dotfiles/nixos/secrets.nix

{
  inputs,
  pkgs,
  ...
}: {
  home-manager.users.imalison = {config, ...}: {
    imports = [inputs.agenix.homeManagerModules.default];
    age.identityPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
    home.packages = [
      inputs.agenix.packages."${pkgs.stdenv.hostPlatform.system}".default
    ];
    age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;
    age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;
    age.secrets.gws-client-secret.file = ./secrets/gws-client-secret.json.age;

    home.sessionVariables.GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE = "${config.xdg.configHome}/gws/client_secret.json";

    systemd.user.services.import-gpg-key = {
      Unit = {
        Description = "Import GPG private key";
        After = ["agenix.service"];
        # 3 total retries
        StartLimitIntervalSec = 0;
        StartLimitBurst = 3;
      };

      Install.WantedBy = ["default.target"];
      Service = {
        Type = "oneshot";
        RestartSec = 5;
        Restart = "on-failure";
        ExecStart = let
          replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];
          path = replace config.age.secrets.gpg-keys.path;
          passphrasePath = replace config.age.secrets.gpg-passphrase.path;
          importScript = pkgs.writeShellScript "import-gpg-key" ''
            set -eu

            normalized_key_file="$(mktemp)"
            trap 'rm -f "$normalized_key_file"' EXIT

            # Some historical exports omitted the required blank line after the
            # armor header. GnuPG imports the keys but exits non-zero, which
            # leaves the unit in a failed state.
            awk '
              pending_blank {
                if ($0 != "") {
                  print ""
                }
                pending_blank = 0
              }
              { print }
              /^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {
                pending_blank = 1
              }
            ' ${path} > "$normalized_key_file"

            exec ${pkgs.gnupg}/bin/gpg \
              --batch \
              --pinentry-mode loopback \
              --passphrase-file ${passphrasePath} \
              --import "$normalized_key_file"
          '';
        in "${importScript}";
      };
    };

    systemd.user.services.link-gws-client-secret = {
      Unit = {
        Description = "Link gws client secret";
        After = ["agenix.service"];
      };

      Install.WantedBy = ["default.target"];
      Service = {
        Type = "oneshot";
        ExecStart = let
          replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];
          secretPath = replace config.age.secrets.gws-client-secret.path;
          linkScript = pkgs.writeShellScript "link-gws-client-secret" ''
            set -eu

            config_dir="${config.xdg.configHome}/gws"
            target="${secretPath}"
            link_path="$config_dir/client_secret.json"

            mkdir -p "$config_dir"
            ln -sfn "$target" "$link_path"
          '';
        in "${linkScript}";
      };
    };
  };
}
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`{`
			`inputs,`
			`pkgs,`
			`...`
			`}: {`
			`home-manager.users.imalison = {config, ...}: {`
			`imports = [inputs.agenix.homeManagerModules.default];`
			`age.identityPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`home.packages = [`
Add codex 0.92.0 PR patch and fix deprecation warnings - Add nixpkgs PR 483705 to bump codex from 0.89.0 to 0.92.0 - Disable overlay version overrides in favor of PR patches - Replace deprecated pkgs.system with pkgs.stdenv.hostPlatform.system - Replace deprecated xfce.thunar with thunar Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 00:15:33 -08:00			`inputs.agenix.packages."${pkgs.stdenv.hostPlatform.system}".default`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`];`
			`age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;`
[NixOS] Provide passphrase when importing gpg key 2023-08-22 19:14:08 -06:00			`age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;`
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`age.secrets.gws-client-secret.file = ./secrets/gws-client-secret.json.age;`

			`home.sessionVariables.GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE = "${config.xdg.configHome}/gws/client_secret.json";`

[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`systemd.user.services.import-gpg-key = {`
			`Unit = {`
			`Description = "Import GPG private key";`
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`After = ["agenix.service"];`
[NixOS] Allow retries of import key 2023-08-22 18:07:27 -06:00			`# 3 total retries`
			`StartLimitIntervalSec = 0;`
			`StartLimitBurst = 3;`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`};`
[NixOS] Wait for agenix to try to import gpg key 2023-08-22 18:00:31 -06:00
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`Install.WantedBy = ["default.target"];`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`Service = {`
			`Type = "oneshot";`
[NixOS] Allow retries of import key 2023-08-22 18:07:27 -06:00			`RestartSec = 5;`
fix(nixos): normalize GPG key imports 2026-03-31 16:27:16 -07:00			`Restart = "on-failure";`
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`ExecStart = let`
			`replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];`
			`path = replace config.age.secrets.gpg-keys.path;`
			`passphrasePath = replace config.age.secrets.gpg-passphrase.path;`
			`importScript = pkgs.writeShellScript "import-gpg-key" ''`
			`set -eu`

			`normalized_key_file="$(mktemp)"`
			`trap 'rm -f "$normalized_key_file"' EXIT`

			`# Some historical exports omitted the required blank line after the`
			`# armor header. GnuPG imports the keys but exits non-zero, which`
			`# leaves the unit in a failed state.`
			`awk '`
			`pending_blank {`
			`if ($0 != "") {`
			`print ""`
fix(nixos): normalize GPG key imports 2026-03-31 16:27:16 -07:00			`}`
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`pending_blank = 0`
			`}`
			`{ print }`
			`/^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {`
			`pending_blank = 1`
			`}`
			`' ${path} > "$normalized_key_file"`

			`exec ${pkgs.gnupg}/bin/gpg \`
			`--batch \`
			`--pinentry-mode loopback \`
			`--passphrase-file ${passphrasePath} \`
			`--import "$normalized_key_file"`
			`'';`
			`in "${importScript}";`
			`};`
			`};`

			`systemd.user.services.link-gws-client-secret = {`
			`Unit = {`
			`Description = "Link gws client secret";`
			`After = ["agenix.service"];`
			`};`

			`Install.WantedBy = ["default.target"];`
			`Service = {`
			`Type = "oneshot";`
			`ExecStart = let`
			`replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];`
			`secretPath = replace config.age.secrets.gws-client-secret.path;`
			`linkScript = pkgs.writeShellScript "link-gws-client-secret" ''`
			`set -eu`

			`config_dir="${config.xdg.configHome}/gws"`
			`target="${secretPath}"`
			`link_path="$config_dir/client_secret.json"`

			`mkdir -p "$config_dir"`
			`ln -sfn "$target" "$link_path"`
			`'';`
			`in "${linkScript}";`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`};`
			`};`
Update local desktop and secrets configuration 2026-04-12 14:58:33 -07:00			`};`
[NixOS] Set up agenix and auto import gpg key 2023-08-22 15:48:29 -06:00			`}`