diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 663d888..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,9 +0,0 @@ -keys: - # imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age - - &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64 - -creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env)$ - key_groups: - - age: - - *imbytecat diff --git a/flake.lock b/flake.lock index 6852c75..dda1924 100644 --- a/flake.lock +++ b/flake.lock @@ -173,28 +173,7 @@ "lazyvim": "lazyvim", "nix-darwin": "nix-darwin", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_2", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1775971308, - "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" + "nixpkgs": "nixpkgs_2" } }, "systems": { diff --git a/flake.nix b/flake.nix index d2ac833..9e28b8a 100644 --- a/flake.nix +++ b/flake.nix @@ -19,11 +19,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/home/default.nix b/home/default.nix index 31874d3..7c3acb9 100644 --- a/home/default.nix +++ b/home/default.nix @@ -11,7 +11,6 @@ ./shell ./dev ./theme.nix - ./secrets.nix ]; home = { @@ -46,8 +45,7 @@ just # Secrets management - sops - age + _1password-cli # AI coding agent opencode diff --git a/home/secrets.nix b/home/secrets.nix deleted file mode 100644 index 7c08537..0000000 --- a/home/secrets.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: - -let - isDarwin = pkgs.stdenv.isDarwin; - - # On Darwin, sops secrets are managed by the home-manager module; - # on NixOS, they are managed by the system module → /run/secrets/. - secretPath = name: if isDarwin then config.sops.secrets.${name}.path else "/run/secrets/${name}"; -in -{ - # sops home-manager config — Darwin only - # NixOS uses the system-level module (modules/nixos/secrets.nix) - # to avoid systemd user service issues on WSL. - sops = lib.mkIf isDarwin { - age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ]; - defaultSopsFile = ../secrets/secrets.yaml; - defaultSopsFormat = "yaml"; - - secrets = { - ai_gateway_base_url = { }; - ai_gateway_api_key = { }; - exa_api_key = { }; - context7_api_key = { }; - }; - }; - - # Generate age key from ed25519 SSH key for sops CLI - home.activation.sopsAgeKey = config.lib.dag.entryAfter [ "writeBoundary" ] '' - KEY_DIR="${config.home.homeDirectory}/.config/sops/age" - KEY_FILE="$KEY_DIR/keys.txt" - SSH_KEY="${config.home.homeDirectory}/.ssh/id_ed25519" - if [ -f "$SSH_KEY" ] && [ ! -f "$KEY_FILE" ]; then - mkdir -p "$KEY_DIR" - ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$SSH_KEY" > "$KEY_FILE" - chmod 600 "$KEY_FILE" - fi - ''; - - programs.fish.interactiveShellInit = '' - # sops-nix secrets → env vars - for pair in \ - AI_GATEWAY_BASE_URL:${secretPath "ai_gateway_base_url"} \ - AI_GATEWAY_API_KEY:${secretPath "ai_gateway_api_key"} \ - EXA_API_KEY:${secretPath "exa_api_key"} \ - CONTEXT7_API_KEY:${secretPath "context7_api_key"} - set -l parts (string split : $pair) - if test -r $parts[2] - set -gx $parts[1] (cat $parts[2]) - end - end - ''; -} diff --git a/home/shell/fish.nix b/home/shell/fish.nix index 39a5d0a..a1813bf 100644 --- a/home/shell/fish.nix +++ b/home/shell/fish.nix @@ -1,6 +1,15 @@ { ... }: { + # ── 1Password env template ────────────────────────── + # op:// references only — no real secrets, safe to commit + xdg.configFile."op/env.tpl".text = '' + AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }} + AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/凭据 }} + EXA_API_KEY={{ op://Private/Exa API/凭据 }} + CONTEXT7_API_KEY={{ op://Private/Context7 API/凭据 }} + ''; + programs.fish = { enable = true; @@ -49,6 +58,16 @@ if test -f ~/.config/fish/local.fish source ~/.config/fish/local.fish end + + # 1Password → env vars (single op call, silent if locked) + if command -q op + for line in (op inject -i ~/.config/op/env.tpl 2>/dev/null) + set -l kv (string split -m 1 '=' $line) + if test (count $kv) -ge 2 + set -gx $kv[1] $kv[2] + end + end + end ''; }; } diff --git a/lib/default.nix b/lib/default.nix index a876719..4e71282 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -15,7 +15,6 @@ let useUserPackages = true; backupFileExtension = "bak"; sharedModules = [ - inputs.sops-nix.homeManagerModules.sops inputs.lazyvim.homeManagerModules.default ] ++ sharedModules; @@ -45,7 +44,6 @@ in ../modules/nixos inputs.home-manager.nixosModules.home-manager inputs.catppuccin.nixosModules.catppuccin - inputs.sops-nix.nixosModules.sops (homeManagerConfig { inherit username; }) { networking.hostName = hostname; } ] diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0b3c32f..67ab0b0 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -5,7 +5,6 @@ ./base.nix ./docker.nix ./locale.nix - ./secrets.nix ]; # ── Default shell ────────────────────────────────── diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix deleted file mode 100644 index 6e8162f..0000000 --- a/modules/nixos/secrets.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ username, ... }: - -{ - # ── sops (system-level) ───────────────────────────── - # Use NixOS module instead of home-manager module to avoid - # systemd user service issues on WSL. - # Secrets are placed in /run/secrets/. - sops = { - age.sshKeyPaths = [ "/home/${username}/.ssh/id_ed25519" ]; - defaultSopsFile = ../../secrets/secrets.yaml; - defaultSopsFormat = "yaml"; - - secrets = { - ai_gateway_base_url = { - owner = username; - }; - ai_gateway_api_key = { - owner = username; - }; - exa_api_key = { - owner = username; - }; - context7_api_key = { - owner = username; - }; - }; - }; -} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml deleted file mode 100644 index 49505db..0000000 --- a/secrets/secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str] -ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str] -exa_api_key: ENC[AES256_GCM,data:DqZXFCHP1wpzrvXzLtmtooqKV0ljLTmAARWnfyFjm+tDmqMl,iv:7cDwuVudmWkwoI77XX5azmuOUKrUL3akI53wDc5CJks=,tag:BJZl7M0C9EQAnELcrWYN4Q==,type:str] -context7_api_key: ENC[AES256_GCM,data:XjwUQSarEtvWA0wnbRDn8QqFxSpCQphpzgTSeK2NVcn7Z0GLTpUkalCcFg==,iv:ttULoAsJ/4PhuE/LIVok7CaekVWO3FHwKGhjUQiG0E0=,tag:Va7wdsz90LF4LWpeQYP6Iw==,type:str] -sops: - age: - - recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu - bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx - Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1 - YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F - UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-11T15:51:24Z" - mac: ENC[AES256_GCM,data:x3Os/6i9jdmyIitD2dnz9Dl2GPLDVQlbPfVMRnebixFJ5fX6L0BqPRVVG20FvtCUQSzTMKp5eVZPRtti3wkr5TyQHz/0bz65B7Ucq3ssnpz0Hh/X8JyLRb6dKyRiiE3kIHf82nq+Do5oFUEG95LmRvhvbVdIzdMF/TJNVXOd4DQ=,iv:hIljr/1Y0Ra02Y4PwykNjhhxzxYFeMc1/waSCEy2skA=,tag:NoLozwKMPZVxKAg8g6R3UA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.12.2