9 Commits

9 changed files with 92 additions and 138 deletions
-9
@@ -1,9 +0,0 @@
keys:
# imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age
- &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env)$
key_groups:
- age:
- *imbytecat
Generated
+7 -28
@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775938181, "lastModified": 1775994227,
"narHash": "sha256-3VRl7wTV2guWBI1kYT2OZEAMYU5nUZMo6um9UH+HYHE=", "narHash": "sha256-4VKeWtl9dEubrgpy9fSXkXbjBZlNXPNlQQM5l1ppHv4=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "8d8b4fd30aecbf30eef6b1d1977670a597d29494", "rev": "d0a9a21ed8e235956a768fc624242ec9a3e15575",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -61,11 +61,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775983377, "lastModified": 1776046499,
"narHash": "sha256-ZeRjipGQnVtQ/6batI+yVOrL853FZsL0m9A63OaSfgM=", "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e0ca734ffc85d25297715e98010b93303fa165c4", "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -173,28 +173,7 @@
"lazyvim": "lazyvim", "lazyvim": "lazyvim",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-wsl": "nixos-wsl", "nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1775971308,
"narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
}, },
"systems": { "systems": {
-5
@@ -19,11 +19,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
catppuccin = { catppuccin = {
url = "github:catppuccin/nix"; url = "github:catppuccin/nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
+36 -32
@@ -1,5 +1,6 @@
{ {
inputs, inputs,
lib,
username, username,
pkgs, pkgs,
... ...
@@ -11,7 +12,6 @@
./shell ./shell
./dev ./dev
./theme.nix ./theme.nix
./secrets.nix
]; ];
home = { home = {
@@ -21,42 +21,46 @@
}; };
# ── User-level packages ──────────────────────────── # ── User-level packages ────────────────────────────
home.packages = with pkgs; [ home.packages =
# Modern CLI replacements with pkgs;
dust # du [
duf # df # Modern CLI replacements
procs # ps dust # du
sd # sed duf # df
xh # curl/httpie procs # ps
jq # JSON sd # sed
yq # YAML xh # curl/httpie
wget jq # JSON
yq # YAML
wget
# System info # System info
fastfetch fastfetch
tealdeer # tldr tealdeer # tldr
# File management # File management
gomi gomi
# Nix tools # Nix tools
nix-output-monitor # nom nix-output-monitor # nom
nvd # nix version diff nvd # nix version diff
nh # nix helper nh # nix helper
just just
# Secrets management # Secrets management (WSL uses Windows op.exe via interop)
sops ]
age ++ lib.optionals pkgs.stdenv.isDarwin [
_1password-cli
]
++ (with pkgs; [
# AI coding agent
opencode
comment-checker
# AI coding agent # Misc
opencode ffmpeg
comment-checker pandoc
]);
# Misc
ffmpeg
pandoc
];
# XDG directories # XDG directories
xdg.enable = true; xdg.enable = true;
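Review bot: The comment `# Secrets management (WSL uses Windows op.exe via interop)` ends up as the last line of the first list, while the package it explains, `_1password-cli`, sits in the `lib.optionals pkgs.stdenv.isDarwin` list after it; moving the comment into that list keeps it attached to what it describes. With `sops` and `age` removed and `op` installed only on Darwin, a Linux host that is not WSL gets no `op` binary, and the fish `op-env` function shown later on this page then returns 1 without setting any variable. If that is intended, the comment should say so, e.g. `# 1Password CLI: Darwin only; WSL aliases op to op.exe; other Linux hosts load no secrets`. `_1password-cli` is presumably unfree in nixpkgs, so the Darwin build depends on an allow-unfree setting that is not visible in this section.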
-30
@@ -1,30 +0,0 @@
{ config, ... }:
{
sops = {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
defaultSopsFile = ../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
secrets = {
ai_gateway_base_url = { };
ai_gateway_api_key = { };
exa_api_key = { };
context7_api_key = { };
};
};
programs.fish.interactiveShellInit = ''
# sops-nix secrets env vars
for pair in \
AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path} \
EXA_API_KEY:${config.sops.secrets.exa_api_key.path} \
CONTEXT7_API_KEY:${config.sops.secrets.context7_api_key.path}
set -l parts (string split : $pair)
if test -r $parts[2]
set -gx $parts[1] (cat $parts[2])
end
end
'';
}
+25
@@ -1,6 +1,15 @@
{ ... }: { ... }:
{ {
# ── 1Password env template ──────────────────────────
# op:// references only — no real secrets, safe to commit
xdg.configFile."op/env.tpl".text = ''
AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
EXA_API_KEY={{ op://Private/Exa API/credential }}
CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
'';
programs.fish = { programs.fish = {
enable = true; enable = true;
@@ -43,12 +52,28 @@
if set -q WSL_DISTRO_NAME if set -q WSL_DISTRO_NAME
alias pbcopy clip.exe alias pbcopy clip.exe
alias pbpaste "powershell.exe -noprofile -c Get-Clipboard" alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
alias op op.exe
end end
# User-local overrides # User-local overrides
if test -f ~/.config/fish/local.fish if test -f ~/.config/fish/local.fish
source ~/.config/fish/local.fish source ~/.config/fish/local.fish
end end
# 1Password env vars (single op call, silent if locked)
function op-env --description "Load secrets from 1Password"
if not type -q op; or not test -f ~/.config/op/env.tpl
return 1
end
for line in (op inject < ~/.config/op/env.tpl 2>/dev/null)
string match -qr '^\s*(#|$)' -- $line; and continue
set -l kv (string split -m 1 '=' $line)
if test (count $kv) -ge 2
set -gx $kv[1] $kv[2]
end
end
end
op-env
''; '';
}; };
} }
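Review bot: The bare `op-env` call at the end of the second hunk runs on every interactive shell start, and `set -gx` then places all four API keys in the environment of every process launched from that shell, not only the tools that need them. Consider dropping the automatic call so the function is run on demand, or scoping the values to a single command with `op run`. Because stderr goes to `/dev/null` and the result of `op inject` is never checked, a renamed vault item looks the same as a locked vault; `set -l out (op inject < ~/.config/op/env.tpl 2>/dev/null); or return 1` before the loop would give callers a usable status. The sops ciphertext for the same four names is deleted elsewhere in this compare but stays in repository history, so it is worth confirming the keys were rotated when they moved into 1Password. The `interactiveShellInit` string starts outside the hunk.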
+4
@@ -5,7 +5,11 @@
wsl = { wsl = {
enable = true; enable = true;
defaultUser = username; defaultUser = username;
interop.register = true;
}; };
# ── nix-ld (VSCode Remote, etc.) ────────────────────
programs.nix-ld.enable = true;
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }
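Review bot: `interop.register = true;` is added without a comment, although it appears to be what lets the fish alias from `op` to `op.exe` work, going by the `WSL uses Windows op.exe via interop` comment in the package list. A line such as `# needed so Linux shells can exec Windows binaries (op.exe for 1Password)` would record why it is switched on. Interop also lets processes inside the distro start Windows executables under the Windows account, which matters more now that secrets arrive through that path. The module's opening lines are outside the hunk.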
+20 -15
@@ -4,21 +4,26 @@ let
inherit (inputs.nixpkgs) lib; inherit (inputs.nixpkgs) lib;
# Shared home-manager configuration block # Shared home-manager configuration block
homeManagerConfig = username: { homeManagerConfig =
home-manager = { {
useGlobalPkgs = true; username,
useUserPackages = true; sharedModules ? [ ],
backupFileExtension = "bak"; }:
sharedModules = [ {
inputs.sops-nix.homeManagerModules.sops home-manager = {
inputs.lazyvim.homeManagerModules.default useGlobalPkgs = true;
]; useUserPackages = true;
extraSpecialArgs = { backupFileExtension = "bak";
inherit inputs username; sharedModules = [
inputs.lazyvim.homeManagerModules.default
]
++ sharedModules;
extraSpecialArgs = {
inherit inputs username;
};
users.${username} = import ../home;
}; };
users.${username} = import ../home;
}; };
};
in in
{ {
# ── NixOS host builder ────────────────────────────── # ── NixOS host builder ──────────────────────────────
@@ -39,7 +44,7 @@ in
../modules/nixos ../modules/nixos
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.catppuccin.nixosModules.catppuccin inputs.catppuccin.nixosModules.catppuccin
(homeManagerConfig username) (homeManagerConfig { inherit username; })
{ networking.hostName = hostname; } { networking.hostName = hostname; }
] ]
++ extraModules; ++ extraModules;
@@ -62,7 +67,7 @@ in
../modules/shared ../modules/shared
../modules/darwin ../modules/darwin
inputs.home-manager.darwinModules.home-manager inputs.home-manager.darwinModules.home-manager
(homeManagerConfig username) (homeManagerConfig { inherit username; })
{ networking.hostName = hostname; } { networking.hostName = hostname; }
] ]
++ extraModules; ++ extraModules;
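Review bot: The new `sharedModules ? [ ]` argument is not passed by either call site in this section (both use `homeManagerConfig { inherit username; }`), so it is dead unless a caller outside the visible hunks supplies it. Inside the body, `sharedModules = [ ... ] ++ sharedModules;` reads the function argument rather than the attribute being defined, which is easy to misread; renaming the argument, e.g. `extraSharedModules ? [ ]` with `++ extraSharedModules`, removes the ambiguity. A one-line comment above `homeManagerConfig` naming the two arguments would help as well.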
-19
@@ -1,19 +0,0 @@
ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str]
ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str]
exa_api_key: ENC[AES256_GCM,data:DqZXFCHP1wpzrvXzLtmtooqKV0ljLTmAARWnfyFjm+tDmqMl,iv:7cDwuVudmWkwoI77XX5azmuOUKrUL3akI53wDc5CJks=,tag:BJZl7M0C9EQAnELcrWYN4Q==,type:str]
context7_api_key: ENC[AES256_GCM,data:XjwUQSarEtvWA0wnbRDn8QqFxSpCQphpzgTSeK2NVcn7Z0GLTpUkalCcFg==,iv:ttULoAsJ/4PhuE/LIVok7CaekVWO3FHwKGhjUQiG0E0=,tag:Va7wdsz90LF4LWpeQYP6Iw==,type:str]
sops:
age:
- recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu
bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx
Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1
YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F
UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-11T15:51:24Z"
mac: ENC[AES256_GCM,data:x3Os/6i9jdmyIitD2dnz9Dl2GPLDVQlbPfVMRnebixFJ5fX6L0BqPRVVG20FvtCUQSzTMKp5eVZPRtti3wkr5TyQHz/0bz65B7Ucq3ssnpz0Hh/X8JyLRb6dKyRiiE3kIHf82nq+Do5oFUEG95LmRvhvbVdIzdMF/TJNVXOd4DQ=,iv:hIljr/1Y0Ra02Y4PwykNjhhxzxYFeMc1/waSCEy2skA=,tag:NoLozwKMPZVxKAg8g6R3UA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2