refactor(fish): extract op-env into reloadable function and skip comment lines

fix: op path
fix: use type -q and stdin for op inject to support WSL interop alias
2026-04-13 15:46:19 +08:00 · 2026-04-13 15:38:10 +08:00 · 2026-04-13 15:29:13 +08:00 · 2026-04-13 15:21:34 +08:00 · 2026-04-13 15:14:47 +08:00 · 2026-04-13 14:59:13 +08:00
9 changed files with 92 additions and 138 deletions
@@ -1,9 +0,0 @@
 keys:
  # imbytecat — derived from ~/.ssh/id_ed25519 via ssh-to-age
  - &imbytecat age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env)$
    key_groups:
      - age:
          - *imbytecat
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775938181,
+        "lastModified": 1775994227,
-        "narHash": "sha256-3VRl7wTV2guWBI1kYT2OZEAMYU5nUZMo6um9UH+HYHE=",
+        "narHash": "sha256-4VKeWtl9dEubrgpy9fSXkXbjBZlNXPNlQQM5l1ppHv4=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "8d8b4fd30aecbf30eef6b1d1977670a597d29494",
+        "rev": "d0a9a21ed8e235956a768fc624242ec9a3e15575",
        "type": "github"
      },
      "original": {
@@ -61,11 +61,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775983377,
+        "lastModified": 1776046499,
-        "narHash": "sha256-ZeRjipGQnVtQ/6batI+yVOrL853FZsL0m9A63OaSfgM=",
+        "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e0ca734ffc85d25297715e98010b93303fa165c4",
+        "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d",
        "type": "github"
      },
      "original": {
@@ -173,28 +173,7 @@
        "lazyvim": "lazyvim",
        "nix-darwin": "nix-darwin",
        "nixos-wsl": "nixos-wsl",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_2"
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1775971308,
        "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "systems": {
@@ -19,11 +19,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    catppuccin = {
      url = "github:catppuccin/nix";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -1,5 +1,6 @@
 {
  inputs,
  lib,
  username,
  pkgs,
  ...
@@ -11,7 +12,6 @@
    ./shell
    ./dev
    ./theme.nix
    ./secrets.nix
  ];
  home = {
@@ -21,7 +21,9 @@
  };
  # ── User-level packages ────────────────────────────
-  home.packages = with pkgs; [
+  home.packages =
    with pkgs;
    [
      # Modern CLI replacements
      dust # du
      duf # df
@@ -45,10 +47,12 @@
      nh # nix helper
      just
-    # Secrets management
+      # Secrets management (WSL uses Windows op.exe via interop)
-    sops
+    ]
-    age
+    ++ lib.optionals pkgs.stdenv.isDarwin [
-
+      _1password-cli
    ]
    ++ (with pkgs; [
      # AI coding agent
      opencode
      comment-checker
@@ -56,7 +60,7 @@
      # Misc
      ffmpeg
      pandoc
-  ];
+    ]);
  # XDG directories
  xdg.enable = true;
@@ -1,30 +0,0 @@
 { config, ... }:
 {
  sops = {
    age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
    defaultSopsFile = ../secrets/secrets.yaml;
    defaultSopsFormat = "yaml";
    secrets = {
      ai_gateway_base_url = { };
      ai_gateway_api_key = { };
      exa_api_key = { };
      context7_api_key = { };
    };
  };
  programs.fish.interactiveShellInit = ''
    # sops-nix secrets → env vars
    for pair in \
      AI_GATEWAY_BASE_URL:${config.sops.secrets.ai_gateway_base_url.path} \
      AI_GATEWAY_API_KEY:${config.sops.secrets.ai_gateway_api_key.path} \
      EXA_API_KEY:${config.sops.secrets.exa_api_key.path} \
      CONTEXT7_API_KEY:${config.sops.secrets.context7_api_key.path}
      set -l parts (string split : $pair)
      if test -r $parts[2]
        set -gx $parts[1] (cat $parts[2])
      end
    end
  '';
 }
@@ -1,6 +1,15 @@
 { ... }:
 {
  # ── 1Password env template ──────────────────────────
  # op:// references only — no real secrets, safe to commit
  xdg.configFile."op/env.tpl".text = ''
    AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
    AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
    EXA_API_KEY={{ op://Private/Exa API/credential }}
    CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
  '';
  programs.fish = {
    enable = true;
@@ -43,12 +52,28 @@
      if set -q WSL_DISTRO_NAME
        alias pbcopy clip.exe
        alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
        alias op op.exe
      end
      # User-local overrides
      if test -f ~/.config/fish/local.fish
        source ~/.config/fish/local.fish
      end
      # 1Password → env vars (single op call, silent if locked)
      function op-env --description "Load secrets from 1Password"
        if not type -q op; or not test -f ~/.config/op/env.tpl
          return 1
        end
        for line in (op inject < ~/.config/op/env.tpl 2>/dev/null)
          string match -qr '^\s*(#|$)' -- $line; and continue
          set -l kv (string split -m 1 '=' $line)
          if test (count $kv) -ge 2
            set -gx $kv[1] $kv[2]
          end
        end
      end
      op-env
    '';
  };
 }
@@ -5,7 +5,11 @@
  wsl = {
    enable = true;
    defaultUser = username;
    interop.register = true;
  };
  # ── nix-ld (VSCode Remote, etc.) ────────────────────
  programs.nix-ld.enable = true;
  system.stateVersion = "24.11";
 }
@@ -4,15 +4,20 @@ let
  inherit (inputs.nixpkgs) lib;
  # Shared home-manager configuration block
-  homeManagerConfig = username: {
+  homeManagerConfig =
    {
      username,
      sharedModules ? [ ],
    }:
    {
      home-manager = {
        useGlobalPkgs = true;
        useUserPackages = true;
        backupFileExtension = "bak";
        sharedModules = [
        inputs.sops-nix.homeManagerModules.sops
          inputs.lazyvim.homeManagerModules.default
-      ];
+        ]
        ++ sharedModules;
        extraSpecialArgs = {
          inherit inputs username;
        };
@@ -39,7 +44,7 @@ in
        ../modules/nixos
        inputs.home-manager.nixosModules.home-manager
        inputs.catppuccin.nixosModules.catppuccin
-        (homeManagerConfig username)
+        (homeManagerConfig { inherit username; })
        { networking.hostName = hostname; }
      ]
      ++ extraModules;
@@ -62,7 +67,7 @@ in
        ../modules/shared
        ../modules/darwin
        inputs.home-manager.darwinModules.home-manager
-        (homeManagerConfig username)
+        (homeManagerConfig { inherit username; })
        { networking.hostName = hostname; }
      ]
      ++ extraModules;
@@ -1,19 +0,0 @@
 ai_gateway_base_url: ENC[AES256_GCM,data:5/F4Tp6O4cYcpV6j00WOk2kXRd9iUorvD2Fl5LWKy9yJgfA=,iv:f09QoozjEEvblSOlDutw3CODju6DlTOKSjgPS5ypfJQ=,tag:ojD9CbG6ZiL3qlUzTcp4/w==,type:str]
 ai_gateway_api_key: ENC[AES256_GCM,data:bGr4RGGOANmUNY8fZzhdq4/0hdc+3g9adFaNoXTOAF823iZAbtLi6jC7EXVrDJYuTjBH,iv:YLMecyk3yIAcSY63gmEJm7NJcFD9vE0D8zqb1vNJd98=,tag:w1GThmuY3aBNr15VPOtuNg==,type:str]
 exa_api_key: ENC[AES256_GCM,data:DqZXFCHP1wpzrvXzLtmtooqKV0ljLTmAARWnfyFjm+tDmqMl,iv:7cDwuVudmWkwoI77XX5azmuOUKrUL3akI53wDc5CJks=,tag:BJZl7M0C9EQAnELcrWYN4Q==,type:str]
 context7_api_key: ENC[AES256_GCM,data:XjwUQSarEtvWA0wnbRDn8QqFxSpCQphpzgTSeK2NVcn7Z0GLTpUkalCcFg==,iv:ttULoAsJ/4PhuE/LIVok7CaekVWO3FHwKGhjUQiG0E0=,tag:Va7wdsz90LF4LWpeQYP6Iw==,type:str]
 sops:
    age:
        - recipient: age1w74wqpmum6xa3mk5p7ya620e8mhn9afdyf30gh3fk44javxsmvssm4hs64
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArK24ySVh3cU1taUlJUENu
            bnpLRDlwN1JYRGJpNFVpU3ZjbkZrTlBxK2drCkZCcE9ZVWN1YitZZEM4NjRkUjAx
            Uy9yZ3F4TkRhNEpEMzRPVmM5ZjJmTW8KLS0tIDR1QVlFSkpEY2ZQZWFpOXVVTkR1
            YUFlVW1IcGpVdjRsMmlmL1lOeEQzY1EKH1K2NomPsote6PGp30ZASKKwQoZi9x5F
            UWPj6xphWXp/7lFE7XpujKU323tFj7mZ+wRCb77T9QTNbg8zGsUO/A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-04-11T15:51:24Z"
    mac: ENC[AES256_GCM,data:x3Os/6i9jdmyIitD2dnz9Dl2GPLDVQlbPfVMRnebixFJ5fX6L0BqPRVVG20FvtCUQSzTMKp5eVZPRtti3wkr5TyQHz/0bz65B7Ucq3ssnpz0Hh/X8JyLRb6dKyRiiE3kIHf82nq+Do5oFUEG95LmRvhvbVdIzdMF/TJNVXOd4DQ=,iv:hIljr/1Y0Ra02Y4PwykNjhhxzxYFeMc1/waSCEy2skA=,tag:NoLozwKMPZVxKAg8g6R3UA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.12.2
Author	SHA1	Message	Date
imbytecat	09463d0dbb	refactor(fish): extract op-env into reloadable function and skip comment lines	2026-04-13 15:46:19 +08:00
imbytecat	82ab946ba1	fix: op path	2026-04-13 15:38:10 +08:00
imbytecat	50808a9ecf	fix: use type -q and stdin for op inject to support WSL interop alias	2026-04-13 15:29:13 +08:00
imbytecat	024ea2c676	refactor(wsl): use Windows op.exe via interop instead of native 1password-cli	2026-04-13 15:21:34 +08:00
imbytecat	9e610b89b2	fix(wsl): enable interop to allow executing Windows executables	2026-04-13 15:14:47 +08:00
imbytecat	8f26433357	chore: update flake inputs (catppuccin/nix, home-manager)	2026-04-13 14:59:13 +08:00
imbytecat	b9e8566cee	refactor: replace sops-nix with 1Password CLI for secrets management	2026-04-13 14:57:11 +08:00
imbytecat	2f6e3aea89	fix(sops): use NixOS system module on WSL to avoid systemd user service failure	2026-04-13 13:49:27 +08:00
imbytecat	2a1fb40fd3	feat(wsl): enable nix-ld for VSCode Remote and auto-generate sops age key from ed25519	2026-04-13 13:37:06 +08:00