| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 19:53:00 +1100 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 19:53:00 +1100 |
| commit | 6456bd1bb272de217f08228534c5bc9c3796be73 (patch) | |
| tree | 3e2a8f8087b381748df5517dd8aed41cc9d95729 | |
| parent | 6f11c79d88e692bebb69b2e12bfde9f52f8df55c (diff) | |
fix secret BS
| -rw-r--r-- | labsrv01/configuration.nix | 2 | ||||
| -rw-r--r-- | labsrv01/home.nix | 31 | ||||
| -rw-r--r-- | labsrv01/zsh-config.zsh | 3 |
3 files changed, 23 insertions, 13 deletions
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index 81dae08..eda606d 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -68,7 +68,7 @@
 hashedPasswordFile = config.sops.secrets.kj_hashed_password.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
- "ssh-ed25519 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
 ];
 };
 };
diff --git a/labsrv01/home.nix b/labsrv01/home.nix
index b016b9e..c5b5989 100644
--- a/labsrv01/home.nix
+++ b/labsrv01/home.nix
@@ -81,16 +81,23 @@
 services.gpg-agent = {
 enable = true;
 };
- home.activation.importGpgPrivateKey = config.lib.dag.entryAfter ["sops-nix" "onFilesChange"] ''
- export GNUPGHOME="${config.programs.gpg.homedir}"
- run ${pkgs.gnupg}/bin/gpg --batch --verbose --trust-model always --import "${config.sops.secrets.kj_gpg_private_key.path}"
- echo "GPG private key imported from sops secret"
- '';
- home.activation.setSSHPublicKey = config.lib.dag.entryAfter ["sops-nix" "onFilesChange"] ''
- writeSSHKeygenPublicPart() {
- ${pkgs.openssh}/bin/ssh-keygen -y -f ~/.ssh/id_ed25519 | tee ~/.ssh/id_ed25519.pub
- }
- echo "Setting SSH public key from private part"
- run writeSSHKeygenPublicPart
- '';
+ systemd.user.services.manage-secrets = {
+ Unit = {
+ Description = "Import GPG and SSH keys from sops secrets";
+ After = [ "sops-nix.service" ];
+ Requires = [ "sops-nix.service" ];
+ };
+ Service = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = toString (pkgs.writeShellScript "manage-secrets" ''
+ export GNUPGHOME="${config.programs.gpg.homedir}"
+ ${pkgs.gnupg}/bin/gpg --batch --verbose --trust-model always --import "${config.sops.secrets.kj_gpg_private_key.path}"
+ ${pkgs.openssh}/bin/ssh-keygen -y -f "${config.home.homeDirectory}/.ssh/id_ed25519" > "${config.home.homeDirectory}/.ssh/id_ed25519.pub"
+ '');
+ };
+ Install = {
+ WantedBy = [ "default.target" ];
+ };
+ };
 }
diff --git a/labsrv01/zsh-config.zsh b/labsrv01/zsh-config.zsh
index 8ef8747..a1039a4 100644
--- a/labsrv01/zsh-config.zsh
+++ b/labsrv01/zsh-config.zsh
@@ -43,3 +43,6 @@ prompt_themes+=( gentoo )
 # Use the gentoo prompt
 prompt gentoo
+
+# Make sure GPG & SSH keys are properly imported
+systemctl --user start --wait manage-secrets.service 2>/dev/null || true
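Review bot: The script handed to `pkgs.writeShellScript` in the new `ExecStart` has no `set -e`, so when the `gpg --import` line fails the oneshot unit still reports success as long as the following `ssh-keygen` exits 0, and the `>` redirect on the last line truncates `id_ed25519.pub` before `ssh-keygen -y` runs, so a private key that is missing or not yet decrypted leaves an empty public-key file in place. I would start the script with `set -eu` and write the public part to a temporary file that is renamed into place only on success, as below. `Requires`/`After` on `sops-nix.service` cover the GPG secret path, but nothing in the hunk shows where `~/.ssh/id_ed25519` comes from; presumably it is also a sops-managed secret, and a one-line comment on the unit saying so would help the next reader. The enclosing attribute set of home.nix starts outside the hunk.
```nix
        # … unchanged: Unit section, Type, RemainAfterExit …
        ExecStart = toString (pkgs.writeShellScript "manage-secrets" ''
          set -eu
          export GNUPGHOME="${config.programs.gpg.homedir}"
          ${pkgs.gnupg}/bin/gpg --batch --verbose --trust-model always --import "${config.sops.secrets.kj_gpg_private_key.path}"
          # derive the public part into a temp file first so a failed ssh-keygen never leaves an empty .pub behind
          pub="${config.home.homeDirectory}/.ssh/id_ed25519.pub"
          ${pkgs.openssh}/bin/ssh-keygen -y -f "${config.home.homeDirectory}/.ssh/id_ed25519" > "$pub.tmp"
          mv "$pub.tmp" "$pub"
        '');
        # … unchanged: Install section …
```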
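Review bot: `2>/dev/null || true` on the new `systemctl --user start --wait` line hides every failure of manage-secrets.service from the user, so a broken key import only surfaces later as an unusable GPG or SSH key; dropping the stderr redirect, or replacing the tail with `|| echo 'manage-secrets.service failed; see journalctl --user -u manage-secrets' >&2`, keeps shell startup non-fatal while making the failure visible. Because the unit has `RemainAfterExit = true`, a successful run makes later starts a no-op, but after a failure every new interactive shell will block on `--wait` for another import attempt; if that is not intended, the hook could be gated on `systemctl --user is-active --quiet manage-secrets.service`. The redirect also masks the case where no user manager is reachable at all, which may be why it was added — if so, a short comment above the line saying so would explain the swallow.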
