From fa620983be153a0f057be1ec063ecee77267e9ed Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Tue, 25 Mar 2025 04:45:56 +0800
Subject: [PATCH] feat(sops): add cargo registry token as secret
---
 secrets/secrets.yaml | 5 +++--
 systems/modules/common.nix | 16 +++++++++-------
 systems/modules/sops.nix | 7 ++++++-
 users/modules/programs/zsh.nix | 4 +++-
 users/modules/sh.nix | 1 -
 5 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 2c28b1d..8d4586a 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -1,6 +1,7 @@ hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str] rafiq-nemesis: ENC[AES256_GCM,data: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,iv:IhnHuLY3oxtImw6DzJIbTb/Xrj6yablexVD29wZgRis=,tag:TT6xfdCL4vxx/Q5NsL3BUA==,type:str] rafiq-mellinoe: ENC[AES256_GCM,data:1Ouj3GcmYfWsMmaQ1eDnbLuKk0BH2ec8yqYdA9kmKVIAX66IFnk9yMJd/2ECF7lAqx+Uqvul+f8xuNfXINTVgUQ1jQIT8FFbWzsAc6aJZbzWG79cdM90uQyJXOY/zVkDsYiL9UcVzIf26hjZqjarouyPhq7qtokatS1QgVFzDjQjhKOGyiaBVNElgFCdzXtzb3on6v381R3pCGePCjwBjEBuNTzXrqGgHs9FHjvga9z0Vry4bUKsZQvs/Vxa8QSX7+5jslEFk0bUmypBmg+Qv/89FbYHgMmfR2D26kZhVzxlXA4F7ZJvxeYbcOJw3r55SsQGwgB3Te08jG6rK8JFb7JahJ0qBm73ZJkH8y0bEXgNj9JwdNIoX4RnHy5ihgnmwK7GICD9jk6gXbzcbcohi6+ZcreCDKEhnYU9Y3mh8CwqwS+IafDTKFrHrJibikVTlPG7jcclaTWQiAvDjDHvHUnr360QmhFfUs8xGu7f+7aKYcAH6jSOLzPWCPQfp/w8ETq+bTd8DkulSGjmGRghJCxXOTk=,iv:hO2wQHi+hTqmM0c1UbJMqx1z/77G1rQ1R/R7GkI/yBU=,tag:NatoghXfI5/BHejnciFv4w==,type:str] +cargo_api_key: ENC[AES256_GCM,data:kZ2ic/3Ig2x1s4LJITanu1WsQ1MnQCC9Z6+kTzrHXmM+iBE=,iv:7wy6F5v1A1/N+ZorQat0lswDy+dgwdg/jlfYYIv8cWc=,tag:bfr/DVnFCUSWtXKlMkqZHg==,type:str] cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str] cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str] sops: 
@@ -27,8 +28,8 @@ sops: dGZmTEN0NWlnVExHczNYdHphbUJRaFEKEWtxkXbzZheNzX4tMirXa5mGrctwIdhv 7T1dBHn2h3B5FUHe5RVgQpEJvQD6ed2AIeY6XSAkt7ofhUzHzMNGow== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-22T10:25:55Z" - mac: ENC[AES256_GCM,data:xiRUjBCnTGf2V+fHA8HLw9jvIVgFuMl1K4exHeX/ykKeh5z9fHFcRj9mcJcE8ZxXvax8MiWeHf9H93PsEy7ocD6FvBD04tWL5oHOgZtuUs4u2RpVR+/PyvUMdVhv9I78U/aJMv19bshwCCbS4TqTKR9bzZy5e0kQPb0NK9K3OlI=,iv:fQzFqToEI27775xdhXI/ObPO2/+vZY29O/ll2+jCTb4=,tag:KqM0KNMX5TvHP74MwQoz0A==,type:str] + lastmodified: "2025-03-24T19:58:38Z" + mac: ENC[AES256_GCM,data:5gGR1ikHTkAfcZarOpuus9jDgarFPbGEecs5rJUM6EcvKUsdk+x00iCiT7TNyAusf7qCQ85Lrl+EVb1XJ6qq7qOe+q+uIukKbs4mIftiz1w1dsQlFeo5QBjsLI8+7cCik92gAF6bBKzf+P1nZ0h9gMCbiVUiBEGkubRiEdwDnWg=,iv:gEflEBaZ/JgFuJCflaS4PbBC2/eWKSPDktk4Q4hicKA=,tag:+fuM6FhldSETQ/Cs9ANsow==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/systems/modules/common.nix b/systems/modules/common.nix index a6037bb..5107299 100644 --- a/systems/modules/common.nix +++ b/systems/modules/common.nix @@ -28,10 +28,16 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus" ]; }; + environment = { + sessionVariables = { + CWP_JIRA_ACCESS_KEY_FILE = config.sops.secrets.cwp_jira_access_key.path; + CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path; + }; - environment.sessionVariables.CWP_JIRA_ACCESS_KEY_FILE = - config.sops.secrets.cwp_jira_access_key.path; - environment.sessionVariables.CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path; + systemPackages = with pkgs; [ + git + ]; + }; security.sudo.wheelNeedsPassword = false; @@ -48,10 +54,6 @@ "@wheel" ]; - environment.systemPackages = with pkgs; [ - git - ]; - time.timeZone = "Asia/Singapore"; i18n.defaultLocale = "en_SG.UTF-8"; diff --git a/systems/modules/sops.nix b/systems/modules/sops.nix index 6caf200..a5e6925 100644 --- a/systems/modules/sops.nix +++ b/systems/modules/sops.nix 
@@ -1,4 +1,4 @@ -{ inputs, ... }: +{ inputs, config, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; sops = { @@ -13,6 +13,11 @@ }; cwp_jira_access_key = { }; cwp_jira_link = { }; + cargo_api_key = { + mode = "0440"; + owner = config.users.users.rafiq.name; + group = config.users.users.rafiq.group; + }; }; }; } diff --git a/users/modules/programs/zsh.nix b/users/modules/programs/zsh.nix index f5d36ed..e01926a 100644 --- a/users/modules/programs/zsh.nix +++ b/users/modules/programs/zsh.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, osConfig, ... }: { programs.zsh = { enable = true; @@ -12,6 +12,8 @@ '' # Bind CTRL+Backspace to delete whole word bindkey '^H' backward-kill-word + # Set Cargo Registry Token + export CARGO_REGISTRY_TOKEN="$(cat ${osConfig.sops.secrets.cargo_api_key.path})" ''; # TODO: Look into whether we need to add the history attribute profileExtra = # bash diff --git a/users/modules/sh.nix b/users/modules/sh.nix index e0ecfc3..d7af8bc 100644 --- a/users/modules/sh.nix +++ b/users/modules/sh.nix @@ -6,7 +6,6 @@ ./programs/direnv.nix ./programs/fzf.nix ./programs/git.nix - ./programs/cargo.nix ./programs/nvf.nix ./programs/starship.nix ./programs/tealdeer.nix
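Review bot: The new `cargo_api_key` entry in systems/modules/sops.nix sets `mode = "0440"` together with `group = config.users.users.rafiq.group`, so the decrypted registry token is readable by every member of that group and not only by rafiq. Which group that resolves to is not visible in this hunk; if it is a shared group (for example a common `users` group), any other account in it can read the token. Only the owner's shell reads the file, so `mode = "0400";` with the same `owner` is enough and the `group` line can be dropped.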
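Review bot: The `export CARGO_REGISTRY_TOKEN="$(cat …)"` line added to the zsh init snippet in users/modules/programs/zsh.nix puts the token into the environment of every interactive shell, so every process started from that shell inherits it, although only registry commands such as `cargo publish` need it. The Jira secrets in common.nix are exposed only as `*_FILE` path variables, which keeps the value on disk under the sops file mode; this line departs from that pattern. Consider scoping the read to the command that needs it, e.g. `cargo-publish() { CARGO_REGISTRY_TOKEN="$(< ${osConfig.sops.secrets.cargo_api_key.path})" command cargo publish "$@"; }`. As written, a missing or unreadable secret file also makes every shell start print a `cat` error and export an empty token. The enclosing string literal starts outside the hunk.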