diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc23ef2..60b12a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes. ## patches
+- `git`: sign commits if ssh verficiations unlock a secret password 2026-03-28
 - `codex`: call additional provider for agentic development process 2026-03-28
 - `node`: follow the unstable channels for active releases in shell 2026-03-28
 - `git`: skip signing commits with default unused as warning appear 2026-03-28
diff --git a/machines/puma/programs/git/default.nix b/machines/puma/programs/git/default.nix
index 10237fe..1bd7574 100644
--- a/machines/puma/programs/git/default.nix
+++ b/machines/puma/programs/git/default.nix
@@ -2,10 +2,21 @@
 {
 programs.git = {
 settings = {
+ gpg = {
+ ssh = {
+ allowedSignersFile = "~/.config/git/allowed_signers";
+ };
+ };
 user = {
 email = "zim@o526.net";
 name = "@zimeg";
 };
 };
+ signing = {
+ key = "~/.ssh/id_ed25519";
+ };
 };
+ home.file.".config/git/allowed_signers".text = ''
+ zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZQSWnGNtSoSAaK90h3FYsxTlevad8+BpTzR2DwiT1C
+ '';
 }
diff --git a/machines/tim/configuration.nix b/machines/tim/configuration.nix
index 64f1460..811218e 100644
--- a/machines/tim/configuration.nix
+++ b/machines/tim/configuration.nix
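Review bot: The puma hunk sets `signing.key = "~/.ssh/id_ed25519"` and an `allowedSignersFile`, but nothing in it selects SSH as the signing format or switches signing on, so unless that lives elsewhere `git commit -S` would pass the key path to gpg (I believe recent Home Manager releases default `signing.format` to openpgp when unset; worth checking against the pinned revision). Adding `signing.format = "ssh";` next to `key`, plus `signing.signByDefault = true;` if the changelog's "sign commits" entry is meant literally, makes the intent explicit. `gpg.ssh.allowedSignersFile` only governs verification (`git log --show-signature`), not which key signs. The same pattern appears in machines/tim/programs/gh/default.nix and machines/tom/programs/gh/default.nix later in this diff.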
@@ -54,22 +54,42 @@
 };
 secrets = {
 "github/runners/dotfiles" = {
- owner = "dotfiles";
- group = "dotfiles";
+ group = "_github-runner";
+ owner = "_github-runner";
+ path = "/run/secrets/github/runners/dotfiles";
 };
- "github/ssh" = {
- key = "ssh/private";
- owner = "dotfiles";
- group = "dotfiles";
+ "github/accounts/theorderingmachine" = {
+ key = "ssh/accounts/theorderingmachine/private";
+ group = "_github-runner";
+ owner = "_github-runner";
+ path = "/run/secrets/github/accounts/theorderingmachine";
 };
- "ssh/public" = {
+ "ssh/accounts/theorderingmachine/private" = {
 owner = input.config.users.users.ez.name;
- path = "/Users/ez/.ssh/id_ed25519.pub";
+ path = "/Users/ez/.ssh/accounts/theorderingmachine";
+ };
+ "ssh/accounts/theorderingmachine/public" = {
+ owner = input.config.users.users.ez.name;
+ path = "/Users/ez/.ssh/accounts/theorderingmachine.pub";
+ };
+ "ssh/accounts/zimeg/private" = {
+ owner = input.config.users.users.ez.name;
+ path = "/Users/ez/.ssh/accounts/zimeg";
 };
- "ssh/private" = {
+ "ssh/accounts/zimeg/public" = {
+ owner = input.config.users.users.ez.name;
+ path = "/Users/ez/.ssh/accounts/zimeg.pub";
+ };
+ "ssh/default/private" = {
+ key = "ssh/accounts/theorderingmachine/private";
 owner = input.config.users.users.ez.name;
 path = "/Users/ez/.ssh/id_ed25519";
 };
+ "ssh/default/public" = {
+ key = "ssh/accounts/theorderingmachine/public";
+ owner = input.config.users.users.ez.name;
+ path = "/Users/ez/.ssh/id_ed25519.pub";
+ };
 };
 };
 system = {
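Review bot: `"github/accounts/theorderingmachine"` and `"ssh/default/private"` both point `key` at `ssh/accounts/theorderingmachine/private`, so the runner user `_github-runner` receives a copy of the very private key that is installed as ez's `~/.ssh/id_ed25519` and `~/.ssh/accounts/theorderingmachine`. Every job scheduled onto that runner executes as `_github-runner` and can read `/run/secrets/github/accounts/theorderingmachine`, which makes a compromised workflow equivalent to losing the personal account key. A key generated only for the runner and registered as a read-only deploy key on the single repository it clones would cap the blast radius, and then only that key needs to exist under `/run/secrets/github/`. The enclosing `sops` attrset opens before the hunk.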
@@ -77,20 +97,20 @@
 stateVersion = 5;
 };
 users = {
- knownGroups = [ "dotfiles" ];
- knownUsers = [ "dotfiles" ];
+ knownGroups = [ "_github-runner" ];
+ knownUsers = [ "_github-runner" ];
 groups = {
- dotfiles = {
- gid = 534;
+ _github-runner = {
+ gid = 533;
 };
 };
 users = {
- dotfiles = {
- createHome = true;
- gid = 534;
- home = "/private/var/lib/dotfiles";
- name = "dotfiles";
- uid = 534;
+ _github-runner = {
+ createHome = false;
+ gid = 533;
+ home = "/private/var/lib/github-runners";
+ name = "_github-runner";
+ uid = 533;
 };
 ez = {
 home = /Users/ez;
diff --git a/machines/tim/home.nix b/machines/tim/home.nix
index 4157545..f63b1ac 100644
--- a/machines/tim/home.nix
+++ b/machines/tim/home.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./programs/gh
+ ./programs/ssh
 ./programs/wd
 ];
 }
diff --git a/machines/tim/programs/gh/README.md b/machines/tim/programs/gh/README.md
new file mode 100644
index 0000000..49a9825
--- /dev/null
+++ b/machines/tim/programs/gh/README.md
@@ -0,0 +1,9 @@
+# gh
+
+swapping accounts in certain projects takes commands:
+
+```sh
+$ git config user.name "@zimeg"
+$ git config user.email "zim@o526.net"
+$ git config user.signingKey "~/.ssh/accounts/zimeg"
+```
diff --git a/machines/tim/programs/gh/default.nix b/machines/tim/programs/gh/default.nix
index 456eadc..ea46d98 100644
--- a/machines/tim/programs/gh/default.nix
+++ b/machines/tim/programs/gh/default.nix
@@ -10,10 +10,22 @@
 };
 programs.git = {
 settings = {
+ gpg = {
+ ssh = {
+ allowedSignersFile = "~/.config/git/allowed_signers";
+ };
+ };
 user = {
 email = "tom@deorr.co";
 name = "@theorderingmachine";
 };
 };
+ signing = {
+ key = "~/.ssh/accounts/theorderingmachine";
+ };
 };
+ home.file.".config/git/allowed_signers".text = ''
+ tom@deorr.co ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEZymM2zPOY+aa0nDpUlvWqA5q74zrNS8uzJN6/84DQ
+ zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+dGTTCom1yRR0tjxJSFMSgMpGhAULcMqeTA6dF0hrD
+ '';
 }
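Review bot: `dotfiles` is dropped from `knownUsers`/`knownGroups` in the same step that its `groups`/`users` entries are deleted, so, if I read nix-darwin's semantics correctly, the uid/gid 534 account and its `/private/var/lib/dotfiles` home are left on the host rather than removed. Keeping `"dotfiles"` in `knownUsers`/`knownGroups` for one activation (or removing the account by hand) avoids an orphaned local user with a stale home directory. `createHome = false` together with `home = "/private/var/lib/github-runners"` presumably relies on something else creating that directory with `_github-runner` ownership; a comment such as `# home is created by the github-runners service, not by nix-darwin` would say what. The `users.users` attrset continues past the end of the hunk.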
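Review bot: The allowed_signers written in machines/tim/programs/gh/default.nix lists `zim@o526.net` with the key ending `…dF0hrD`, while the puma hunk earlier in this diff lists the same principal with the key ending `…DwiT1C`; each machine trusts only the keys in its own file, so a commit signed on puma shows as unverified on tim and vice versa. If cross-machine verification is wanted, every host's signing public key should appear under the principal on every host (a second `zim@o526.net ssh-ed25519 …` line here), and since the allowed_signers format ignores lines starting with `#`, a comment naming which key belongs to which host can live in the file itself. The outer attrset of this file opens before the hunk.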
diff --git a/machines/tim/programs/ssh/default.nix b/machines/tim/programs/ssh/default.nix
new file mode 100644
index 0000000..082f757
--- /dev/null
+++ b/machines/tim/programs/ssh/default.nix
@@ -0,0 +1,15 @@
+# https://github.com/openssh/openssh-portable
+{
+ programs.ssh.matchBlocks = {
+ theorderingmachine = {
+ hostname = "github.com";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/accounts/theorderingmachine";
+ };
+ zimeg = {
+ hostname = "github.com";
+ identitiesOnly = true;
+ identityFile = "~/.ssh/accounts/zimeg";
+ };
+ };
+}
diff --git a/machines/tim/secrets/vault.yaml b/machines/tim/secrets/vault.yaml
index 7c3da59..4c0dc1c 100644
--- a/machines/tim/secrets/vault.yaml
+++ b/machines/tim/secrets/vault.yaml
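Review bot: Neither match block sets `user = "git"`, so a remote written as `theorderingmachine:owner/repo` would connect with the local login name unless the URL spells out `git@theorderingmachine:…`. Adding `user = "git";` to both blocks makes each alias self-contained. `identitiesOnly = true` with an explicit `identityFile` is the right shape here: it stops ssh from offering every agent key to github.com, which is what lets the two aliases select distinct GitHub identities.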
@@ -1,21 +1,26 @@ github: runners: - dotfiles: ENC[AES256_GCM,data:DnuiyzT8zyHIkfd0gds1//PSjv1PSOo/9a/JnFqQLW5QrMxEkQfgi37l2doVP84SDBjJF2vcuYNaoB/MCLUbbDrmh4+xIOLgrB5murLRs6n4n3MrLbefh7lIipeu,iv:LU1quTHniQWWSBtrwsY0dZwqzp58cMYXyvkmBJWgoX8=,tag:M7WjyNC4aj/kgDNrGZhpsA==,type:str] + dotfiles: ENC[AES256_GCM,data:CLkBrlPi2KXyC5uw0Xzvcw6v2pMbbxj/ZPpg9P3F1XQ++mtp6TyjoMwv7JUZxjwxAxU5bMUjmuE9Ge1j4GHHDdTwsEfhhntaZTRUmUCJo1Hy+N4XbQuB/gUuv9c5,iv:4uBGUllCDuVSo0IG6qHb8kHNxQIOnc1YMHHDJwBTinQ=,tag:jhbcKoqGN2U+baJuRbYegA==,type:str] ssh: - public: ENC[AES256_GCM,data:4sdsm6WRY1ELv8N20zsiCdG19fmyvdWrse7GmYFzlR/MdkIRIWXZLcawEYW6tEk4FOGQDtWc82rSP6dCzAEywYHFrIS4lVzTMztF+5sOaEgcfoqLHuEpc1rOLaRD,iv:Iy6MIjOHkHb1J2Y7M+cDNyWfRIrGdb1HMFZEQkXl/Xk=,tag:7IXbitgZEFTnrMHOym2WJg==,type:str] - private: ENC[AES256_GCM,data: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,iv:KTjokJcK0hcLx0yaWswdPioMJc0+bHYbpcuFm6o99D4=,tag:FtDChakJm1ox8sJ3LJC0ww==,type:str] + accounts: + theorderingmachine: + private: ENC[AES256_GCM,data:YiLC08VqAkNasy50FK0IwOwe4o/0S4eQ7ElXEnhTrLeK94Qk/IpSiw3D5EVY7E8JmydBQsBT7M4M6Qx3TXNMq//1kaPbQPQkSKIw1Dv/hf1I5OVAeXiP8DMLy3vcWDMutZptjdt0OCkAzh9pCvU52dtKu1zUWkh05KEuHOiXso7bcihL/B9EeqjPpnUxzk/cgOx80gFmjH2yr7YH1kzo+0d00FI1rRh0xicIefD3HBB8o3gx4LDWUp8x1ICft+OrXIRO7ly7zLJXsxtyPZmEH3U0SApYozxSfoK0RFxU308YGRd5IFOshOQwpiEFjmpSSquDIagVuwK4YinGxDJZT6qk+xYtgOCRaWyUcS3QJ0QOadiaY6vDauWqueFB1p2GyWNcRzP6R041KgddDwVIq99zS9iLZFHoHfYFG2pjs2EvzWOqW21lqHjhODyCZd6Nkr83yONHZ3crghgQzsHingrsPkhTL3UWVXYi0kcTqVdp6CMuf4c4CcmnVbiP8LH0oiFgzYK17wY4f0mJW8ge,iv:XPhzszBiVBpvbI4WuzLKbXxQlg+jioW8M1PA07LFHPI=,tag:B/ZTh/4yzDf7WtOM02blqg==,type:str] + public: ENC[AES256_GCM,data:9miSUHEGNvW4dFDNPPcR/J4KGuAvGio7+lH3Bu2qcM379h91Y3R1PEgspQG8IvC6UFBAqAnqDC6G22Ale0+MV9sd9qQUJw6jabDLr63QGu1N5ZeFUL1rGqcQOl/f,iv:2+mntQ3rLM3l/m5tKJoMswkBfe7lKHBL1l1FZkowjtg=,tag:0uopOiMYwh/rFF8e8SRzgg==,type:str] + zimeg: + private: 
ENC[AES256_GCM,data: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,iv:AnF8m/LcJ9IFYwSvvUL+39JfJWSHdmuQHOteAYQOpa4=,tag:K3Hfyz4nNnM8JGz+ILwqbw==,type:str] + public: ENC[AES256_GCM,data:Xm/4F/lJ9cJaY9e+If/B+36u/9NFkJnliqqoaNaTf5yWYIAnj5+dIa6MO68tD4tPokum0ddoF+N7O2l1dwD/hJohiPGrvUHFu6midelpUk70HuByI5BMK8b2fJYt,iv:6FUbzaVUxa/7uOQFJezN/nGr5KG/P+UWolf+wJye6HY=,tag:KVBZYIwIL4FTUR3U4bjpSg==,type:str] sops: age: - recipient: age1ym7363kc42kwm3zr5uqnwsvrqjthypj6k4dxs42cckh6cjl90qyskr05tp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUENBOUF2STJHMVpLT2E5 - V3U0bkRpZ25Ya0lheGwrYmVONmhPdkcvMkJZCnVoSENuOTJzYnNhdVZ4Q0ZOQzAz - SGdDczVyZW9PTEhodmR5UUZqanAvUDQKLS0tIE1oejVqRGtFSndjeklqQ1JBSTNj - OEc2RUFIT2hGYVhTSjh4TnB6VTZXZ0EK3vBA/+YIBeFf1ZQ8X8AMS3lcPmqQnnQU - qy2hAzJwMO7j5uUaPpfsFaAOCyPpviTT4xUNc876ZVxQUgJCgYVB+w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeFM4bUoybnYydVVCM0xN + YnZTTFN5M0M2SzAvWExaWHVKVUNzVy9qUG00CmtTTVRta09HNUV3bTNrTWVCczlK + dXpDN1hlaldaaWJsa3ovWkI3TGlkV2cKLS0tIGRxaGpuMmRWR1JiU3htNkVKQ2lQ + dlRqRHQ5TVBzT2l1SVVWSkRiZytkQm8KDq9QcFcx4CMZACFSW5yP1zAPAamnmK8U + NcZ5cJbqFIcMWFDfd+nV9aMoa1n1aLAfybZ/WkMKbQCfEzpM231snA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-09T05:31:31Z" - mac: ENC[AES256_GCM,data:+ztP5fbVTHMthENjil/u2WWs8yuEEW+6O7a//hOohldmRMdKp/DBQ8WOre/RIUGFK7s3EmZ9BuZj1DlpYyCIbACsibh7jsXTZ4PTIZs05yBqyuyhq4+RgnKgiprVDA5CWpnVELnHdgfCBMWSDcTB/rLWZdlCW0WBY5qtHXA1p8E=,iv:eOJTdNp1mfz40zved/GNItxnU0uWVD330kBK8vrGvzk=,tag:fwJ4mu3nFGT7qBRAPYT1nQ==,type:str] + lastmodified: "2026-03-29T06:16:31Z" + mac: ENC[AES256_GCM,data:AwwjcOAdVyZ9u3WOfdec17Si4dw9n3a45zDcmmFbWLIT+q3UHDwbBXQz/hu71x58CJPQFYaDeW5vgGdtyNpTGeUImCmRmr46fHoDCMliGmVYq/6zLSj0TbfTElSpI6cEiD+9+Yk4yKULFeI5o0YqHUcm4i1AZUXkJtJ5w3Q9rAE=,iv:SWA7WAKosc1UQsGeds/UlQIxht4tEv77CyQtRX7ZEtc=,tag:f++bKIj0H4W9vq5L/nftFA==,type:str] unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.12.2 
diff --git a/machines/tim/services/github-runners/README.md b/machines/tim/services/github-runners/README.md
new file mode 100644
index 0000000..132007c
--- /dev/null
+++ b/machines/tim/services/github-runners/README.md
@@ -0,0 +1,7 @@
+# github runners
+
+some runs tim requires a restart:
+
+```sh
+$ sudo launchctl kickstart -k system/org.nixos.github-runner-dotfiles
+```
diff --git a/machines/tim/services/github-runners/default.nix b/machines/tim/services/github-runners/default.nix
index 032f09c..e4b4d10 100644
--- a/machines/tim/services/github-runners/default.nix
+++ b/machines/tim/services/github-runners/default.nix
@@ -5,22 +5,23 @@
 dotfiles = {
 enable = true;
 ephemeral = true;
+ extraEnvironment = {
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
+ GIT_SSH_COMMAND = "ssh -i /run/secrets/github/accounts/theorderingmachine -o StrictHostKeyChecking=accept-new";
+ };
 extraLabels = [ "tim" ];
- extraEnvironment = {
- GIT_SSH_COMMAND = "ssh -i /run/secrets/github/ssh -o StrictHostKeyChecking=accept-new";
- };
 extraPackages = [
 pkgs.openssh # https://github.com/openssh/openssh-portable
 pkgs.fastfetch # https://github.com/fastfetch-cli/fastfetch
 ];
- group = "dotfiles";
+ group = "_github-runner";
 name = "tim";
 replace = true;
 tokenFile = "/run/secrets/github/runners/dotfiles";
 url = "https://github.com/zimeg/.DOTFILES";
- user = "dotfiles";
+ user = "_github-runner";
 };
 };
 }
diff --git a/machines/tom/programs/gh/default.nix b/machines/tom/programs/gh/default.nix
index 4094cd1..09f9e81 100644
--- a/machines/tom/programs/gh/default.nix
+++ b/machines/tom/programs/gh/default.nix
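Review bot: `GIT_SSH_COMMAND` relies on `StrictHostKeyChecking=accept-new`, which trusts whatever host key github.com presents on first contact and records it in `_github-runner`'s known_hosts; with `ephemeral = true` and a home directory that nix-darwin does not create (`createHome = false` in machines/tim/configuration.nix), it is not obvious from this diff that anything persists between jobs, so each job may be a fresh first contact. Pinning GitHub's published host keys — via nix-darwin's `programs.ssh.knownHosts` or a `-o UserKnownHostsFile=<pinned-known-hosts-path>` on this command — and then using `StrictHostKeyChecking=yes` removes that window. Adding `-o IdentitiesOnly=yes` next to `-i` would also keep a stray agent from offering other keys. The enclosing `services.github-runners` attrset opens before the hunk.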
@@ -10,12 +10,23 @@
 };
 programs.git = {
 settings = {
+ gpg = {
+ ssh = {
+ allowedSignersFile = "~/.config/git/allowed_signers";
+ };
+ };
 user = {
 email = "tom@deorr.co";
 name = "@theorderingmachine";
 };
 };
+ signing = {
+ key = "~/.ssh/id_ed25519";
+ };
 };
+ home.file.".config/git/allowed_signers".text = ''
+ tom@deorr.co ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWGLeFO/h/8B3u8gq6N1s1/sHnQK7Su7+4elRm3eS4W
+ '';
 home.sessionVariables = {
 GITHUB_TOKEN = "$(