接入 sops 管理 SSH 配置与私钥

home/hosts/eris.nix

@@ -11,6 +11,7 @@
     ../modules/shell-develop.nix
     ../modules/vscode.nix
     ../modules/gnome-dconf.nix
+    ../modules/ssh.nix
   ];
 
   home.packages = with pkgs;[

home/hosts/hypnos.nix

@@ -14,6 +14,7 @@
     ../modules/shell-develop.nix
     ../modules/zsh.nix
     ../modules/llm.nix
+    ../modules/ssh.nix
   ];
 
   programs.zsh.shellAliases = {

home/hosts/metis.nix

@@ -8,5 +8,6 @@
     ../modules/shell.nix
     ../modules/zsh.nix
     ../modules/shell-develop.nix
+    ../modules/ssh.nix
   ];
 }

home/modules/ssh.nix

@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+{
+  sops = {
+    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+    defaultSopsFile = ../../secrets/ssh-config.yaml;
+  };
+
+  home.file.".ssh" = {
+    source = ./ssh;
+    recursive = true;
+  };
+
+  home.activation.sshDirPerms = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    if [ -d "$HOME/.ssh" ]; then
+      chmod 700 "$HOME/.ssh"
+    fi
+  '';
+
+  sops.secrets."ssh-config" = {
+    path = "${config.home.homeDirectory}/.ssh/config";
+    mode = "600";
+  };
+  sops.secrets."ssh-private" = {
+    sopsFile = ../../secrets/ssh-private.yaml;
+    path = "${config.home.homeDirectory}/.ssh/id_ed25519";
+    mode = "600";
+  };
+
+}

home/modules/ssh/ssh/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyrUiSdpTC+vP+pNDChehLG+ChYL2By2LtjmVJiHmaf origami@eris

home/modules/zsh/.zsh.d/nix.zsh

@@ -0,0 +1,38 @@
+#!/usr/bin/env zsh
+
+sops-update-file() {
+  local src_file="$1"
+  local yaml_file="$2"
+  local age_key_file="$HOME/.config/sops/age/keys.txt"
+
+  if [[ -z "$src_file" || -z "$yaml_file" ]]; then
+    echo "用法: sops-update-file <原文件> <yaml文件>" >&2
+    return 1
+  fi
+
+  if [[ ! -f "$src_file" ]]; then
+    echo "找不到原文件: $src_file" >&2
+    return 1
+  fi
+
+  if [[ ! -f "$age_key_file" ]]; then
+    echo "找不到 age 私钥: $age_key_file" >&2
+    return 1
+  fi
+
+  local key_name="${yaml_file:t:r}"
+  local age_pub
+  age_pub="$(nix-shell -p age --run "age-keygen -y $age_key_file")" || return 1
+
+  local tmp
+  tmp="$(mktemp /tmp/sops-update.XXXXXX.yaml)" || return 1
+  {
+    echo "${key_name}: |"
+    sed 's/^/  /' "$src_file"
+  } > "$tmp"
+
+  nix-shell -p sops --run "sops --encrypt --input-type yaml --output-type yaml --age $age_pub --config /dev/null $tmp" > "$yaml_file"
+  local rc=$?
+  rm -f "$tmp"
+  return $rc
+}

home/modules/zsh/.zshrc

@@ -12,6 +12,7 @@ source "$ZSHD/pdf.zsh"
 source "$ZSHD/completion.zsh"
 source "$ZSHD/modern-utils.zsh"
 source "$ZSHD/develop.zsh"
+source "$ZSHD/nix.zsh"
 
 # allow using # at begin
 setopt interactivecomments