refactor: replace sops-nix with 1Password CLI for secrets management
This commit is contained in:
+1
-3
@@ -11,7 +11,6 @@
|
||||
./shell
|
||||
./dev
|
||||
./theme.nix
|
||||
./secrets.nix
|
||||
];
|
||||
|
||||
home = {
|
||||
@@ -46,8 +45,7 @@
|
||||
just
|
||||
|
||||
# Secrets management
|
||||
sops
|
||||
age
|
||||
_1password-cli
|
||||
|
||||
# AI coding agent
|
||||
opencode
|
||||
|
||||
@@ -1,57 +0,0 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
isDarwin = pkgs.stdenv.isDarwin;
|
||||
|
||||
# On Darwin, sops secrets are managed by the home-manager module;
|
||||
# on NixOS, they are managed by the system module → /run/secrets/<name>.
|
||||
secretPath = name: if isDarwin then config.sops.secrets.${name}.path else "/run/secrets/${name}";
|
||||
in
|
||||
{
|
||||
# sops home-manager config — Darwin only
|
||||
# NixOS uses the system-level module (modules/nixos/secrets.nix)
|
||||
# to avoid systemd user service issues on WSL.
|
||||
sops = lib.mkIf isDarwin {
|
||||
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
|
||||
defaultSopsFile = ../secrets/secrets.yaml;
|
||||
defaultSopsFormat = "yaml";
|
||||
|
||||
secrets = {
|
||||
ai_gateway_base_url = { };
|
||||
ai_gateway_api_key = { };
|
||||
exa_api_key = { };
|
||||
context7_api_key = { };
|
||||
};
|
||||
};
|
||||
|
||||
# Generate age key from ed25519 SSH key for sops CLI
|
||||
home.activation.sopsAgeKey = config.lib.dag.entryAfter [ "writeBoundary" ] ''
|
||||
KEY_DIR="${config.home.homeDirectory}/.config/sops/age"
|
||||
KEY_FILE="$KEY_DIR/keys.txt"
|
||||
SSH_KEY="${config.home.homeDirectory}/.ssh/id_ed25519"
|
||||
if [ -f "$SSH_KEY" ] && [ ! -f "$KEY_FILE" ]; then
|
||||
mkdir -p "$KEY_DIR"
|
||||
${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i "$SSH_KEY" > "$KEY_FILE"
|
||||
chmod 600 "$KEY_FILE"
|
||||
fi
|
||||
'';
|
||||
|
||||
programs.fish.interactiveShellInit = ''
|
||||
# sops-nix secrets → env vars
|
||||
for pair in \
|
||||
AI_GATEWAY_BASE_URL:${secretPath "ai_gateway_base_url"} \
|
||||
AI_GATEWAY_API_KEY:${secretPath "ai_gateway_api_key"} \
|
||||
EXA_API_KEY:${secretPath "exa_api_key"} \
|
||||
CONTEXT7_API_KEY:${secretPath "context7_api_key"}
|
||||
set -l parts (string split : $pair)
|
||||
if test -r $parts[2]
|
||||
set -gx $parts[1] (cat $parts[2])
|
||||
end
|
||||
end
|
||||
'';
|
||||
}
|
||||
@@ -1,6 +1,15 @@
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
# ── 1Password env template ──────────────────────────
|
||||
# op:// references only — no real secrets, safe to commit
|
||||
xdg.configFile."op/env.tpl".text = ''
|
||||
AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
|
||||
AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/凭据 }}
|
||||
EXA_API_KEY={{ op://Private/Exa API/凭据 }}
|
||||
CONTEXT7_API_KEY={{ op://Private/Context7 API/凭据 }}
|
||||
'';
|
||||
|
||||
programs.fish = {
|
||||
enable = true;
|
||||
|
||||
@@ -49,6 +58,16 @@
|
||||
if test -f ~/.config/fish/local.fish
|
||||
source ~/.config/fish/local.fish
|
||||
end
|
||||
|
||||
# 1Password → env vars (single op call, silent if locked)
|
||||
if command -q op
|
||||
for line in (op inject -i ~/.config/op/env.tpl 2>/dev/null)
|
||||
set -l kv (string split -m 1 '=' $line)
|
||||
if test (count $kv) -ge 2
|
||||
set -gx $kv[1] $kv[2]
|
||||
end
|
||||
end
|
||||
end
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user