diff --git a/flake.lock b/flake.lock
index b2a470a9..ff738f5b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -497,10 +497,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1704808668,
- "narHash": "sha256-9UICPzSeb95Euz609Av0G1TIAht6YGR1Ll9AOez+ZqA=",
+ "lastModified": 1704814015,
+ "narHash": "sha256-uvNwwjPrlgJqPL1Ur69z5oXcjgqy0StgjQ4H8azzjg4=",
 "ref": "refs/heads/main",
- "rev": "1848f43b60092ef3d50ca17ed60389a11771d380",
+ "rev": "80a45114b35740d4fed8135ce03bad9b84e4a2ad",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
diff --git a/home/base/desktop/password-store/default.nix b/home/base/desktop/password-store/default.nix
index 2d92ac90..9b41378c 100644
--- a/home/base/desktop/password-store/default.nix
+++ b/home/base/desktop/password-store/default.nix
@@ -1,4 +1,4 @@
-{pkgs, config, ...}: {
+{pkgs, config, lib, ...}: {
 programs.password-store = {
 enable = true;
 package = pkgs.pass.withExtensions (exts: [
@@ -12,6 +12,19 @@
 # See the “Environment variables” section of pass(1) and the extension man pages for more information about the available keys.
 settings = {
 PASSWORD_STORE_DIR = "${config.xdg.dataHome}/password-store";
+ # Overrides the default gpg key identification set by init.
+ # Hexadecimal key signature is recommended.
+ # Multiple keys may be specified separated by spaces.
+ PASSWORD_STORE_KEY = lib.strings.concatStringsSep " " [
+ "62526A4A0CF43E33" # E - Ryan Yin (Personal)
+ ];
+ # all .gpg-id files and non-system extension files must be signed using a detached signature using the GPG key specified by
+ # the full 40 character upper-case fingerprint in this variable.
+ # If multiple fingerprints are specified, each separated by a whitespace character, then signatures must match at least one.
+ # The init command will keep signatures of .gpg-id files up to date.
+ PASSWORD_STORE_SIGNING_KEY = lib.strings.concatStringsSep " " [
+ "433A66D63805BD1A" # S - Ryan Yin (Personal)
+ ];
 PASSWORD_STORE_CLIP_TIME = "60";
 PASSWORD_STORE_GENERATED_LENGTH = "15";
 PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
diff --git a/secrets/darwin.nix b/secrets/darwin.nix
index d43435b7..43922c19 100644
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
@@ -31,6 +31,12 @@
 owner = username;
 };
+ "ryan4yin-gpg-subkeys.priv" = {
+ file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+ mode = "0000";
+ owner = "root";
+ };
+
 # alias-for-work
 "alias-for-work.nushell" = {
 file = "${mysecrets}/alias-for-work.nushell.age";
@@ -62,6 +68,10 @@
 source = config.age.secrets."ssh-key-romantic".path;
 };
+ "agenix/ryan4yin-gpg-subkeys.priv" = {
+ source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+ };
+
 # The following secrets are used by home-manager modules
 # But nix-darwin doesn't support environment.etc..mode
 # So we need to change its mode manually
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
index f78b455f..b225bfe0 100644
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
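Review bot: The value given to PASSWORD_STORE_SIGNING_KEY, `"433A66D63805BD1A"`, is a 16-hex-digit long key ID, while the comment pasted directly above it (and pass(1)) says this variable must hold "the full 40 character upper-case fingerprint". As far as I recall, pass's verify_file only considers entries that are exactly 40 hex characters and skips everything else, so with this setting no .gpg-id signature can ever match and the store fails closed until the entry is replaced by the signing subkey's full fingerprint (listed by `gpg --fingerprint --fingerprint 433A66D63805BD1A`). The same full-fingerprint form is also the safer choice for PASSWORD_STORE_KEY: a 64-bit key ID is resolved by keyring lookup and is not an unambiguous identifier, whereas the fingerprint is, and pass accepts either there. Because PASSWORD_STORE_KEY overrides the store's .gpg-id recipients on this host, a short comment stating that the override is intentional (rather than a relic of `pass init`) would help the next reader.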
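Review bot: The new `"ryan4yin-gpg-subkeys.priv"` block in the @@ -31 hunk carries no comment about what the file is or how it is consumed, unlike the neighbouring `# alias-for-work` group, and with `mode = "0000"` and `owner = "root"` nothing in the user's session can read /etc/agenix/ryan4yin-gpg-subkeys.priv directly, so the intended consumer is not obvious from this commit. Suggest a heading such as `# GPG private subkeys (E + S) for ryan4yin — root-only on disk; import into the user keyring via sudo, not via home-manager` — adjust to however the key is actually loaded, since the import step is not part of this change. The enclosing attribute set starts outside the hunk.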
@@ -40,6 +40,12 @@
 owner = username;
 };
+ "ryan4yin-gpg-subkeys.priv" = {
+ file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+ mode = "0000";
+ owner = "root";
+ };
+
 # alias-for-work
 "alias-for-work.nushell" = {
 file = "${mysecrets}/alias-for-work.nushell.age";
@@ -72,6 +78,11 @@
 user = username;
 };
+ "agenix/ryan4yin-gpg-subkeys.priv" = {
+ source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+ mode = "0000";
+ };
+
 # The following secrets are used by home-manager modules
 # So we need to make then readable by the user
 "agenix/alias-for-work.nushell" = {
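Review bot: Adding `mode = "0000";` to the `environment.etc."agenix/ryan4yin-gpg-subkeys.priv"` entry in the @@ -72 hunk changes how NixOS materialises it: `environment.etc.<name>.mode` defaults to "symlink", and any other value makes the activation script copy the source into /etc with that mode instead of linking it. The age secret is already created root-owned with mode 0000 in the first hunk, so the copy tightens nothing, but it does leave a second plaintext copy of the private GPG subkeys on the persistent root filesystem under /etc/agenix/ (the agenix secret path itself is, as far as I recall, on a ramfs). Drop the `mode = "0000";` line so the /etc entry stays a symlink to `config.age.secrets."ryan4yin-gpg-subkeys.priv".path` and inherits its 0000 permissions, matching the darwin.nix entry in this commit which sets no mode; the entries below that set a mode do so to make files readable by the user, which is a different situation. The enclosing attribute set starts outside the hunk.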