1password: sign git commits

home/_1password.nix

@@ -1,4 +1,7 @@
-{ pkgs, lib, ... }:
+{ flake, config, pkgs, lib, ... }:
+let
+  userConfig = flake.config.people.users.${config.home.username};
+in
 {
   home.packages = with pkgs; [
     _1password
@@ -20,4 +23,18 @@
       };
     };
   };
+
+  # https://developer.1password.com/docs/ssh/git-commit-signing/
+  # 
+  # For this to work on GitHub, you must have added the SSH pub key as a signing key, see
+  # https://1password.community/discussion/comment/667515/#Comment_667515
+  programs.git.includes = [{
+    condition = "gitdir:~/code/**"; # Personal repos only
+    contents = {
+      user.signingKey = userConfig.sshKey;
+      gpg.format = "ssh";
+      gpg.ssh.program = "/Applications/1Password.app/Contents/MacOS/op-ssh-sign";
+      commit.gpgsign = true;
+    };
+  }];
 }