feat(sops): add cwp jira secret and url to sops as environment variables for rafiq

2025-03-20 20:36:35 +08:00 · 2025-03-20 20:36:35 +08:00 · c952e6df1e
commit c952e6df1e
parent 076f81007c
3 changed files with 27 additions and 8 deletions
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -1,4 +1,6 @@
 hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str]
+cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str]
+cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,8 +25,8 @@ sops:
            ZGlJMjlST1B2a1g4Uit5QkRhdFhHblUKHBDYMHxA8ZzGpII+tHLjuU1KoyQHRQr0
            D1j1VPmee1DMLt29/wEjAlY1iLrXSxmCD3Ua+MosexDJnTtBQxs8tA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-17T13:38:02Z"
-    mac: ENC[AES256_GCM,data:gyjlmW3HBITwcZNE1Bk98V18AUCLJo/2xRwV3NvW5SvfK9vJEp7msw4860L79fZHIu4qnOhYhwUcTOqvFLs0W5kKcphw/8wPa6qPFmuby9OQnJGX35UZO4oxKrdrfFiWTKoLQ48Uk5Tnj7YZxkN5umSbACQWdcSSvflyj1Pt2m4=,iv:smcrFEtJv/hXmf96wQUlCwmU8cMaG1Zr0+azxFxw3KY=,tag:OJkE9VBp0U3zRHhgBEn1Kg==,type:str]
+    lastmodified: "2025-03-20T12:33:27Z"
+    mac: ENC[AES256_GCM,data:hiN4Ew6ZVBg4hxbqx1EAwGXSLR1YyArjJCK3yruAjFhw4id4Q992wzqVBmyCQRF7jZ7d0ZjPQOXynMY8Hbx2IMZcmEM/hcP0A5ZhRbI1j98TujIbRHK0Qz5PG71/DoZF7jl6E/UNDFjW4pdVd/wxnBOpIAJ7fWOw7Hkzi2Mkess=,iv:nM0Q+T0FETBEWkJRH+BRFxFX5g0gf1BSaDJNIGbF+zE=,tag:KpJiAFbybAnqoCuW59M2YQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/systems/modules/common.nix
+++ b/systems/modules/common.nix
@ -2,7 +2,8 @@
  pkgs,
  config,
  ...
-}: {
+}:
+{
  imports = [
    ./networking.nix
    ./shell.nix
@ -15,21 +16,34 @@
    isNormalUser = true;
    description = "rafiq";
    hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
-    extraGroups = ["networkmanager" "wheel"];
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
    ];
  };

+  environment.sessionVariables.CWP_JIRA_ACCESS_KEY_FILE =
+    config.sops.secrets.cwp_jira_access_key.path;
+  environment.sessionVariables.CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
+
  security.sudo.wheelNeedsPassword = false;

  # Enable basic fonts for reasonable Unicode coverage
  fonts.enableDefaultPackages = true;

  nixpkgs.config.allowUnfree = true;
-  nix.settings.experimental-features = ["nix-command" "flakes"];
-  nix.settings.trusted-users = ["root" "@wheel"];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.settings.trusted-users = [
+    "root"
+    "@wheel"
+  ];

  environment.systemPackages = with pkgs; [
    git
--- a/systems/modules/sops.nix
+++ b/systems/modules/sops.nix
@ -1,5 +1,6 @@
-{inputs, ...}: {
-  imports = [inputs.sops-nix.nixosModules.sops];
+{ inputs, ... }:
+{
+  imports = [ inputs.sops-nix.nixosModules.sops ];
  sops = {
    defaultSopsFile = ../../secrets/secrets.yaml;
    age.sshKeyPaths = [
@ -10,6 +11,8 @@
      hashed_password_rafiq = {
        neededForUsers = true;
      };
+      cwp_jira_access_key = { };
+      cwp_jira_link = { };
    };
  };
 }