0xda157's home-manager and nixos config

thing

+41 -11
+14 -3
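--- a/modules/home/secrets/default.nix
+++ b/modules/home/secrets/default.nix
@@ -8,8 +8,19 @@
 {
 options.l.secrets.enable = lib.mkEnableOption "enable secrets management using sops-nix";
 
-config.sops = lib.mkIf config.l.secrets.enable {
-defaultSopsFile = "${self}/secrets/${name}.yaml";
-age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+config = lib.mkIf config.l.secrets.enable {
+sops = {
+defaultSopsFile = "${self}/secrets/${name}.yaml";
+age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+secrets = {
+"pgp-key/fingerprint" = { };
+"pgp-key/private" = { };
+};
+};
+
+programs.gpg = {
+enable = true;
+homedir = "${config.xdg.dataHome}/gnupg";
+};
 };
 }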
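Review bot: The two `pgp-key/*` entries declared under `sops.secrets` are not consumed by anything visible in this commit, so on a fresh machine the keyring at `${config.xdg.dataHome}/gnupg` would presumably be empty and OpenPGP signing would fail until the key is imported by hand. If an import step exists elsewhere, a comment here should point to it, e.g. `# imported into programs.gpg.homedir by <activation step>; the decrypted file stays user-only`. A key fingerprint is public data, so `pgp-key/fingerprint` does not need to be a sops secret; only `pgp-key/private` does. The module's opening lines are outside the hunk.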
+16 -1
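--- a/modules/nixos/secrets/default.nix
+++ b/modules/nixos/secrets/default.nix
@@ -1,7 +1,22 @@
-{ self, name, ... }:
+{
+self,
+name,
+pkgs,
+...
+}:
 {
 sops = {
 defaultSopsFile = "${self}/secrets/hosts/${name}.yaml";
 age.keyFile = "/root/.config/sops/age/keys.txt";
+};
+
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+
+services = {
+dbus.packages = [ pkgs.gcr ];
+pcscd.enable = true;
 };
 }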
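Review bot: `programs.gnupg.agent` with `enableSSHSupport = true` and `services.pcscd.enable = true` are set unconditionally in this module, unlike the home-manager side, which is gated on `config.l.secrets.enable`. If every host imports this module, headless machines also get a smart-card daemon and a GnuPG-backed SSH agent they may never use, which adds running services to patch and monitor. Consider moving these settings to a workstation profile or behind an option. The signing key in this commit comes from sops rather than a card, so `pcscd` looks unnecessary unless a hardware token is planned.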
+6 -5
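--- a/modules/users/da157/cli/git/default.nix
+++ b/modules/users/da157/cli/git/default.nix
@@ -3,13 +3,15 @@
 inherit (config.sops) secrets;
 in
 {
-programs.git = {
-signing.format = "ssh";
-includes = lib.mkIf config.l.secrets.enable [
+programs.git = lib.mkIf config.l.secrets.enable {
+signing = {
+format = "openpgp";
+key = "B7AC1B10365D45FF"; # pragma: allowlist secret
+};
+includes = [
 {
 condition = "hasconfig:remote.*.url:*github.com*/**";
 contents = {
-user.signingKey = secrets."ssh-keys/github".path;
 commit.gpgsign = true;
 tag.gpgsign = true;
 };
@@ -17,7 +19,6 @@
 {
 condition = "hasconfig:remote.*.url:*codeberg.org*/**";
 contents = {
-user.signingKey = secrets."ssh-keys/codeberg".path;
 commit.gpgsign = true;
 tag.gpgsign = true;
 };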
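Review bot: `key = "B7AC1B10365D45FF"` selects the signing key by its 64-bit long key ID. GnuPG accepts the full 40-hex fingerprint in the same place, and that stays unambiguous if a second key with a colliding ID ever lands in the keyring, e.g. `key = "<FULL_40_HEX_FINGERPRINT>";`. The value is a public identifier, so a short comment saying so next to the `# pragma: allowlist secret` marker would help readers. With `secrets."ssh-keys/github".path` and `secrets."ssh-keys/codeberg".path` removed, `inherit (config.sops) secrets;` may now be unused; the `let` block starts outside the hunk, so check for other uses before dropping it.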
+5 -2
secrets/da157.yaml
··· 1 + pgp-key: 2 + fingerprint: ENC[AES256_GCM,data:8f3lqRgqCfMOa02bJqq5s6G28fFo87ke6UOfhtCzRl2/KkoH3uEsLaimyRiObQiSSW0=,iv:sCvTp9xnjAVDmXNYczk84a/a7dQlvEhoshJNF2nwh9I=,tag:AxR/HcBUIxMq6wawrK9WAw==,type:str] 3 + private: ENC[AES256_GCM,data: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,iv:gk+EJ3JTmwRHmcqaOCAbKmBpB5vo8C25y91cBReLIiI=,tag:EvIOrR5ymJ4I03p6J8ezzg==,type:str] 1 4 ssh-keys: 2 5 codeberg-pub: ENC[AES256_GCM,data:401btfhUEKd0PcCMmxJ6jtS5lzYfpStq+fZdo7EFa2ecfBDx8h8B/KjJaSSa5T+A56yc3fJMCEnjjETOXKSWWi1+026/aXmoPYq/bcONw0lZDvvcmOw69PJScfe/G7hm2M599id9wLT4,iv:8dcBBPtwTBzeZBFvaMTXCDl+uA5wiAIIvzssWNmH29U=,tag:RUCFy/buR5leZzn5WHDgjw==,type:str] 3 6 codeberg: ENC[AES256_GCM,data:sazeV6B67GmDO3JDCmevOGBF1mTV4CyUepj4KeuQkJpFQFwsDFK452RNBjqGVWwb0upAcHevpod+vOkqVltO5VIYU0BfTJE28Lv11UPEmJRuTFPvRrcP8orFPhWa7fQdfguULpc5w8BPZLx6JkVM3/vD1zEqza6W1oRIVDEq4L88p/GYgFtzlEm35fYCn5cHJKanKVLBeW4cjf5V6KjCZkGStuwWDJV1O5wXGtbXCYoiUl62csTM8Rn8N834OtmIvsNuKyhQtkt/Vj0i+TSbUYukLSTojXJuvWR887bmkSOLvhxKY/UDgx2ZvCXF8OuGojnwfxIw6lqnLJ543gwjt8lS3FbvuGsxW6u2dxT8nKY//jRroHQe3ZOUglGkm27LdXBk5lt7AO1uVYy5a5Fsb2/DNQj+yLFDHdy8miqtKhsWQLiJxcqvKtEsr3P/Z4lzOmqJhZ/BnLE/0s2B/iVuanCMdHHrrnMSXxWbqE7y2keKb8h/TA0d14xQTUYz8ocOGYkJWzXCFm8EgnxERQG98oIO4PhjNXt8essMX0VNATHdOYY=,iv:o+ZbcVwtgmDGK6z++kCTYhEjauPpKURd3yc+O7Tc03I=,tag:KZ9EZhXqbRtQxiTg2C0apg==,type:str] ··· 18 21 cithUXN3cnNxc2VKOUM3UVYxWUpMZmMKwzmf6hZHBSHP5FX4cARZPr4DTyL473Zo 19 22 4I5HKbb5E9iO2qoGyVoga9OilJqWDMAGyZwz9wpyiq22d7f5zRE7EA== 20 23 -----END AGE ENCRYPTED FILE----- 21 - lastmodified: "2025-12-02T00:32:45Z" 22 - mac: ENC[AES256_GCM,data:iugjy2G2D+Vhfktkz56aAnw1fVh+Y21sIePK+swqQl+VwbwRCaLBSL9ssjAZC6a2DmOBYcfYVOO+BCEPPpWNU1jmc77emvQFq4DFfpMIyCqQleKp3+issm/9hAenN4puVSbm9RC6pGmlOXBYA1+SFxIZevuPVluIxTOoLG2y/2k=,iv:emVtmWVP1ydJ/jZoQ8RYZ5eSflc4p3HGcdXEOuqnr0M=,tag:YQDxWXlV0OrY16uRlzDzgQ==,type:str] 24 + lastmodified: "2025-12-29T00:14:02Z" 25 + mac: 
ENC[AES256_GCM,data:R5+cnKqUhASv0fdeuhMO3jA2BaxSl51iyr2TwIAym+UIDdxvFDK1xylyIa8P05rtgk0se7BzZiB/ZkCk1SZb94+oauu1dBxX5mIsguayWUGisp+xQJaOGC9Q1A/Cci723LCoBcJuWRyl3Em56FXogV4jrQOE2/vdvDFYQ4Mon3k=,iv:uBWULQIJ0en54vAgjy8MxkKTIPc32Dw6YUDok8Uvq50=,tag:uFcVMmLkNOFLZXH0aZOXAA==,type:str] 23 26 unencrypted_suffix: _unencrypted 24 27 version: 3.11.0