
ai_gateway_api_key = { };
|
||||
exa_api_key = { };
|
||||
context7_api_key = { };
|
||||
};
|
||||
};
|
||||
|
||||
# Generate age key from ed25519 SSH key for sops CLI
|
||||
home.activation.sopsAgeKey = config.lib.dag.entryAfter [ "writeBoundary" ] ''
|
||||
KEY_DIR="${config.home.homeDirectory}/.config/sops/age"
|
||||
KEY_FILE="$KEY_DIR/keys.txt"
|
||||
SSH_KEY="${config.home.homeDirectory}/.ssh/id_ed25519"
|
||||
if [ -f "$SSH_KEY" ] && [ ! -f "$KEY_FILE" ]; then
|
||||
mkdir -p "$KEY_DIR"
|
||||
${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$SSH_KEY" > "$KEY_FILE"
|
||||
chmod 600 "$KEY_FILE"
|
||||
fi
|
||||
'';
|
||||
|
||||
programs.fish.interactiveShellInit = ''
|
||||
# sops-nix secrets → env vars
|
||||
for pair in \
|
||||
AI_GATEWAY_BASE_URL:${secretPath "ai_gateway_base_url"} \
|
||||
AI_GATEWAY_API_KEY:${secretPath "ai_gateway_api_key"} \
|
||||
EXA_API_KEY:${secretPath "exa_api_key"} \
|
||||
CONTEXT7_API_KEY:${secretPath "context7_api_key"}
|
||||
set -l parts (string split : $pair)
|
||||
if test -r $parts[2]
|
||||
set -gx $parts[1] (cat $parts[2])
|
||||
end
|
||||
end
|
||||
'';
|
||||
}
|
||||
@@ -1,6 +1,15 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
# ── 1Password env template ──────────────────────────
|
||||
# op:// references only — no real secrets, safe to commit
|
||||
xdg.configFile."op/env.tpl".text = ''
|
||||
AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
|
||||
AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/凭据 }}
|
||||
EXA_API_KEY={{ op://Private/Exa API/凭据 }}
|
||||
CONTEXT7_API_KEY={{ op://Private/Context7 API/凭据 }}
|
||||
'';
|
||||
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
|
||||
@@ -49,6 +58,16 @@
|
||||
if test -f ~/.config/fish/local.fish
|
||||
source ~/.config/fish/local.fish
|
||||
end
|
||||
|
||||
# 1Password → env vars (single op call, silent if locked)
|
||||
if command -q op
|
||||
for line in (op inject -i ~/.config/op/env.tpl 2>/dev/null)
|
||||
set -l kv (string split -m 1 '=' $line)
|
||||
if test (count $kv) -ge 2
|
||||
set -gx $kv[1] $kv[2]
|
||||
end
|
||||
end
|
||||
end
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
@@ -15,7 +15,6 @@ let
|
||||
useUserPackages = true;
|
||||
backupFileExtension = "bak";
|
||||
sharedModules = [
|
||||
inputs.sops-nix.homeManagerModules.sops
|
||||
inputs.lazyvim.homeManagerModules.default
|
||||
]
|
||||
++ sharedModules;
|
||||
@@ -45,7 +44,6 @@ in
|
||||
../modules/nixos
|
||||
inputs.home-manager.nixosModules.home-manager
|
||||
inputs.catppuccin.nixosModules.catppuccin
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
(homeManagerConfig { inherit username; })
|
||||
{ networking.hostName = hostname; }
|
||||
]
|
||||
|
||||
@@ -5,7 +5,6 @@
|
||||
./base.nix
|
||||
./docker.nix
|
||||
./locale.nix
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
# ── Default shell ──────────────────────────────────
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
{ username, ... }:
|
||||
|
||||
{
|
||||
# ── sops (system-level) ─────────────────────────────
|
||||
# Use NixOS module instead of home-manager module to avoid
|
||||
# systemd user service issues on WSL.
|
||||
# Secrets are placed in /run/secrets/<name>.
|
||||
sops = {
|
||||
age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ];
|
||||
defaultSopsFile = ../../secrets/secrets.yaml;
|
||||
defaultSopsFormat = "yaml";
|
||||
|
||||
secrets = {
|
||||
ai_gateway_base_url = {
|
||||
owner = username;
|
||||
};
|
||||
ai_gateway_api_key = {
|
||||
owner = username;
|
||||
};
|
||||
exa_api_key = {
|
||||
owner = username;
|
||||
};
|
||||
context7_api_key = {
|
||||
owner = username;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,19 +0,0 @@
|
||||
ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str]
|
||||
ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str]
|
||||
exa_api_key: ENC[AES256_GCM,data:DqZXFCHP1wpzrvXzLtmtooqKV0ljLTmAARWnfyFjm+tDmqMl,iv:7cDwuVudmWkwoI77XX5azmuOUKrUL3akI53wDc5CJks=,tag:BJZl7M0C9EQAnELcrWYN4Q==,type:str]
|
||||
context7_api_key: ENC[AES256_GCM,data:XjwUQSarEtvWA0wnbRDn8QqFxSpCQphpzgTSeK2NVcn7Z0GLTpUkalCcFg==,iv:ttULoAsJ/4PhuE/LIVok7CaekVWO3FHwKGhjUQiG0E0=,tag:Va7wdsz90LF4LWpeQYP6Iw==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu
|
||||
bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx
|
||||
Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1
|
||||
YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F
|
||||
UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-04-11T15:51:24Z"
|
||||
mac: ENC[AES256_GCM,data:x3Os/6i9jdmyIitD2dnz9Dl2GPLDVQlbPfVMRnebixFJ5fX6L0BqPRVVG20FvtCUQSzTMKp5eVZPRtti3wkr5TyQHz/0bz65B7Ucq3ssnpz0Hh/X8JyLRb6dKyRiiE3kIHf82nq+Do5oFUEG95LmRvhvbVdIzdMF/TJNVXOd4DQ=,iv:hIljr/1Y0Ra02Y4PwykNjhhxzxYFeMc1/waSCEy2skA=,tag:NoLozwKMPZVxKAg8g6R3UA==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.12.2
|
||||
Reference in New Issue
Block a user