feat: move user secrets to user dir and add github ssh secret

reference/hosts/demeter/default.nix

@@ -8,8 +8,6 @@
     [
       ./configuration.nix
       ../../modules
-      ../../secrets
-      ../../users/youwen/nixos.nix
       self.nixosModules.liminalOS
       {
         home-manager.users.youwen = {

reference/modules/default.nix

@@ -1,5 +1,10 @@
 { config, ... }:
 {
+  imports = [
+    ../secrets/nixos
+    ../users/youwen/nixos.nix
+  ];
+
   nix.extraOptions = ''
     !include ${config.age.secrets.nix_config_github_pat.path}
   '';

reference/secrets/nixos/default.nix

@@ -0,0 +1,16 @@
+{
+  age.secrets = {
+    nix_config_github_pat = {
+      file = ./nix_config_github_pat.age;
+      owner = "youwen";
+      group = "users";
+      mode = "0440";
+    };
+    # github_ssh_priv_key = {
+    #   file = ./github_ssh_priv_key.age;
+    #   mode = "600";
+    #   owner = "root";
+    #   # path = "${config.home.homeDirectory}/.ssh/github_ssh_priv_key";
+    # };
+  };
+}

reference/secrets/nixos/secrets.nix

@@ -0,0 +1,11 @@
+let
+  youwen = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrIRHcvh0fxYNc0sukl8nSGRU8z1RjRmuc20iuk9TUqAxeew+0pSvY9lU4vshhrcGUe2OKIxgKJ76xdfGRw5ofmmd5Fr4If6tzWAWdE6Jr3J/w58YL6/ISOyRwjTserjWFIaO41y9OuLzf3UtzBF/1zexnGwq2lMJ7MAi0JNJ5O+umgrcnF1BDWyw7ymVkiQTruJ3LV2XgJDpOKQlFnVGKgYyMgVGeGYjiZO9Sj8edq1ZFeEH1jN5TnAdnqsiwhFgZpCrBxFFZKohuQLyH+QaOmBsdgSZwsg4Prndtxp5GTrknupPCgEWJ1rgvykEchYajeWQLxyeW/O/4iSST7VLKS7dgzUHZ5Dxf/QP1iCSeJqCIIJssuIslMK1vYmJZYk098ZDlLrFCLepQqy0YGvZe4OVP4BK4UNu5DKKLTpPNwDnyf1NSNTT2q2TsWXKWBDl1eurX9MBR24ZQEoP0gvcnTKr+2rheOTWJ5asDswEWphp5zQxBjztPGe55H0zjnqk= youwen@demeter";
+  users = [ youwen ];
+
+  demeter = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDdcVbgUyQb+W3UjmYb3K9l9jkq/NkTSWAGFUJczJ07kEAg9nUUEfU6RGMCzCEbwWsVpNZysRfef6nxerQBcKiRz/bLUocFl/80ZoylQuxkWU8cvGdImFCtP76YKoVNwuHS0R31Qi90zQLnxs1oLmULSACH6Mw7+suYkVtH1prQdUHdx2bcOPqFk8Qpm8WuRNHxEbrFNuHNarHF3XHo/iIgJh8OeMbwE+MtoZCSfPMEnWGg4nKal3fQ3GO21wUyIZIZrSCMiYKzfvWrlLhd8rkKbGp+VRNe3m5q7k5p+pGSJMYHTRaGwOGY92L+GJOjjr/HrloINiEMC82zmUWctXQhK+4ni3ssPmOesEblfr9tXfwU0Xh0zNhqeljw/ptaZrM3k/yMW4h1DgI9BeBwcNcYqaHLwX6IqG5b8XxI+/JQniQmZIZM+kBx6GyZFrPxM84XWxhwjRKnn4oBU8kVn3RBlNwz3AFIjGpOh86Rd343X8Q6JbrMT/z17bL6StKXZfUFqgOWEs/JJEHT/DWKL2zF2ppqa5ZuJhzevrtKfAxomURXnQ77MPCUtbo2PFHmcl3fUD+yS2GD/8a492rUlCG2d5FS7KfW3L9rQwTnNBqQMGUu1Uc6qz5LWLEF7yoBtdKKZ3Y4lyPP3/lAQPs5j0Jx+coBdySca3xrmmvMj4/aIQ== root@nixos";
+  systems = [ demeter ];
+in
+{
+  "nix_config_github_pat.age".publicKeys = users ++ systems;
+  "github_ssh_priv_key.age".publicKeys = users ++ systems;
+}

reference/users/youwen/hm.nix

@@ -1,13 +1,11 @@
-{ osConfig, pkgs, ... }:
+{ config, osConfig, ... }:
-let
-  inherit (osConfig.age) secrets;
-  gpgSig = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
-  oauth = pkgs.fetchurl {
-    url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
-    hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
-  };
-in
 {
+
+  imports = [
+    ./secrets
+    ./neomutt.nix
+  ];
+
   home = {
     username = "youwen";
     homeDirectory = "/home/youwen";
@@ -22,100 +20,21 @@ in
     userEmail = "youwenw@gmail.com";
     signing = {
       signByDefault = true;
-      key = gpgSig;
+      key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
     };
   };
 
-  home.packages = [
+  programs.ssh = {
-    # a script to automatically refresh oauth token for gsuite
-    (pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
-      ${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
-        --provider google \
-        --verbose \
-        --test \
-        --authorize \
-        --authflow localhostauthcode \
-        --client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
-        --client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
-    '')
-  ];
-
-  programs.neomutt = {
     enable = true;
-    editor = "nvim";
+    matchBlocks = {
-    sidebar.enable = true;
+      "code.youwen.dev" = {
-    sort = "reverse-date-received";
+        host = "code.youwen.dev";
-    vimKeys = true;
+        port = 222;
-    checkStatsInterval = 60;
-
-    # without this, neomutt won't use the cache because the messages directory
-    # doesn't exist
-    extraConfig = ''
-      set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
-
-      macro index,pager \cs "<pipe-message> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
-      macro attach,compose \cs "<pipe-entry> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
-    '';
-  };
-
-  accounts.email.accounts = {
-    "youwenw" = {
-      address = "youwenw@gmail.com";
-      flavor = "gmail.com";
-      userName = "youwenw";
-      primary = true;
-      realName = "Youwen Wu";
-      gpg.encryptByDefault = true;
-      gpg.signByDefault = true;
-      gpg.key = gpgSig;
-      folders.drafts = "[Gmail]/Drafts";
-      neomutt = {
-        enable = true;
-        mailboxType = "imap";
       };
-      passwordCommand = "cat ${secrets.youwen_app_password.path}";
+      "github" = {
-    };
+        host = "github.com";
-
+        identityFile = config.age.secrets.github_ssh_priv_key.path;
-    "tincan" = {
-      address = "tincangto@gmail.com";
-      flavor = "gmail.com";
-      userName = "tincangto";
-      realName = "Youwen Wu";
-      folders = {
-        drafts = "[Gmail]/Drafts";
-        trash = "[Gmail]/Trash";
       };
-      neomutt = {
-        enable = true;
-        mailboxType = "imap";
-      };
-      passwordCommand = "cat ${secrets.tincan_app_password.path}";
-    };
-
-    "youwen_ucsb" = {
-      address = "youwen@ucsb.edu";
-      flavor = "gmail.com";
-      userName = "youwen_ucsb";
-      realName = "Youwen Wu";
-      gpg.encryptByDefault = true;
-      gpg.signByDefault = true;
-      gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
-      folders.drafts = "[Gmail]/Drafts";
-      neomutt = {
-        enable = true;
-        mailboxType = "imap";
-
-        extraConfig = ''
-          unset passwordCommand
-          set imap_user = "youwen@ucsb.edu"
-          set imap_authenticators="oauthbearer:xoauth2"
-          set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
-
-          set smtp_authenticators = ''${imap_authenticators}
-          set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
-        '';
-      };
-      passwordCommand = "";
     };
   };
 }

reference/users/youwen/neomutt.nix

@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+let
+  inherit (config.age) secrets;
+  oauth = pkgs.fetchurl {
+    url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
+    hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
+  };
+in
+{
+  programs.neomutt = {
+    enable = true;
+    editor = "nvim";
+    sidebar.enable = true;
+    sort = "reverse-date-received";
+    vimKeys = true;
+    checkStatsInterval = 60;
+
+    # without this, neomutt won't use the cache because the messages directory
+    # doesn't exist
+    extraConfig = ''
+      set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
+
+      macro index,pager \cs "<pipe-message> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
+      macro attach,compose \cs "<pipe-entry> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
+    '';
+  };
+
+  accounts.email.accounts = {
+    "youwenw" = {
+      address = "youwenw@gmail.com";
+      flavor = "gmail.com";
+      userName = "youwenw";
+      primary = true;
+      realName = "Youwen Wu";
+      gpg.encryptByDefault = true;
+      gpg.signByDefault = true;
+      gpg.key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
+      folders.drafts = "[Gmail]/Drafts";
+      neomutt = {
+        enable = true;
+        mailboxType = "imap";
+      };
+      passwordCommand = "cat ${secrets.youwen_app_password.path}";
+    };
+
+    "tincan" = {
+      address = "tincangto@gmail.com";
+      flavor = "gmail.com";
+      userName = "tincangto";
+      realName = "Youwen Wu";
+      folders = {
+        drafts = "[Gmail]/Drafts";
+        trash = "[Gmail]/Trash";
+      };
+      neomutt = {
+        enable = true;
+        mailboxType = "imap";
+      };
+      passwordCommand = "cat ${secrets.tincan_app_password.path}";
+    };
+
+    "youwen_ucsb" = {
+      address = "youwen@ucsb.edu";
+      flavor = "gmail.com";
+      userName = "youwen_ucsb";
+      realName = "Youwen Wu";
+      gpg.encryptByDefault = true;
+      gpg.signByDefault = true;
+      gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
+      folders.drafts = "[Gmail]/Drafts";
+      neomutt = {
+        enable = true;
+        mailboxType = "imap";
+
+        extraConfig = ''
+          unset passwordCommand
+          set imap_user = "youwen@ucsb.edu"
+          set imap_authenticators="oauthbearer:xoauth2"
+          set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
+
+          set smtp_authenticators = ''${imap_authenticators}
+          set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
+        '';
+      };
+      passwordCommand = "";
+    };
+  };
+
+  home.packages = [
+    # a script to automatically refresh oauth token for gsuite
+    (pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
+      ${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
+        --provider google \
+        --verbose \
+        --test \
+        --authorize \
+        --authflow localhostauthcode \
+        --client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
+        --client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
+    '')
+  ];
+}

reference/users/youwen/secrets/default.nix

@@ -1,41 +1,30 @@
+{ config, ... }:
 {
   age.secrets = {
     youwen_app_password = {
       file = ./youwenw_app_password.age;
-      owner = "youwen";
-      group = "users";
       mode = "600";
     };
     youwen_ucsb_client_id = {
       file = ./youwen_ucsb_client_id.age;
-      owner = "youwen";
-      group = "users";
       mode = "600";
     };
     youwen_ucsb_client_secret = {
       file = ./youwen_ucsb_client_secret.age;
-      owner = "youwen";
-      group = "users";
       mode = "600";
     };
     tincan_app_password = {
       file = ./tincan_app_password.age;
-      owner = "youwen";
-      group = "users";
       mode = "600";
     };
     github_cli_secret_config = {
       file = ./github_cli_secret_config.age;
-      owner = "youwen";
-      group = "users";
       mode = "600";
-      path = "/home/youwen/.config/gh/hosts.yml";
+      path = "${config.home.homeDirectory}/.config/gh/hosts.yml";
     };
-    nix_config_github_pat = {
+    github_ssh_priv_key = {
-      file = ./nix_config_github_pat.age;
+      file = ./github_ssh_priv_key.age;
-      owner = "youwen";
+      mode = "600";
-      group = "users";
-      mode = "0440";
     };
   };
 }

reference/users/youwen/secrets/secrets.nix

@@ -11,5 +11,5 @@ in
   "youwen_ucsb_client_secret.age".publicKeys = users ++ systems;
   "tincan_app_password.age".publicKeys = users ++ systems;
   "github_cli_secret_config.age".publicKeys = users ++ systems;
-  "nix_config_github_pat.age".publicKeys = users ++ systems;
+  "github_ssh_priv_key.age".publicKeys = users ++ systems;
 }