From dd4017ab39e44ec689e046bd4c68e98f9fa37aca Mon Sep 17 00:00:00 2001 From: EdenQwQ Date: Mon, 3 Mar 2025 14:32:06 +0800 Subject: [PATCH] secrets: use agenix --- flake.lock | 136 ++++++++++++++++++++++++----- flake.nix | 1 + home/programs/coding/nixvim/ai.nix | 11 ++- hosts/default.nix | 2 + os/system/configuration.nix | 2 + secrets/age.nix | 6 ++ secrets/gemini_token.age | Bin 0 -> 362 bytes secrets/secrets.nix | 14 +++ secrets/siliconflow_token.age | Bin 0 -> 374 bytes 9 files changed, 149 insertions(+), 23 deletions(-) create mode 100644 secrets/age.nix create mode 100644 secrets/gemini_token.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/siliconflow_token.age diff --git a/flake.lock b/flake.lock index 99208fb..c6d6240 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "base16": { "inputs": { "fromYaml": "fromYaml" @@ -67,6 +88,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "firefox-gnome-theme": { "flake": false, "locked": { @@ -215,7 +258,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1731533236, 
@@ -233,7 +276,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1731533236, @@ -352,6 +395,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -372,7 +436,7 @@ "type": "github" } }, - "home-manager_2": { + "home-manager_3": { "inputs": { "nixpkgs": [ "stylix", @@ -423,7 +487,7 @@ }, "nh": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1740563087, @@ -465,7 +529,7 @@ "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs_3", "nixpkgs-stable": "nixpkgs-stable", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" @@ -542,16 +606,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735563628, - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -598,16 +662,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1740560979, - "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5135c59491985879812717f4c9fea69604e7f26f", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -629,6 +693,22 @@ } }, "nixpkgs_4": { + "locked": { + "lastModified": 1740560979, + "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5135c59491985879812717f4c9fea69604e7f26f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1740560979, "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=", @@ -644,7 +724,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_6": { "locked": { "lastModified": 1735554305, "narHash": "sha256-zExSA1i/b+1NMRhGGLtNfFGXgLtgo+dcuzHzaWA6w3Q=", @@ -685,7 +765,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_5", "treefmt-nix": "treefmt-nix_2" }, "locked": { @@ -750,13 +830,14 @@ }, "root": { "inputs": { + "agenix": "agenix", "flake-parts": "flake-parts", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nh": "nh", "nil": "nil", "niri": "niri", "nixd": "nixd", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_4", "nixvim": "nixvim", "nur": "nur", "stylix": "stylix", 
@@ -795,12 +876,12 @@ "flake-utils": "flake-utils_3", "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", - "home-manager": "home-manager_2", + "home-manager": "home-manager_3", "nixpkgs": [ "nixpkgs" ], "nur": "nur_2", - "systems": "systems_3", + "systems": "systems_4", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -866,6 +947,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -1014,7 +1110,7 @@ }, "treefmt-nix_4": { "inputs": { - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1739829690, diff --git a/flake.nix b/flake.nix index f1bf0a3..1c4ce33 100644 --- a/flake.nix +++ b/flake.nix @@ -64,5 +64,6 @@ }; nh.url = "github:viperML/nh"; treefmt-nix.url = "github:numtide/treefmt-nix"; + agenix.url = "github:ryantm/agenix"; }; } diff --git a/home/programs/coding/nixvim/ai.nix b/home/programs/coding/nixvim/ai.nix index 097ae8a..330ffae 100644 --- a/home/programs/coding/nixvim/ai.nix +++ b/home/programs/coding/nixvim/ai.nix @@ -1,4 +1,9 @@ -{ user, ... }: +{ + user, + config, + lib, + ... +}: { programs.nixvim = { plugins = { @@ -32,7 +37,7 @@ # lua '' function () - local siliconflow_token_file = io.open("/home/${user}/Downloads/tokens/siliconflow_token", "r") + local siliconflow_token_file = io.open("${config.age.secrets.siliconflow_token.path}", "r") local siliconflow_api_key = siliconflow_token_file:read() siliconflow_token_file:close() return require("codecompanion.adapters").extend("openai_compatible", { 
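Review bot: The new `agenix.url = "github:ryantm/agenix";` line in the inputs block adds the input without any `follows`, so the flake.lock changes in this same patch gain a separate `nixpkgs` node for agenix (lastModified 1703013332) plus `darwin` and an extra `home-manager` node. That widens the set of pinned sources to audit, and anything built from agenix's own package set comes from a much older nixpkgs than the rest of the system. Consider `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`, and add `inputs.darwin.follows = "";` inside the same attrset if no macOS host is planned.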
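Review bot: The `io.open` result in the siliconflow adapter is used without a nil check, and the gemini adapter hunk further down repeats the pattern, so an unreadable secret surfaces as an "attempt to index a nil value" error rather than a clear message. This matters more after the switch to `config.age.secrets.<name>.path`: as far as I recall, the agenix home-manager module builds its default path from `$XDG_RUNTIME_DIR`, which Lua's `io.open` does not expand, so confirm what the string evaluates to and, if it contains a variable, set an absolute `path` for each secret in secrets/age.nix. In either case, guard the open with `local f = assert(io.open(path, "r"), "siliconflow token not readable")`. Both adapter functions continue outside their hunks.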
@@ -53,7 +58,7 @@ # lua '' function() - local gemini_token_file = io.open("/home/${user}/Downloads/gemini_token", "r") + local gemini_token_file = io.open("${config.age.secrets.gemini_token.path}", "r") local gemini_api_key = gemini_token_file:read() gemini_token_file:close() return require("codecompanion.adapters").extend("gemini", { diff --git a/hosts/default.nix b/hosts/default.nix index c9c7c46..5bd8135 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -23,6 +23,8 @@ let inputs.stylix.homeManagerModules.stylix inputs.niri.homeModules.niri inputs.nixvim.homeManagerModules.nixvim + inputs.agenix.homeManagerModules.default + ../secrets/age.nix ]; in { diff --git a/os/system/configuration.nix b/os/system/configuration.nix index e0cecc9..ee69921 100644 --- a/os/system/configuration.nix +++ b/os/system/configuration.nix @@ -104,6 +104,8 @@ gnome.gnome-browser-connector.enable = true; gvfs.enable = true; + + openssh.enable = true; }; security = { diff --git a/secrets/age.nix b/secrets/age.nix new file mode 100644 index 0000000..8f6d201 --- /dev/null +++ b/secrets/age.nix @@ -0,0 +1,6 @@ +{ + age.secrets = { + siliconflow_token.file = ./siliconflow_token.age; + gemini_token.file = ./gemini_token.age; + }; +} diff --git a/secrets/gemini_token.age b/secrets/gemini_token.age new file mode 100644 index 0000000000000000000000000000000000000000..2bb2a709375a4bb1400ace79cd94a1a04fda78de GIT binary patch literal 362 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlEy(k(mTm0s>0kYzbebkIG?LL&B;6>yvj4pGceF8!`aKJG%_qV zsyxu!&?qk=v@k0$!r9V2J2ltL$CFD}S63l5$~nR<$E?VpA|uqx$iF-)r99Boy~wYi z%EH|>J>SC3$S~dC!@aa1!hnn6lVKXei*@aaOS>BQ&#E-@@Io!Xw?kvMjjJ%!ErjmN6a>k2Htbkt2` zqGH*OIT^ew55=B2x_e*gu2rkH3r?B7iM96TY<-jJwsSpg|EJBhsLubzV943t#Mt)X Iga4w901WSljsO4v literal 0 HcmV?d00001
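Review bot: `openssh.enable = true;` turns on a network-facing sshd with NixOS defaults, which as far as I know include password authentication and an opened firewall port, and nothing in this patch restricts it. If the daemon is enabled only so that SSH host keys exist for agenix, note that the module imported in hosts/default.nix is the home-manager one, which presumably decrypts with user identities rather than host keys (verify against secrets/secrets.nix, which is not visible here). If sshd is wanted, consider `openssh = { enable = true; openFirewall = false; settings.PasswordAuthentication = false; };`, or at least add a comment stating why it is enabled. The surrounding attribute set starts and ends outside the hunk.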
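Review bot: The new secrets/age.nix declares the two secrets but no `age.identityPaths`, so decryption depends on the module's implicit default identities (the user's `~/.ssh/id_ed25519` and `~/.ssh/id_rsa`, if I read the home-manager module correctly). Setting it explicitly, e.g. `age.identityPaths = [ "/home/<user>/.ssh/id_ed25519" ];` with the real path in place of the placeholder, documents which private key must exist and stay protected on each host. That key should correspond to a recipient listed in secrets/secrets.nix. A short header comment such as `# encrypted .age files only; agenix decrypts them at runtime` would also help the next reader.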