From 63a3bb6e98a405141aedc9a616fa0bce37eecad6 Mon Sep 17 00:00:00 2001
From: Poby <87608318+smg1024@users.noreply.github.com>
Date: Sat, 14 Mar 2026 21:22:56 +0900
Subject: [PATCH] feat: sops-nix configuration encrypt personal ssh key for git
---
 .sops.yaml | 7 +++
 flake.lock | 99 +++++++------------------------------
 flake.nix | 14 +++---
 home/default.nix | 4 +-
 home/gh.nix | 7 ++-
 home/nvf/default.nix | 8 ++-
 home/nvf/lsp/treesitter.nix | 6 +++
 home/sops.nix | 12 +++++
 home/ssh.nix | 16 ++++++
 secrets/poby.yaml | 16 ++++++
 10 files changed, 98 insertions(+), 91 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 home/sops.nix
 create mode 100644 home/ssh.nix
 create mode 100644 secrets/poby.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..85d5427
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &poby age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+creation_rules:
+ - path_regex: secrets/.*\.yaml$
+ key_groups:
+ - age:
+ - *poby
diff --git a/flake.lock b/flake.lock
index 1fc81ad..921aba9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,28 +1,5 @@
 {
 "nodes": {
- "agenix": {
- "inputs": {
- "darwin": "darwin",
- "home-manager": "home-manager",
- "nixpkgs": [
- "nixpkgs-darwin"
- ],
- "systems": "systems"
- },
- "locked": {
- "lastModified": 1770165109,
- "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
- "owner": "ryantm",
- "repo": "agenix",
- "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
- "type": "github"
- },
- "original": {
- "owner": "ryantm",
- "repo": "agenix",
- "type": "github"
- }
- },
 "brew-src": {
 "flake": false,
 "locked": {
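Review bot: The creation rule encrypts everything under `secrets/` to the single age recipient `&poby`, so the private SSH key committed in secrets/poby.yaml (last hunk) is recoverable only with the one private key that home/sops.nix expects at `~/.config/sops/age/keys.txt`; lose that file and the secret is gone, expose it and a credential that stays in repository history forever is disclosed. Consider listing a second, offline-held recipient under `key_groups` so the secret survives loss of the primary key, and a comment above `keys:` such as `# age recipients; the matching private key is provisioned out of band and never committed` so the provisioning requirement is visible in the file. If the age key is ever exposed, the GitHub SSH key should be rotated and re-encrypted rather than relying on the ciphertext staying unreadable.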
@@ -41,28 +18,6 @@
 }
 },
 "darwin": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1744478979,
- "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
- "owner": "lnl7",
- "repo": "nix-darwin",
- "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
- "type": "github"
- },
- "original": {
- "owner": "lnl7",
- "ref": "master",
- "repo": "nix-darwin",
- "type": "github"
- }
- },
- "darwin_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs-darwin"
@@ -121,27 +76,6 @@
 }
 },
 "home-manager": {
- "inputs": {
- "nixpkgs": [
- "agenix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1745494811,
- "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
- "owner": "nix-community",
- "repo": "home-manager",
- "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
- "type": "github"
- },
- "original": {
- "owner": "nix-community",
- "repo": "home-manager",
- "type": "github"
- }
- },
- "home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs-darwin"
@@ -288,7 +222,7 @@
 "nixpkgs": [
 "nixpkgs"
 ],
- "systems": "systems_2"
+ "systems": "systems"
 },
 "locked": {
 "lastModified": 1773343795,
@@ -306,33 +240,38 @@
 },
 "root": {
 "inputs": {
- "agenix": "agenix",
- "darwin": "darwin_2",
- "home-manager": "home-manager_2",
+ "darwin": "darwin",
+ "home-manager": "home-manager",
 "homebrew-cask": "homebrew-cask",
 "homebrew-core": "homebrew-core",
 "nix-homebrew": "nix-homebrew",
 "nixpkgs": "nixpkgs",
 "nixpkgs-darwin": "nixpkgs-darwin",
- "nvf": "nvf"
+ "nvf": "nvf",
+ "sops-nix": "sops-nix"
 }
 },
- "systems": {
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs-darwin"
+ ]
+ },
 "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "lastModified": 1773096132,
+ "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
 "type": "github"
 },
 "original": {
- "owner": "nix-systems",
- "repo": "default",
+ "owner": "Mic92",
+ "repo": "sops-nix",
 "type": "github"
 }
 },
- "systems_2": {
+ "systems": {
 "locked": {
 "lastModified": 1681028828,
 "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
diff --git a/flake.nix b/flake.nix
index 295890c..1007bc9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -42,9 +42,9 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
- # TODO: agenix for secrets
- agenix = {
- url = "github:ryantm/agenix";
+ # sops-nix for secrets
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs-darwin";
 };
 };
@@ -56,7 +56,7 @@
 darwin,
 home-manager,
 nvf,
- agenix,
+ sops-nix,
 nix-homebrew,
 homebrew-core,
 homebrew-cask,
@@ -99,7 +99,6 @@
 homebrew.taps = builtins.attrNames config.nix-homebrew.taps;
 }
 )
- agenix.darwinModules.default
 home-manager.darwinModules.home-manager
 {
 home-manager = {
@@ -107,7 +106,10 @@
 useUserPackages = true;
 backupFileExtension = "backup";
 extraSpecialArgs = specialArgs;
- sharedModules = [ nvf.homeManagerModules.nvf ];
+ sharedModules = [
+ nvf.homeManagerModules.nvf
+ sops-nix.homeManagerModules.sops
+ ];
 users.${username} = import ./home;
 };
 }
diff --git a/home/default.nix b/home/default.nix
index 533eccf..c3c4b9e 100755
--- a/home/default.nix
+++ b/home/default.nix
@@ -21,8 +21,8 @@
 ./terminal.nix
 ./bat.nix
 ./aerospace.nix
- # TODO ./browser.nix
- # TODO ./pass.nix
+ ./sops.nix
+ ./ssh.nix
 # TODO ./claude-code.nix
 # TODO ./codex.nix
 # TODO ./gemini-cli.nix
diff --git a/home/gh.nix b/home/gh.nix
index b922f10..9120613 100755
--- a/home/gh.nix
+++ b/home/gh.nix
@@ -1,3 +1,8 @@
 {
- programs.gh.enable = true;
+ programs.gh = {
+ enable = true;
+ settings = {
+ git_protocol = "ssh";
+ };
+ };
 }
diff --git a/home/nvf/default.nix b/home/nvf/default.nix
index 5430100..05bc14b 100755
--- a/home/nvf/default.nix
+++ b/home/nvf/default.nix
@@ -1,4 +1,8 @@
-{ lib, ... }:
+{
+ lib,
+ pkgs,
+ ...
+}:
 let
 options = import ./core/options.nix;
 autocmds = import ./core/autocmds.nix { inherit lib; };
@@ -11,7 +15,7 @@ let
 terminal = import ./plugins/terminal.nix;
 theme = import ./appearance/theme.nix;
 lsp = import ./lsp/lsp.nix;
- treesitter = import ./lsp/treesitter.nix;
+ treesitter = import ./lsp/treesitter.nix { inherit pkgs; };
 autocomplete = import ./lsp/autocomplete.nix;
 languages = import ./lsp/languages;
 in
diff --git a/home/nvf/lsp/treesitter.nix b/home/nvf/lsp/treesitter.nix
index f5f8657..c831cf8 100755
--- a/home/nvf/lsp/treesitter.nix
+++ b/home/nvf/lsp/treesitter.nix
@@ -1,7 +1,13 @@
+{ pkgs, ... }:
 {
 # treesitter
 enable = true;
 addDefaultGrammars = true;
+ grammars = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [
+ nix
+ lua
+ yaml
+ ];
 fold = true;
 highlight = {
 enable = true;
diff --git a/home/sops.nix b/home/sops.nix
new file mode 100644
index 0000000..017e123
--- /dev/null
+++ b/home/sops.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+ sops = {
+ age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+
+ defaultSopsFile = ../secrets/poby.yaml;
+
+ secrets = {
+ "github_ssh_key" = { };
+ };
+ };
+}
diff --git a/home/ssh.nix b/home/ssh.nix
new file mode 100644
index 0000000..142acae
--- /dev/null
+++ b/home/ssh.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks = {
+ "*" = { };
+ "github.com" = {
+ host = "github.com";
+ user = "git";
+ identitiesOnly = true;
+ identityFile = [ config.sops.secrets."github_ssh_key".path ];
+ };
+ };
+ };
+}
diff --git a/secrets/poby.yaml b/secrets/poby.yaml
new file mode 100644
index 0000000..a336b31
--- /dev/null
+++ b/secrets/poby.yaml
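Review bot: `"github_ssh_key" = { };` leaves the decrypted key's location and file mode entirely to the module defaults, yet home/ssh.nix (next hunk on this line) hands that path to ssh as an identity file, which ssh rejects when the file is readable by anyone but its owner. Stating the requirement explicitly, `"github_ssh_key" = { mode = "0400"; };`, documents why the secret must be owner-only and pins it if the default ever changes. A comment on `age.keyFile`, e.g. `# private age key, created out of band on each machine; never committed`, would also help, since nothing else in the change says where that file comes from or that activation presumably fails without it.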
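Review bot: `host = "github.com";` restates the match block's attribute name and `"*" = { }` is an empty block whose purpose is not visible in the file; both read as leftovers. Home-manager defaults `host` to the attribute name, so that line can go, and the wildcard block, presumably present to satisfy home-manager once `enableDefaultConfig = false`, deserves a comment such as `# required with enableDefaultConfig = false; intentionally carries no global options` so nobody later parks an agent- or forwarding option there by accident. `identitiesOnly = true` with the single sops-provided `identityFile` is the right shape: it keeps ssh from offering every key in the agent to github.com.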
@@ -0,0 +1,16 @@
+github_ssh_key: ENC[AES256_GCM,data:nlZoOfyEMRj2U+P2ANao+ATS90zr8h4c+mVCu1JVoNpC50DBjyMl3eZDCDERISLHf0JWbg0wAZZbPI0Xp2KvZ9D4g+59Dd+F2csgAxUbTL0QPNkgFzSWQNINPR+pabf8phfWKFBJpBD66R8CGY0g8qM9oCJVGM2sGevdAKlhEHk5qsKZ48N0XdSzwXDxYpAeSt0Lz5mcuu8ndUZq+VJs744pLNd6Br6X6wgYJ8HpOXnzyequRer/Tp/EiX5Wel+Nu4JnlXa74ziv/AVqVdZS+mLylT1Cr+fnT3rASMHtA3KFokKlnoBzmJKlqKOcC9hCg7JApLn9s/iyWaC9AbFqZzEolwB0C9TkY3UHD6f5Eph0jaZemsI8DA1+CB39La48snLy0FraQ2yBdjQB/SwcO34OwqZaNHy6FaK5vNSMnDmlhC+FZkdHt6XkUMv8EZewLSA4WxkTuDE2fgF+NVoBNiSe4G9Fpmrl4h6Adp5pIxivthJPVEmudkTB1Q8TNp2yS2NLlWarUrgELNbGBgG0KocF3F6CXJKC8KNwI3x5cgW8GOB02h3EQGOmazTBUAOwjkZZ0V/8jzbEhRyEcou0LyhY6Ls/ltLaAAo6mtBaOB0=,iv:PNdvBAlSLsW2SxoiajXD6nCgl9EXFzR2SRfo6Ynj4iQ=,tag:qGMtoaigw1iEMET99PVSbw==,type:str]
+sops:
+ age:
+ - recipient: age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaUt1Y1hFS1N0djNEU3NQ
+ QjFIMk9GZkxoeks2WUx0WlBNblR6dEpSZ2tBCkl3Wk1xaDlXWEFnYkIzZ2J3bUxw
+ bTltMDJtWEMrZ0NsbzFtTEQyelJsODQKLS0tIHFCYlZGalp2UVpIWTBRdUVob3JM
+ QXQ3YUkxWnk2U0hacjBMZDQ5WlNFQTAKzzzcoCZg7iNg5QoajxSpP1ka5qIIfaNE
+ 5VMXcX4qL0OszsO3j3ShYIT02m3XqkSeaOMSz+uty2BWtPCDZoLHrg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-14T09:54:27Z"
+ mac: ENC[AES256_GCM,data:ynguXXBCddmM69U3GMBG6PdLksbljJa2MT3MuQMUVGb7ENQcSc/r9DUrq3XNlV12szK6L1uIf2qhIkLTzN8V2HulfgWZU0l4FY+Ityc0C4NUEVVQrmZPArnWjZ+/p2sUMzZjhUoOWwL7crlUQo1jLzU7s5+p2CsAZGuFppuRfOU=,iv:J+PUT9iFijdNJYpvwamr8q8hYDUxi/hLVs/W+4k/v9o=,tag:znv5HhzpI3TqRso/UDNTQw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1