mdy/nix-config
1
0
Fork 0
Code Pull Requests Activity

refactor(op): switch to service account auth and simplify env injection

Browse Source
This commit is contained in:
imbytecat
2026-04-14 13:11:16 +08:00
parent 8714184fbd
commit fbb83ff013
3 changed files with 8 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
home/shell/fish.nix
+7 -15
View File
@@ -8,10 +8,10 @@ in
# op:// references only — no real secrets, safe to commit # op:// references only — no real secrets, safe to commit
# Kept outside ~/.config/op — that dir must be 700 and owned by op CLI # Kept outside ~/.config/op — that dir must be 700 and owned by op CLI
xdg.configFile."op-env/env.tpl".text = '' xdg.configFile."op-env/env.tpl".text = ''
AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }} set -gx AI_GATEWAY_BASE_URL "{{ op://Developer/AI Gateway API/URL }}"
AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }} set -gx AI_GATEWAY_API_KEY "{{ op://Developer/AI Gateway API/credential }}"
EXA_API_KEY={{ op://Private/Exa API/credential }} set -gx EXA_API_KEY "{{ op://Developer/Exa API/credential }}"
CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }} set -gx CONTEXT7_API_KEY "{{ op://Developer/Context7 API/credential }}"
''; '';
programs.fish = { programs.fish = {
@@ -49,7 +49,6 @@ in
if set -q WSL_DISTRO_NAME if set -q WSL_DISTRO_NAME
alias pbcopy clip.exe alias pbcopy clip.exe
alias pbpaste "powershell.exe -noprofile -c Get-Clipboard" alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
alias op op.exe
end end
# User-local overrides # User-local overrides
@@ -58,19 +57,12 @@ in
end end
# 1Password env vars (single op call, silent on failure) # 1Password env vars (single op call, silent on failure)
# Auth via OP_SERVICE_ACCOUNT_TOKEN (set it in ~/.config/fish/local.fish)
function op-env --description "Load secrets from 1Password" function op-env --description "Load secrets from 1Password"
if not type -q op; or not test -f ${envTpl} if not type -q op; or not set -q OP_SERVICE_ACCOUNT_TOKEN; or not test -f ${envTpl}
return 1 return 1
end end
set -l output (op inject --in-file ${envTpl} 2>/dev/null) op inject --in-file ${envTpl} 2>/dev/null | source
or return 1
for line in $output
string match -qr '^\s*(#|$)' -- $line; and continue
set -l kv (string split -m 1 '=' $line)
if test (count $kv) -ge 2
set -gx $kv[1] $kv[2]
end
end
end end
op-env op-env
''; '';
modules/darwin/default.nix
-3
View File
@@ -9,9 +9,6 @@
# ── Primary user (required by nix-darwin) ────────── # ── Primary user (required by nix-darwin) ──────────
system.primaryUser = username; system.primaryUser = username;
# ── 1Password CLI ───────────────────────────────────
programs._1password.enable = true;
# ── User ─────────────────────────────────────────── # ── User ───────────────────────────────────────────
users.knownUsers = [ username ]; users.knownUsers = [ username ];
users.users.${username} = { users.users.${username} = {
modules/shared/default.nix
+1
View File
@@ -5,5 +5,6 @@
]; ];
programs.fish.enable = true; programs.fish.enable = true;
programs._1password.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
} }