git: sign commits if ssh verficiations unlock a secret password (#79)

theorderingmachine · zimeg · web-flow · commit 8654d8845e24 · 2026-03-28T23:48:46.000-07:00
Co-authored-by: @zimeg <zim@o526.net> Co-authored-by: Eden Zimbelman <eden.zimbelman@salesforce.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes.
 
 ## patches
 
+- `git`: sign commits if ssh verficiations unlock a secret password 2026-03-28
 - `codex`: call additional provider for agentic development process 2026-03-28
 - `node`: follow the unstable channels for active releases in shell 2026-03-28
 - `git`: skip signing commits with default unused as warning appear 2026-03-28
diff --git a/machines/puma/programs/git/default.nix b/machines/puma/programs/git/default.nix
@@ -2,10 +2,21 @@
 {
   programs.git = {
     settings = {
+      gpg = {
+        ssh = {
+          allowedSignersFile = "~/.config/git/allowed_signers";
+        };
+      };
       user = {
         email = "zim@o526.net";
         name = "@zimeg";
       };
     };
+    signing = {
+      key = "~/.ssh/id_ed25519";
+    };
   };
+  home.file.".config/git/allowed_signers".text = ''
+    zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZQSWnGNtSoSAaK90h3FYsxTlevad8+BpTzR2DwiT1C
+  '';
 }
diff --git a/machines/tim/configuration.nix b/machines/tim/configuration.nix
@@ -54,43 +54,63 @@
     };
     secrets = {
       "github/runners/dotfiles" = {
-        owner = "dotfiles";
-        group = "dotfiles";
+        group = "_github-runner";
+        owner = "_github-runner";
+        path = "/run/secrets/github/runners/dotfiles";
       };
-      "github/ssh" = {
-        key = "ssh/private";
-        owner = "dotfiles";
-        group = "dotfiles";
+      "github/accounts/theorderingmachine" = {
+        key = "ssh/accounts/theorderingmachine/private";
+        group = "_github-runner";
+        owner = "_github-runner";
+        path = "/run/secrets/github/accounts/theorderingmachine";
       };
-      "ssh/public" = {
+      "ssh/accounts/theorderingmachine/private" = {
         owner = input.config.users.users.ez.name;
-        path = "/Users/ez/.ssh/id_ed25519.pub";
+        path = "/Users/ez/.ssh/accounts/theorderingmachine";
+      };
+      "ssh/accounts/theorderingmachine/public" = {
+        owner = input.config.users.users.ez.name;
+        path = "/Users/ez/.ssh/accounts/theorderingmachine.pub";
+      };
+      "ssh/accounts/zimeg/private" = {
+        owner = input.config.users.users.ez.name;
+        path = "/Users/ez/.ssh/accounts/zimeg";
       };
-      "ssh/private" = {
+      "ssh/accounts/zimeg/public" = {
+        owner = input.config.users.users.ez.name;
+        path = "/Users/ez/.ssh/accounts/zimeg.pub";
+      };
+      "ssh/default/private" = {
+        key = "ssh/accounts/theorderingmachine/private";
         owner = input.config.users.users.ez.name;
         path = "/Users/ez/.ssh/id_ed25519";
       };
+      "ssh/default/public" = {
+        key = "ssh/accounts/theorderingmachine/public";
+        owner = input.config.users.users.ez.name;
+        path = "/Users/ez/.ssh/id_ed25519.pub";
+      };
     };
   };
   system = {
     configurationRevision = self.rev or self.dirtyRev or null;
     stateVersion = 5;
   };
   users = {
-    knownGroups = [ "dotfiles" ];
-    knownUsers = [ "dotfiles" ];
+    knownGroups = [ "_github-runner" ];
+    knownUsers = [ "_github-runner" ];
     groups = {
-      dotfiles = {
-        gid = 534;
+      _github-runner = {
+        gid = 533;
       };
     };
     users = {
-      dotfiles = {
-        createHome = true;
-        gid = 534;
-        home = "/private/var/lib/dotfiles";
-        name = "dotfiles";
-        uid = 534;
+      _github-runner = {
+        createHome = false;
+        gid = 533;
+        home = "/private/var/lib/github-runners";
+        name = "_github-runner";
+        uid = 533;
       };
       ez = {
         home = /Users/ez;
diff --git a/machines/tim/home.nix b/machines/tim/home.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./programs/gh
+    ./programs/ssh
     ./programs/wd
   ];
 }
diff --git a/machines/tim/programs/gh/README.md b/machines/tim/programs/gh/README.md
@@ -0,0 +1,9 @@
+# gh
+
+swapping accounts in certain projects takes commands:
+
+```sh
+$ git config user.name "@zimeg"
+$ git config user.email "zim@o526.net"
+$ git config user.signingKey "~/.ssh/accounts/zimeg"
+```
diff --git a/machines/tim/programs/gh/default.nix b/machines/tim/programs/gh/default.nix
@@ -10,10 +10,22 @@
   };
   programs.git = {
     settings = {
+      gpg = {
+        ssh = {
+          allowedSignersFile = "~/.config/git/allowed_signers";
+        };
+      };
       user = {
         email = "tom@deorr.co";
         name = "@theorderingmachine";
       };
     };
+    signing = {
+      key = "~/.ssh/accounts/theorderingmachine";
+    };
   };
+  home.file.".config/git/allowed_signers".text = ''
+    tom@deorr.co ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEZymM2zPOY+aa0nDpUlvWqA5q74zrNS8uzJN6/84DQ
+    zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+dGTTCom1yRR0tjxJSFMSgMpGhAULcMqeTA6dF0hrD
+  '';
 }
diff --git a/machines/tim/programs/ssh/default.nix b/machines/tim/programs/ssh/default.nix
@@ -0,0 +1,15 @@
+# https://github.com/openssh/openssh-portable
+{
+  programs.ssh.matchBlocks = {
+    theorderingmachine = {
+      hostname = "github.com";
+      identitiesOnly = true;
+      identityFile = "~/.ssh/accounts/theorderingmachine";
+    };
+    zimeg = {
+      hostname = "github.com";
+      identitiesOnly = true;
+      identityFile = "~/.ssh/accounts/zimeg";
+    };
+  };
+}
diff --git a/machines/tim/secrets/vault.yaml b/machines/tim/secrets/vault.yaml
@@ -1,21 +1,26 @@
 github:
     runners:
-        dotfiles: ENC[AES256_GCM,data:DnuiyzT8zyHIkfd0gds1//PSjv1PSOo/9a/JnFqQLW5QrMxEkQfgi37l2doVP84SDBjJF2vcuYNaoB/MCLUbbDrmh4+xIOLgrB5murLRs6n4n3MrLbefh7lIipeu,iv:LU1quTHniQWWSBtrwsY0dZwqzp58cMYXyvkmBJWgoX8=,tag:M7WjyNC4aj/kgDNrGZhpsA==,type:str]
+        dotfiles: ENC[AES256_GCM,data:CLkBrlPi2KXyC5uw0Xzvcw6v2pMbbxj/ZPpg9P3F1XQ++mtp6TyjoMwv7JUZxjwxAxU5bMUjmuE9Ge1j4GHHDdTwsEfhhntaZTRUmUCJo1Hy+N4XbQuB/gUuv9c5,iv:4uBGUllCDuVSo0IG6qHb8kHNxQIOnc1YMHHDJwBTinQ=,tag:jhbcKoqGN2U+baJuRbYegA==,type:str]
 ssh:
-    public: ENC[AES256_GCM,data:4sdsm6WRY1ELv8N20zsiCdG19fmyvdWrse7GmYFzlR/MdkIRIWXZLcawEYW6tEk4FOGQDtWc82rSP6dCzAEywYHFrIS4lVzTMztF+5sOaEgcfoqLHuEpc1rOLaRD,iv:Iy6MIjOHkHb1J2Y7M+cDNyWfRIrGdb1HMFZEQkXl/Xk=,tag:7IXbitgZEFTnrMHOym2WJg==,type:str]
-    private: ENC[AES256_GCM,data:9I8Noox6cFuQOgYhDVaSKsr/bTi1GbRWMrvPiJr3oZRz0f+fKOrVFSDxIwmC40O/rAlToQQHf0rY2KhriT0TWweIVwnCCTMDNcyXUw0GVxVcUlMo/fkXrUsuZnxUHwyPefYDrvjnqKYNKOT2XG2pjiOMt36YM1QHb8uME72wnDz5LlgdhjcaFR5uepTHwZRfJkOcc80xWirEFEikTxKTikYWcoXyGvEMidIVYQqNicFFdvYJ9rk5k7yZ/3hhMNo/6GwFWl6XP/S8JP8URLQZlLFT0UmV5p9jEVBYnUuT6Y4pcYFKYtAVFNnTvDe25GUjMCf8kgOoyzhGaxWPtf6oU15jNHxL1vYItlHgV4JXWbuh7wu3SRAKCEtFW+zAH9lZFv99xXuYxWqQVU0KIfsd9RRZJCHsB2/YnPhVVTtdQPbyKQ8R1UxyP0F7Rp0X9I0u9hm5r8SbRAnkhbJoVmQdJGMY+gCiB6L7RkLRqDEzkYatpqry9kTMvzAkQu1WKTbCmWd2UN7TvPW2BYpraibm,iv:KTjokJcK0hcLx0yaWswdPioMJc0+bHYbpcuFm6o99D4=,tag:FtDChakJm1ox8sJ3LJC0ww==,type:str]
+    accounts:
+        theorderingmachine:
+            private: ENC[AES256_GCM,data:YiLC08VqAkNasy50FK0IwOwe4o/0S4eQ7ElXEnhTrLeK94Qk/IpSiw3D5EVY7E8JmydBQsBT7M4M6Qx3TXNMq//1kaPbQPQkSKIw1Dv/hf1I5OVAeXiP8DMLy3vcWDMutZptjdt0OCkAzh9pCvU52dtKu1zUWkh05KEuHOiXso7bcihL/B9EeqjPpnUxzk/cgOx80gFmjH2yr7YH1kzo+0d00FI1rRh0xicIefD3HBB8o3gx4LDWUp8x1ICft+OrXIRO7ly7zLJXsxtyPZmEH3U0SApYozxSfoK0RFxU308YGRd5IFOshOQwpiEFjmpSSquDIagVuwK4YinGxDJZT6qk+xYtgOCRaWyUcS3QJ0QOadiaY6vDauWqueFB1p2GyWNcRzP6R041KgddDwVIq99zS9iLZFHoHfYFG2pjs2EvzWOqW21lqHjhODyCZd6Nkr83yONHZ3crghgQzsHingrsPkhTL3UWVXYi0kcTqVdp6CMuf4c4CcmnVbiP8LH0oiFgzYK17wY4f0mJW8ge,iv:XPhzszBiVBpvbI4WuzLKbXxQlg+jioW8M1PA07LFHPI=,tag:B/ZTh/4yzDf7WtOM02blqg==,type:str]
+            public: ENC[AES256_GCM,data:9miSUHEGNvW4dFDNPPcR/J4KGuAvGio7+lH3Bu2qcM379h91Y3R1PEgspQG8IvC6UFBAqAnqDC6G22Ale0+MV9sd9qQUJw6jabDLr63QGu1N5ZeFUL1rGqcQOl/f,iv:2+mntQ3rLM3l/m5tKJoMswkBfe7lKHBL1l1FZkowjtg=,tag:0uopOiMYwh/rFF8e8SRzgg==,type:str]
+        zimeg:
+            private: ENC[AES256_GCM,data:R4aMYjwW+RGdfFdg6fc48tPPea18sKlM5v4N/vBqWHkN4qW1nBoNkGd/ngviT+JRuCAhEAveZFClYuvfwpeJ7QCz1pzqDRK9uNE83br3YPyrhoWFIv3+WAKwp1pQdFPttrzJOY+QqcS2twgADTADfX4hDN77+sKCNE/Lgm59WzUWMCQyTm4H5nPYZe4q1vYAInCYl7v6bfbm17ns55/ulUTtAg6jcWxpe0heXdpdt7uY3EWJDiUpv7my988xWfGOfvwOdLljaLu0eRYMjC4JY0ZFAyqxNP6I5G8kv5HeqPYdv86ftUc9FNiyyDFjVoWY9fGi6029lRkbvpFMOwi9YfEBqMW1QIf+0ERFCOkWjbV7/oJghBpMOQ1kcrZXoAOox317wG9NLkSI1y9e42T6PWrSfNftrewysQvW5D5Y4Y26XgtW/wsNAESLFib6j/Z/eT3CQtW6rO6mLE1MY7IKZ6daEbugdtu/TyK4belMfbvLU4qllxG5NY4bUCXWrlpwuhNpcLj6lZirZnYgBnxL,iv:AnF8m/LcJ9IFYwSvvUL+39JfJWSHdmuQHOteAYQOpa4=,tag:K3Hfyz4nNnM8JGz+ILwqbw==,type:str]
+            public: ENC[AES256_GCM,data:Xm/4F/lJ9cJaY9e+If/B+36u/9NFkJnliqqoaNaTf5yWYIAnj5+dIa6MO68tD4tPokum0ddoF+N7O2l1dwD/hJohiPGrvUHFu6midelpUk70HuByI5BMK8b2fJYt,iv:6FUbzaVUxa/7uOQFJezN/nGr5KG/P+UWolf+wJye6HY=,tag:KVBZYIwIL4FTUR3U4bjpSg==,type:str]
 sops:
     age:
         - recipient: age1ym7363kc42kwm3zr5uqnwsvrqjthypj6k4dxs42cckh6cjl90qyskr05tp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUENBOUF2STJHMVpLT2E5
-            V3U0bkRpZ25Ya0lheGwrYmVONmhPdkcvMkJZCnVoSENuOTJzYnNhdVZ4Q0ZOQzAz
-            SGdDczVyZW9PTEhodmR5UUZqanAvUDQKLS0tIE1oejVqRGtFSndjeklqQ1JBSTNj
-            OEc2RUFIT2hGYVhTSjh4TnB6VTZXZ0EK3vBA/+YIBeFf1ZQ8X8AMS3lcPmqQnnQU
-            qy2hAzJwMO7j5uUaPpfsFaAOCyPpviTT4xUNc876ZVxQUgJCgYVB+w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeFM4bUoybnYydVVCM0xN
+            YnZTTFN5M0M2SzAvWExaWHVKVUNzVy9qUG00CmtTTVRta09HNUV3bTNrTWVCczlK
+            dXpDN1hlaldaaWJsa3ovWkI3TGlkV2cKLS0tIGRxaGpuMmRWR1JiU3htNkVKQ2lQ
+            dlRqRHQ5TVBzT2l1SVVWSkRiZytkQm8KDq9QcFcx4CMZACFSW5yP1zAPAamnmK8U
+            NcZ5cJbqFIcMWFDfd+nV9aMoa1n1aLAfybZ/WkMKbQCfEzpM231snA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-09T05:31:31Z"
-    mac: ENC[AES256_GCM,data:+ztP5fbVTHMthENjil/u2WWs8yuEEW+6O7a//hOohldmRMdKp/DBQ8WOre/RIUGFK7s3EmZ9BuZj1DlpYyCIbACsibh7jsXTZ4PTIZs05yBqyuyhq4+RgnKgiprVDA5CWpnVELnHdgfCBMWSDcTB/rLWZdlCW0WBY5qtHXA1p8E=,iv:eOJTdNp1mfz40zved/GNItxnU0uWVD330kBK8vrGvzk=,tag:fwJ4mu3nFGT7qBRAPYT1nQ==,type:str]
+    lastmodified: "2026-03-29T06:16:31Z"
+    mac: ENC[AES256_GCM,data:AwwjcOAdVyZ9u3WOfdec17Si4dw9n3a45zDcmmFbWLIT+q3UHDwbBXQz/hu71x58CJPQFYaDeW5vgGdtyNpTGeUImCmRmr46fHoDCMliGmVYq/6zLSj0TbfTElSpI6cEiD+9+Yk4yKULFeI5o0YqHUcm4i1AZUXkJtJ5w3Q9rAE=,iv:SWA7WAKosc1UQsGeds/UlQIxht4tEv77CyQtRX7ZEtc=,tag:f++bKIj0H4W9vq5L/nftFA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.2
diff --git a/machines/tim/services/github-runners/README.md b/machines/tim/services/github-runners/README.md
@@ -0,0 +1,7 @@
+# github runners
+
+some runs tim requires a restart:
+
+```sh
+$ sudo launchctl kickstart -k system/org.nixos.github-runner-dotfiles
+```
diff --git a/machines/tim/services/github-runners/default.nix b/machines/tim/services/github-runners/default.nix
@@ -5,22 +5,23 @@
     dotfiles = {
       enable = true;
       ephemeral = true;
+      extraEnvironment = {
+        DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+        GIT_SSH_COMMAND = "ssh -i /run/secrets/github/accounts/theorderingmachine -o StrictHostKeyChecking=accept-new";
+      };
       extraLabels = [
         "tim"
       ];
-      extraEnvironment = {
-        GIT_SSH_COMMAND = "ssh -i /run/secrets/github/ssh -o StrictHostKeyChecking=accept-new";
-      };
       extraPackages = [
         pkgs.openssh # https://github.com/openssh/openssh-portable
         pkgs.fastfetch # https://github.com/fastfetch-cli/fastfetch
       ];
-      group = "dotfiles";
+      group = "_github-runner";
       name = "tim";
       replace = true;
       tokenFile = "/run/secrets/github/runners/dotfiles";
       url = "https://github.com/zimeg/.DOTFILES";
-      user = "dotfiles";
+      user = "_github-runner";
     };
   };
 }
diff --git a/machines/tom/programs/gh/default.nix b/machines/tom/programs/gh/default.nix
@@ -10,12 +10,23 @@
   };
   programs.git = {
     settings = {
+      gpg = {
+        ssh = {
+          allowedSignersFile = "~/.config/git/allowed_signers";
+        };
+      };
       user = {
         email = "tom@deorr.co";
         name = "@theorderingmachine";
       };
     };
+    signing = {
+      key = "~/.ssh/id_ed25519";
+    };
   };
+  home.file.".config/git/allowed_signers".text = ''
+    tom@deorr.co ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGLeFO/h/8B3u8gq6N1s1/sHnQK7Su7+4elRm3eS4W
+  '';
   home.sessionVariables = {
     GITHUB_TOKEN = "$(</run/secrets/github/oauth)";
   };
diff --git a/machines/work/programs/git/default.nix b/machines/work/programs/git/default.nix
@@ -2,10 +2,21 @@
 {
   programs.git = {
     settings = {
+      gpg = {
+        ssh = {
+          allowedSignersFile = "~/.config/git/allowed_signers";
+        };
+      };
       user = {
         email = "eden.zimbelman@salesforce.com";
         name = "Eden Zimbelman";
       };
     };
+    signing = {
+      key = "~/.ssh/id_ed25519";
+    };
   };
+  home.file.".config/git/allowed_signers".text = ''
+    eden.zimbelman@salesforce.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN56hpEg6OYyzNHNm5j8lGNYkE0nHYRIT5Tg1IJZk3oH
+  '';
 }
diff --git a/programs/git/default.nix b/programs/git/default.nix
@@ -64,7 +64,8 @@
       enable = true;
     };
     signing = {
-      format = null;
+      format = "ssh";
+      signByDefault = true;
     };
   };
   home.file.".config/git/mailmap" = {

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`{`
`3`	`3`	`imports = [`
`4`	`4`	`./programs/gh`
	`5`	`+ ./programs/ssh`
`5`	`6`	`./programs/wd`
`6`	`7`	`];`
`7`	`8`	`}`