feat: init password-store

flake.lock

@@ -497,10 +497,10 @@
     "mysecrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1704808668,
+        "lastModified": 1704814015,
-        "narHash": "sha256-9UICPzSeb95Euz609Av0G1TIAht6YGR1Ll9AOez+ZqA=",
+        "narHash": "sha256-uvNwwjPrlgJqPL1Ur69z5oXcjgqy0StgjQ4H8azzjg4=",
         "ref": "refs/heads/main",
-        "rev": "1848f43b60092ef3d50ca17ed60389a11771d380",
+        "rev": "80a45114b35740d4fed8135ce03bad9b84e4a2ad",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"

home/base/desktop/password-store/default.nix

@@ -1,4 +1,4 @@
-{pkgs, config, ...}: { 
+{pkgs, config, lib, ...}: { 
   programs.password-store = {
     enable = true;
     package = pkgs.pass.withExtensions (exts: [
@@ -12,6 +12,19 @@
     # See the “Environment variables” section of pass(1) and the extension man pages for more information about the available keys.
     settings = {
       PASSWORD_STORE_DIR = "${config.xdg.dataHome}/password-store";
+      # Overrides the default gpg key identification set by init. 
+      # Hexadecimal key signature is recommended.
+      # Multiple keys may be specified separated by spaces.
+      PASSWORD_STORE_KEY = lib.strings.concatStringsSep " " [
+        "62526A4A0CF43E33"  # E - Ryan Yin (Personal) <ryan4yin@linux.com>
+      ];
+      # all .gpg-id files and non-system extension files must be signed using a detached signature using the GPG key specified by
+      #   the full 40 character upper-case fingerprint in this variable.
+      # If multiple fingerprints are specified, each separated by a whitespace character, then signatures must match at least one. 
+      # The init command will keep signatures of .gpg-id files up to date.
+      PASSWORD_STORE_SIGNING_KEY = lib.strings.concatStringsSep " " [
+        "433A66D63805BD1A" # S - Ryan Yin (Personal) <ryan4yin@linux.com>
+      ];
       PASSWORD_STORE_CLIP_TIME = "60";
       PASSWORD_STORE_GENERATED_LENGTH = "15";
       PASSWORD_STORE_ENABLE_EXTENSIONS = "true";

secrets/darwin.nix

@@ -31,6 +31,12 @@
       owner = username;
     };
 
+    "ryan4yin-gpg-subkeys.priv" = {
+      file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+      mode = "0000";
+      owner = "root";
+    };
+
     # alias-for-work
     "alias-for-work.nushell" = {
       file = "${mysecrets}/alias-for-work.nushell.age";
@@ -62,6 +68,10 @@
       source = config.age.secrets."ssh-key-romantic".path;
     };
 
+    "agenix/ryan4yin-gpg-subkeys.priv" = {
+      source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+    };
+
     # The following secrets are used by home-manager modules
     # But nix-darwin doesn't support environment.etc.<name>.mode
     # So we need to change its mode manually

secrets/nixos.nix

@@ -40,6 +40,12 @@
       owner = username;
     };
 
+    "ryan4yin-gpg-subkeys.priv" = {
+      file = "${mysecrets}/ryan4yin-gpg-subkeys.priv.age";
+      mode = "0000";
+      owner = "root";
+    };
+
     # alias-for-work
     "alias-for-work.nushell" = {
       file = "${mysecrets}/alias-for-work.nushell.age";
@@ -72,6 +78,11 @@
       user = username;
     };
 
+    "agenix/ryan4yin-gpg-subkeys.priv" = {
+      source = config.age.secrets."ryan4yin-gpg-subkeys.priv".path;
+      mode = "0000";
+    };
+
     # The following secrets are used by home-manager modules
     # So we need to make then readable by the user
     "agenix/alias-for-work.nushell" = {