feat(sops): add cwp jira secrets as env vars

README.md

@@ -8,9 +8,9 @@
 
 # Adding Secrets with sops-nix
 
-Secrets are stored in secrets/secrets.yaml. You can edit these secrets with `sops secrets/secrets.yaml` given you have an age private key stored at `~/.config/sops/age/keys.txt`.
+Secrets are stored in configs/secrets/secrets.yaml. You can edit these secrets with `sops secrets.yaml` given you have an age private key stored at `~/.config/sops/age/keys.txt`.
 
-To decrypt these secrets with sops-nix during a rebuild, you must add your host public key to the `.sops.yaml` file. Generate it with `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`, add it to the file, then run `sops updatekeys secrets/secrets.yaml`.
+To decrypt these secrets with sops-nix during a rebuild, you must add your host public key to the `.sops.yaml` file. Generate it with `cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age`, add it to the file, then run `sops updatekeys secrets.yaml`.
 
 # Provisioning A New Machine
 

configs/secrets/secrets.yaml

@@ -1,5 +1,7 @@
 password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str]
 ts_auth_key: ENC[AES256_GCM,data:2/pabfBT8KAGLKDytTMrhSBX8xr/TyJbX0mAsMlzmniyK9GT0xTAq3LsRfNLyCitSVauWIXwPYFia78NCw==,iv:PBDp4+SP9yVRJtmMmvJxUQju6qTOB7cJGSQZIbRSLm8=,tag:ZYDRlMrmmwwvxs71IV3dmQ==,type:str]
+cwp_jira_link: ENC[AES256_GCM,data:7YwR5ajQDcyZgUGgMonajBV7DG/wlxsbxpiagMaPCBk=,iv:loFSGCV4no/azjIRYxjZHDkrrJmH0nzGlF8t0o0yfo4=,tag:pQYLLq4fu7T8Z03GvrJ+3A==,type:str]
+cwp_jira_pat: ENC[AES256_GCM,data:+4VnPikwuSPHdPj9xihuFeht1FPYdZHcHxYNjKMwU2MU7VC4cOUA9vpcEgk=,iv:8f8Z/V9LnuTFdCsqJhaa55BL0ibgSW8PUQoW7FxAOZE=,tag:XL/Xf1QaNLiLT2m/dWcrKw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +26,8 @@ sops:
             WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7
             v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-26T20:33:11Z"
+    lastmodified: "2025-03-27T13:04:25Z"
-    mac: ENC[AES256_GCM,data:uiiaOtKhmIkVjUJSgpxJYZ+W0RoCf7ZZwQFoRTnjZtmdRRbUN6HiwWfACeo6ui4Uz8rWYfSMHrSuGCiS3v0cz21XLHt5L4txG+SaU/2q5NPlu5AzKR4LwtExdEyfDYZNptouRZUkyHbYNPt5evKvJHmgeb4+8NDfmErBLS3+6IE=,iv:m6tkc5Sk1DyUnCLdseynDFDqEJwwpJcypCx26jeufdA=,tag:1YIl8hMZYzqArrdh3ROORQ==,type:str]
+    mac: ENC[AES256_GCM,data:6eINPO68OJGMhWhORC4MfBiA4Qax30UYzZBGdeqsDsRfjFZ7TCCiLrdHOdGWOr0S9nCelXm9VnTjIjFGudpZ2k3vQ5lM9bt1DZ19Y2XbeHhC7jZJP51ql9NexNMlT10zLdWWUWhxoow8avAszAguUc0nmWgi+R9N+ctrtwAWpmw=,iv:OYBn6dYDZJrJJ6xXUXoK5Ml3fHBULMYnQXAfqM+1rUU=,tag:ScVH3GRaMAKNnLQNNNDgtw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4

configs/security.nix

@@ -7,8 +7,12 @@
   sops = {
     defaultSopsFile = ./secrets/secrets.yaml;
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets.password.neededForUsers = true;
+    secrets = {
-    secrets.ts_auth_key = { };
+      password.neededForUsers = true;
+      ts_auth_key = { };
+      cwp_jira_link = { };
+      cwp_jira_pat = { };
+    };
   };
 
   security.sudo.wheelNeedsPassword = false;

configs/shell/zsh.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  config,
   ...
 }:
 {
@@ -21,6 +22,9 @@
         ''
           # Bind CTRL+Backspace to delete whole word
           bindkey '^H' backward-kill-word
+
+          export CWP_JIRA_LINK_FILE="${config.sops.secrets.cwp_jira_link.path}"
+          export CWP_JIRA_PAT_FILE="${config.sops.secrets.cwp_jira_pat.path}"
         '';
       # TODO: Look into whether we need to add the history attribute
       profileExtra = # bash