feat: sops-nix configuration

encrypt personal ssh key for git

home/default.nix

@@ -21,8 +21,8 @@
     ./terminal.nix
     ./bat.nix
     ./aerospace.nix
-    # TODO ./browser.nix
-    # TODO ./pass.nix
+    ./sops.nix
+    ./ssh.nix
     # TODO ./claude-code.nix
     # TODO ./codex.nix
     # TODO ./gemini-cli.nix

home/gh.nix

@@ -1,3 +1,8 @@
 {
-  programs.gh.enable = true;
+  programs.gh = {
+    enable = true;
+    settings = {
+      git_protocol = "ssh";
+    };
+  };
 }

home/nvf/default.nix

@@ -1,4 +1,8 @@
-{ lib, ... }:
+{
+  lib,
+  pkgs,
+  ...
+}:
 let
   options = import ./core/options.nix;
   autocmds = import ./core/autocmds.nix { inherit lib; };
@@ -11,7 +15,7 @@ let
   terminal = import ./plugins/terminal.nix;
   theme = import ./appearance/theme.nix;
   lsp = import ./lsp/lsp.nix;
-  treesitter = import ./lsp/treesitter.nix;
+  treesitter = import ./lsp/treesitter.nix { inherit pkgs; };
   autocomplete = import ./lsp/autocomplete.nix;
   languages = import ./lsp/languages;
 in

home/nvf/lsp/treesitter.nix

@@ -1,7 +1,13 @@
+{ pkgs, ... }:
 {
   # treesitter
   enable = true;
   addDefaultGrammars = true;
+  grammars = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [
+    nix
+    lua
+    yaml
+  ];
   fold = true;
   highlight = {
     enable = true;

home/sops.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  sops = {
+    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+
+    defaultSopsFile = ../secrets/poby.yaml;
+
+    secrets = {
+      "github_ssh_key" = { };
+    };
+  };
+}

home/ssh.nix

@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    matchBlocks = {
+      "*" = { };
+      "github.com" = {
+        host = "github.com";
+        user = "git";
+        identitiesOnly = true;
+        identityFile = [ config.sops.secrets."github_ssh_key".path ];
+      };
+    };
+  };
+}