Refactor git credentials secrets

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-02-28 11:00:21 +00:00
parent d8374fe7b7
commit 91104fc4b0
16 changed files with 235 additions and 134 deletions
--- a/hosts/common/configs/system/nix/default.nix
+++ b/hosts/common/configs/system/nix/default.nix
@@ -1,11 +1,16 @@
 { config, inputs, ... }:
 {
  sops = {
-    secrets."nix/accessTokens/github.com".sopsFile = ../../../../../secrets/personal/secrets.yaml;
+    secrets = {
+      "git/credentials/github.com/public/username".sopsFile =
+        ../../../../../secrets/personal/secrets.yaml;
+      "git/credentials/github.com/public/password".sopsFile =
+        ../../../../../secrets/personal/secrets.yaml;
+    };

    templates."nix-access-tokens" = {
      content = ''
-        access-tokens = github.com=${config.sops.placeholder."nix/accessTokens/github.com"}
+        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
      '';
      group = "users";
    };
--- a/hosts/eirene/users/nick/configs/console/git/default.nix
+++ b/hosts/eirene/users/nick/configs/console/git/default.nix
@@ -17,16 +17,16 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "git/credentials/git.karaolidis.com/username".sopsFile =
+        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
          ../../../../../../../secrets/personal/secrets.yaml;
-        "git/credentials/git.karaolidis.com/password".sopsFile =
+        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
          ../../../../../../../secrets/personal/secrets.yaml;
      };

      templates."git/credentials" = {
        content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/password"
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
          }@git.karaolidis.com
        '';
        path = "${home}/.config/git/credentials";
--- a/hosts/eirene/users/nick/configs/console/gpg/default.nix
+++ b/hosts/eirene/users/nick/configs/console/gpg/default.nix
@@ -0,0 +1,18 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ config, ... }:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops.secrets = {
+      "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+    };
+
+    programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;
+  };
+}
--- a/hosts/eirene/users/nick/configs/console/ssh/default.nix
+++ b/hosts/eirene/users/nick/configs/console/ssh/default.nix
@@ -0,0 +1,22 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ config, ... }:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops.secrets = {
+      "ssh/key" = {
+        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        path = "${home}/.ssh/ssh_personal_ed25519_key";
+      };
+
+      "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+    };
+
+    programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
+  };
+}
--- a/hosts/eirene/users/nick/configs/gui/theme/default.nix
+++ b/hosts/eirene/users/nick/configs/gui/theme/default.nix
@@ -0,0 +1,8 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ ... }:
+{
+  home-manager.users.${user}.theme.wallpaper = ../../../../../../../static/wallpapers/clouds.png;
+}
--- a/hosts/eirene/users/nick/default.nix
+++ b/hosts/eirene/users/nick/default.nix
@@ -4,8 +4,6 @@ let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
  user = "nick";
  home = "/home/nick";
-
-  hmConfig = config.home-manager.users.${user};
 in
 {
  imports = [
@@ -82,9 +80,12 @@ in
    (import ../../../common/configs/user/gui/xdg { inherit user home; })

    (import ./configs/console/git { inherit user home; })
+    (import ./configs/console/gpg { inherit user home; })
+    (import ./configs/console/ssh { inherit user home; })
    (import ./configs/console/syncthing { inherit user home; })

    (import ./configs/gui/obsidian { inherit user home; })
+    (import ./configs/gui/theme { inherit user home; })
    (import ./configs/gui/vscode { inherit user home; })
  ];

@@ -109,30 +110,8 @@ in

  services.getty.autologinUser = user;

-  home-manager.users.${user} = {
-    home = {
-      username = user;
-      homeDirectory = home;
-    };
-
-    sops.secrets = {
-      "ssh/key" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        path = "${home}/.ssh/ssh_personal_ed25519_key";
-      };
-
-      "ssh/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
-
-      "gpg/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
-
-      "gpg/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
-    };
-
-    programs.clipbook.bookmarks = {
-      "SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
-      "GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;
-    };
-
-    theme.wallpaper = ../../../../static/wallpapers/clouds.png;
+  home-manager.users.${user}.home = {
+    username = user;
+    homeDirectory = home;
  };
 }
--- a/hosts/elara/users/nikara/configs/console/git/default.nix
+++ b/hosts/elara/users/nikara/configs/console/git/default.nix
@@ -18,17 +18,35 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "git/credentials/git.karaolidis.com/username".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
-        "git/credentials/git.karaolidis.com/password".sopsFile =
-          ../../../../../../../secrets/personal/secrets.yaml;
+        "git/credentials/personal/git.karaolidis.com/admin/username" = {
+          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          key = "git/credentials/git.karaolidis.com/admin/username";
+        };
+
+        "git/credentials/personal/git.karaolidis.com/admin/password" = {
+          sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+          key = "git/credentials/git.karaolidis.com/admin/password";
+        };
+
+        "git/credentials/sas/github.com/admin/username" = {
+          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          key = "git/credentials/github.com/admin/username";
+        };
+
+        "git/credentials/sas/github.com/admin/password" = {
+          sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+          key = "git/credentials/github.com/admin/password";
+        };
      };

      templates."git/credentials" = {
        content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/password"
+          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/password"
          }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/username"}:${
+            hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/password"
+          }@github.com
        '';
        path = "${home}/.config/git/credentials";
      };
--- a/hosts/elara/users/nikara/configs/console/gpg/default.nix
+++ b/hosts/elara/users/nikara/configs/console/gpg/default.nix
@@ -0,0 +1,38 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ config, ... }:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops.secrets = {
+      "gpg/personal/key" = {
+        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        key = "gpg/key";
+      };
+
+      "gpg/personal/pass" = {
+        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        key = "gpg/pass";
+      };
+
+      "gpg/sas/key" = {
+        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        key = "gpg/key";
+      };
+
+      "gpg/sas/pass" = {
+        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        key = "gpg/pass";
+      };
+    };
+
+    programs.clipbook.bookmarks = {
+      "Personal GPG Passphrase".source = hmConfig.sops.secrets."gpg/personal/pass".path;
+      "SAS GPG Passphrase".source = hmConfig.sops.secrets."gpg/sas/pass".path;
+    };
+  };
+}
--- a/hosts/elara/users/nikara/configs/console/sas/default.nix
+++ b/hosts/elara/users/nikara/configs/console/sas/default.nix
@@ -0,0 +1,11 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ ... }:
+{
+  home-manager.users.${user}.sops.secrets = {
+    "artifactory/cdp/user".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+    "artifactory/cdp/password".sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+  };
+}
--- a/hosts/elara/users/nikara/configs/console/ssh/default.nix
+++ b/hosts/elara/users/nikara/configs/console/ssh/default.nix
@@ -2,20 +2,59 @@
  user ? throw "user argument is required",
  home ? throw "home argument is required",
 }:
-{ inputs, system, ... }:
+{
+  config,
+  inputs,
+  system,
+  ...
+}:
 let
+  hmConfig = config.home-manager.users.${user};
  selfPkgs = inputs.self.packages.${system};
 in
 {
-  home-manager.users.${user}.programs.ssh = {
-    matchBlocks = {
-      "cldlgn.fyi.sas.com" = {
-        inherit user;
-        hostname = "cldlgn.fyi.sas.com";
-        identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+  home-manager.users.${user} = {
+    sops.secrets = {
+      "ssh/personal/key" = {
+        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        key = "ssh/key";
+        path = "${home}/.ssh/ssh_personal_ed25519_key";
+      };
+
+      "ssh/personal/pass" = {
+        sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+        key = "ssh/pass";
+      };
+
+      "ssh/sas/key" = {
+        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        key = "ssh/key";
+        path = "${home}/.ssh/ssh_sas_ed25519_key";
+      };
+
+      "ssh/sas/pass" = {
+        sopsFile = ../../../../../../../secrets/sas/secrets.yaml;
+        key = "ssh/pass";
      };
    };

-    userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-sas-cldlgn ];
+    programs = {
+      ssh = {
+        matchBlocks = {
+          "cldlgn.fyi.sas.com" = {
+            inherit user;
+            hostname = "cldlgn.fyi.sas.com";
+            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          };
+        };
+
+        userKnownHostsFiles = with selfPkgs; [ ssh-known-hosts-sas-cldlgn ];
+      };
+
+      clipbook.bookmarks = {
+        "Personal SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/personal/pass".path;
+        "SAS SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/sas/pass".path;
+      };
+    };
  };
 }
--- a/hosts/elara/users/nikara/configs/gui/theme/default.nix
+++ b/hosts/elara/users/nikara/configs/gui/theme/default.nix
@@ -0,0 +1,8 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ ... }:
+{
+  home-manager.users.${user}.theme.wallpaper = ../../../../../../../static/wallpapers/snow.jpg;
+}
--- a/hosts/elara/users/nikara/default.nix
+++ b/hosts/elara/users/nikara/default.nix
@@ -4,8 +4,6 @@ let
  # FIXME: https://github.com/NixOS/nixpkgs/issues/305643
  user = "nikara";
  home = "/home/nikara";
-
-  hmConfig = config.home-manager.users.${user};
 in
 {
  imports = [
@@ -77,14 +75,17 @@ in
    (import ./configs/console/c { inherit user home; })
    (import ./configs/console/git { inherit user home; })
    (import ./configs/console/go { inherit user home; })
+    (import ./configs/console/gpg { inherit user home; })
    (import ./configs/console/gradle { inherit user home; })
    (import ./configs/console/java { inherit user home; })
    (import ./configs/console/kubernetes { inherit user home; })
    (import ./configs/console/podman { inherit user home; })
+    (import ./configs/console/sas { inherit user home; })
    (import ./configs/console/ssh { inherit user home; })
    (import ./configs/console/viya4-orders-cli { inherit user home; })

    (import ./configs/gui/obsidian { inherit user home; })
+    (import ./configs/gui/theme { inherit user home; })
    (import ./configs/gui/vscode { inherit user home; })
  ];

@@ -109,68 +110,8 @@ in

  services.getty.autologinUser = user;

-  home-manager.users.${user} = {
-    home = {
-      username = user;
-      homeDirectory = home;
-    };
-
-    sops.secrets = {
-      # Personal
-      "ssh/personal/key" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        key = "ssh/key";
-        path = "${home}/.ssh/ssh_personal_ed25519_key";
-      };
-
-      "ssh/personal/pass" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        key = "ssh/pass";
-      };
-
-      "gpg/personal/key" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        key = "gpg/key";
-      };
-
-      "gpg/personal/pass" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        key = "gpg/pass";
-      };
-
-      # SAS
-      "ssh/sas/key" = {
-        sopsFile = ../../../../secrets/sas/secrets.yaml;
-        key = "ssh/key";
-        path = "${home}/.ssh/ssh_sas_ed25519_key";
-      };
-
-      "ssh/sas/pass" = {
-        sopsFile = ../../../../secrets/sas/secrets.yaml;
-        key = "ssh/pass";
-      };
-
-      "gpg/sas/key" = {
-        sopsFile = ../../../../secrets/sas/secrets.yaml;
-        key = "gpg/key";
-      };
-
-      "gpg/sas/pass" = {
-        sopsFile = ../../../../secrets/sas/secrets.yaml;
-        key = "gpg/pass";
-      };
-
-      "artifactory/cdp/user".sopsFile = ../../../../secrets/sas/secrets.yaml;
-      "artifactory/cdp/password".sopsFile = ../../../../secrets/sas/secrets.yaml;
-    };
-
-    programs.clipbook.bookmarks = {
-      "Personal SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/personal/pass".path;
-      "Personal GPG Passphrase".source = hmConfig.sops.secrets."gpg/personal/pass".path;
-      "SAS SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/sas/pass".path;
-      "SAS GPG Passphrase".source = hmConfig.sops.secrets."gpg/sas/pass".path;
-    };
-
-    theme.wallpaper = ../../../../static/wallpapers/snow.jpg;
+  home-manager.users.${user}.home = {
+    username = user;
+    homeDirectory = home;
  };
 }
--- a/hosts/installer/users/nick/configs/console/git/default.nix
+++ b/hosts/installer/users/nick/configs/console/git/default.nix
@@ -17,16 +17,16 @@ in
  home-manager.users.${user} = {
    sops = {
      secrets = {
-        "git/credentials/git.karaolidis.com/username".sopsFile =
+        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
          ../../../../../../../secrets/personal/secrets.yaml;
-        "git/credentials/git.karaolidis.com/password".sopsFile =
+        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
          ../../../../../../../secrets/personal/secrets.yaml;
      };

      templates."git/credentials" = {
        content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/password"
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
          }@git.karaolidis.com
        '';
        path = "${home}/.config/git/credentials";
--- a/hosts/installer/users/nick/configs/console/gpg/default.nix
+++ b/hosts/installer/users/nick/configs/console/gpg/default.nix
@@ -0,0 +1,11 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ ... }:
+{
+  home-manager.users.${user}.sops.secrets = {
+    "gpg/key".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+    "gpg/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+  };
+}
--- a/hosts/installer/users/nick/configs/console/ssh/default.nix
+++ b/hosts/installer/users/nick/configs/console/ssh/default.nix
@@ -0,0 +1,16 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{ ... }:
+{
+  home-manager.users.${user}.sops.secrets = {
+    "ssh/key" = {
+      sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+      path = "${home}/.ssh/ssh_personal_ed25519_key";
+    };
+
+    "ssh/pass".sopsFile = ../../../../../../../secrets/personal/secrets.yaml;
+
+  };
+}
--- a/hosts/installer/users/nick/default.nix
+++ b/hosts/installer/users/nick/default.nix
@@ -33,6 +33,8 @@ in
    (import ../../../common/configs/user/console/zsh { inherit user home; })

    (import ./configs/console/git { inherit user home; })
+    (import ./configs/console/gpg { inherit user home; })
+    (import ./configs/console/ssh { inherit user home; })
  ];

  # echo "password" | mkpasswd -s
@@ -56,23 +58,8 @@ in

  services.getty.autologinUser = user;

-  home-manager.users.${user} = {
-    home = {
-      username = user;
-      homeDirectory = home;
-    };
-
-    sops.secrets = {
-      "ssh/key" = {
-        sopsFile = ../../../../secrets/personal/secrets.yaml;
-        path = "${home}/.ssh/ssh_personal_ed25519_key";
-      };
-
-      "ssh/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
-
-      "gpg/key".sopsFile = ../../../../secrets/personal/secrets.yaml;
-
-      "gpg/pass".sopsFile = ../../../../secrets/personal/secrets.yaml;
-    };
+  home-manager.users.${user}.home = {
+    username = user;
+    homeDirectory = home;
  };
 }