+30 -1

modules/base/passwords/op.nix

reviewed

··· 46 46 }; 47 47 48 48 homeManager = 49 49 - { lib, ... }: 49 49 + { 50 50 + config, 51 51 + lib, 52 52 + ... 53 53 + }: 50 54 let 51 55 sshAuthSock = "$HOME/.1password/agent.sock"; 52 56 opPlugins = "$HOME/.config/op/plugins.sh"; 53 57 sessionVariables = { 54 58 SSH_AUTH_SOCK = sshAuthSock; 55 59 }; 60 60 + sops = config.sops; 56 61 in 57 62 { 58 63 home.sessionVariables = sessionVariables; 59 64 systemd.user.sessionVariables = sessionVariables; 65 65 + 66 66 + sops = { 67 67 + secrets = { 68 68 + op-a-family-id = { }; 69 69 + op-a-family-v-private-id = { }; 70 70 + op-a-work-id = { }; 71 71 + op-a-work-v-employee-id = { }; 72 72 + }; 73 73 + 74 74 + templates."op-ssh-agent.toml" = { 75 75 + path = "${config.xdg.configHome}/1Password/ssh/agent.toml"; 76 76 + content = '' 77 77 + [[ssh-keys]] 78 78 + account = "${sops.placeholder.op-a-family-id}" 79 79 + vault = "${sops.placeholder.op-a-family-v-private-id}" 80 80 + 81 81 + [[ssh-keys]] 82 82 + account = "${sops.placeholder.op-a-work-id}" 83 83 + vault = "${sops.placeholder.op-a-work-v-employee-id}" 84 84 + ''; 85 85 + }; 86 86 + }; 87 87 + 88 88 + # xdg.configFile."1Password/ssh/agent.toml".source = sops.templates."op-ssh-agent.toml".path; 60 89 61 90 programs = { 62 91 ssh = {

+8 -3

modules/users/sharparam/secrets.yaml

reviewed

··· 1 1 nix-access-tokens: ENC[AES256_GCM,data:oNSoiA9GpbWg1HjohBEk0TTxCX+rxMPGDgHgu8hXgQP650kZhIj8xGrSI6jr7COFZwC1yROf2GhWyy+th23p2CMc9rtaYxkM5s2xUV7fUrokoH0d8NL87jPgPIaM3rHDLxM+qYppUL/2+IWFBEh4axh6SM3m/K84,iv:MMW+TmxnO+MzX5fysKhktaRsKnQ+w7WSyyBTVAnLur8=,tag:js42S9re7XYC8IJntZmF3A==,type:str] 2 2 + #ENC[AES256_GCM,data:TgaCm6XDCDUBgQ==,iv:IBtDDNovGDhZOb0edkEmIdznfu5WKqiIZnx9R7CpIfs=,tag:R68+WVScIH1rpaSbUb8uKg==,type:comment] 3 3 + op-a-family-id: ENC[AES256_GCM,data:yOIrDwy11Wt0eKZAuYbDKgftugRwCos/bCY=,iv:U0W0ZMyqluaqMiHa7JhwREkEzdTmx5Vh+EA2jY2C0Ec=,tag:y0xLVDGGeKMr01EaMcC+0w==,type:str] 4 4 + op-a-family-v-private-id: ENC[AES256_GCM,data:cn+acHVNhhrFA8J5tcbIICwWZSTjfhVSVXA=,iv:js6ZZ7y0a1wxP5tNksCB1XbcY272fFgzAPIlkl5gGKk=,tag:gWqDs0WoPJtL7dsdTtHscA==,type:str] 5 5 + op-a-work-id: ENC[AES256_GCM,data:hYorDn/yA4wgyB4IV1MUtwLaBjOuM33wxHk=,iv:jZabQcnCyAW5U0vloq8MrYiDqt9NS6zpbEifKka2hnw=,tag:kCgoimUfZnity7tWgtMLTA==,type:str] 6 6 + op-a-work-v-employee-id: ENC[AES256_GCM,data:1ipeP+wEeds6mScB0ha8aoUzG4Ki4xo4uUM=,iv:QJenmWACJz4bupaEmMQorD0rgNNPb9kYIuyuUY0R0O4=,tag:wn/w9vqyVqAh3YhB3UGQ1g==,type:str] 2 7 sops: 3 8 age: 4 9 - recipient: age1yubikey1qf2pqf4uhz9nhppcvsg0wl6d24nmrc8wthz6rnthkv0s96th8a9mzqhgul5 ··· 49 54 bHp6NGUrYk9HeTNqdnNDRDNtL21sVDQKzo9I3v1eE/njlDORRHHxQsWDfNXVfQhC 50 55 iI+yL/SEvw8z2pIAeO8oOS3G888lBepCkbgM1qvx1SQc3lV/WPjn7A== 51 56 -----END AGE ENCRYPTED FILE----- 52 52 - lastmodified: "2026-03-24T00:27:53Z" 53 53 - mac: ENC[AES256_GCM,data:e/kZiaQTRT/oRXushuaB8nrjWXz7XC7eQfWBxwR+F7tjQZsB4OqcZlK003rBxNq/7zCdErpscwDTPD8Aao6oj5wfLBBtbJaUxDAHHKblJPOub/XHCnGAVu7FKyIKgsM8o+OIB9qTisL1RxNsPejVEVC9GqMC7GGMtAmiq3inUXQ=,iv:m4nVVZlNbJHx2BCI3GrYtiQvUA4uP4YNTlZ5qg4Gh8s=,tag:nlzMDr2YNzENGC+z2zlo/Q==,type:str] 57 57 + lastmodified: "2026-03-29T18:18:14Z" 58 58 + mac: ENC[AES256_GCM,data:nUXdpVpCt7ZphgS3dQsS2lUc3BBjhmBLlYQc0Zx992DLbMgKHx9uB+gxHhMvrNgw84fB5oU9PMUoPD6B+eaduh5cPR1jmBk+ujcVT1vGrBet23dIRpO9YBCKrjH0vym/p7ol/iDsW18/q25JZqYt7AT2ec0G+Ax+HYDcnzvD61E=,iv:8caBsCXyET2j3P66komUfVivdPrerow7C0Y5ptL/AQE=,tag:HSuLQeDeH+rpgIpxF5eUWQ==,type:str] 54 59 unencrypted_suffix: _unencrypted 55 55 - version: 3.12.1 60 60 + version: 3.12.2

+5 -3

modules/users/sharparam/sops.nix

reviewed

··· 2 2 den.aspects.sharparam.provides.secrets = { 3 3 homeManager = { 4 4 sops.secrets = { 5 5 - nix-access-tokens = { 6 6 - sopsFile = ./secrets.yaml; 7 7 - }; 5 5 + nix-access-tokens.sopsFile = ./secrets.yaml; 6 6 + op-a-family-id.sopsFile = ./secrets.yaml; 7 7 + op-a-family-v-private-id.sopsFile = ./secrets.yaml; 8 8 + op-a-work-id.sopsFile = ./secrets.yaml; 9 9 + op-a-work-v-employee-id.sopsFile = ./secrets.yaml; 8 10 }; 9 11 }; 10 12 };