1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes.

## patches

- `git`: sign commits if ssh verficiations unlock a secret password 2026-03-28
- `codex`: call additional provider for agentic development process 2026-03-28
- `node`: follow the unstable channels for active releases in shell 2026-03-28
- `git`: skip signing commits with default unused as warning appear 2026-03-28
Expand Down
11 changes: 11 additions & 0 deletions machines/puma/programs/git/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,21 @@
{
programs.git = {
settings = {
gpg = {
ssh = {
allowedSignersFile = "~/.config/git/allowed_signers";
};
};
user = {
email = "zim@o526.net";
name = "@zimeg";
};
};
signing = {
key = "~/.ssh/id_ed25519";
};
};
home.file.".config/git/allowed_signers".text = ''
zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZQSWnGNtSoSAaK90h3FYsxTlevad8+BpTzR2DwiT1C
'';
}
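Review bot: The allowed_signers entry written by `home.file.".config/git/allowed_signers"` carries no `namespaces="git"` option, so ssh-keygen accepts that key as a valid signer for any signature namespace rather than only for git commits and tags; the same applies to both entries in machines/tim/programs/gh/default.nix. Proposed form of the line: `zim@o526.net namespaces="git" ssh-ed25519 <public key unchanged>`. The principal matches the configured user.email, which appears to be what git hands to ssh-keygen for verification, so the rest of the entry looks right.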
54 changes: 37 additions & 17 deletions machines/tim/configuration.nix
Original file line number Diff line number Diff line change
Expand Up @@ -54,21 +54,41 @@
};
secrets = {
"github/runners/dotfiles" = {
owner = "dotfiles";
group = "dotfiles";
group = "_github-runner";
owner = "_github-runner";
path = "/run/secrets/github/runners/dotfiles";
};
"github/ssh" = {
"github/theorderingmachine" = {
key = "ssh/private";
owner = "dotfiles";
group = "dotfiles";
group = "_github-runner";
owner = "_github-runner";
path = "/run/secrets/github/theorderingmachine";
};
"ssh/private" = {
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/id_ed25519";
};
"ssh/public" = {
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/id_ed25519.pub";
};
"ssh/private" = {
"ssh/theorderingmachine/private" = {
key = "ssh/private";
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/id_ed25519";
path = "/Users/ez/.ssh/accounts/theorderingmachine";
};
"ssh/theorderingmachine/public" = {
key = "ssh/public";
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/accounts/theorderingmachine.pub";
};
"ssh/zimeg/private" = {
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/accounts/zimeg";
};
"ssh/zimeg/public" = {
owner = input.config.users.users.ez.name;
path = "/Users/ez/.ssh/accounts/zimeg.pub";
};
};
};
Expand All @@ -77,20 +97,20 @@
stateVersion = 5;
};
users = {
knownGroups = [ "dotfiles" ];
knownUsers = [ "dotfiles" ];
knownGroups = [ "_github-runner" ];
knownUsers = [ "_github-runner" ];
groups = {
dotfiles = {
gid = 534;
_github-runner = {
gid = 533;
};
};
users = {
dotfiles = {
createHome = true;
gid = 534;
home = "/private/var/lib/dotfiles";
name = "dotfiles";
uid = 534;
_github-runner = {
createHome = false;
gid = 533;
home = "/private/var/lib/github-runners";
name = "_github-runner";
uid = 533;
};
ez = {
home = /Users/ez;
Expand Down
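Review bot: The runner secret `github/theorderingmachine` and the user secrets `ssh/private` and `ssh/theorderingmachine/private` all resolve to the same vault entry (`key = "ssh/private"` on two of them, the bare name on the third), so one private key now lands at three paths under two owners, and the `_github-runner` account — which presumably executes workflow jobs — holds a copy of the user's personal GitHub key. A compromise of a job on that runner would then expose the full access of the personal account rather than a scoped credential; a dedicated deploy key or a narrowly scoped token for the runner would limit the blast radius. Until then a comment on the runner secret noting that it is a copy of the personal key, e.g. `# same key as ssh/private; replace with a runner-only deploy key`, would keep the sharing visible. The enclosing sops attribute set begins and ends outside the hunk.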
1 change: 1 addition & 0 deletions machines/tim/home.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
{
imports = [
./programs/gh
./programs/ssh
./programs/wd
];
}
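--- a/machines/tim/programs/gh/README.md
+++ b/machines/tim/programs/gh/README.md
@@ -0,0 +1,9 @@
+# gh
+
+swapping accounts in certain projects takes commands:
+
+```sh
+$ git config user.name "@zimeg"
+$ git config user.email "zim@o526.net"
+$ git config user.signingKey "~/.ssh/accounts/zimeg"
+```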
12 changes: 12 additions & 0 deletions machines/tim/programs/gh/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,23 @@
};
};
programs.git = {
signing = {
key = "~/.ssh/accounts/theorderingmachine";
};
settings = {
gpg = {
ssh = {
allowedSignersFile = "~/.config/git/allowed_signers";
};
};
user = {
email = "tom@deorr.co";
name = "@theorderingmachine";
};
};
};
home.file.".config/git/allowed_signers".text = ''
tom@deorr.co ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEZymM2zPOY+aa0nDpUlvWqA5q74zrNS8uzJN6/84DQ
zim@o526.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+dGTTCom1yRR0tjxJSFMSgMpGhAULcMqeTA6dF0hrD
'';
}
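--- a/machines/tim/programs/ssh/default.nix
+++ b/machines/tim/programs/ssh/default.nix
@@ -0,0 +1,15 @@
+# https://github.com/openssh/openssh-portable
+{
+  programs.ssh.matchBlocks = {
+    theorderingmachine = {
+      hostname = "github.com";
+      identitiesOnly = true;
+      identityFile = "~/.ssh/accounts/theorderingmachine";
+    };
+    zimeg = {
+      hostname = "github.com";
+      identitiesOnly = true;
+      identityFile = "~/.ssh/accounts/zimeg";
+    };
+  };
+}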
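Review bot: The two match blocks are keyed by alias rather than by `github.com`, so they only take effect for remotes whose host is the alias (e.g. `git@zimeg:<owner>/<repo>.git`), and nothing in the PR records that; the gh README only shows the git-config half of switching accounts. A comment on each block naming the expected remote form, e.g. `# remote form: git@zimeg:<owner>/<repo>.git`, would make the pairing explicit. `user` is left to be supplied by the remote URL, which seems fine as long as the alias is always used with `git@`; `identitiesOnly = true` correctly stops the agent from offering the other account's key.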
25 changes: 14 additions & 11 deletions machines/tim/secrets/vault.yaml
Original file line number Diff line number Diff line change
@@ -1,21 +1,24 @@
github:
runners:
dotfiles: ENC[AES256_GCM,data:DnuiyzT8zyHIkfd0gds1//PSjv1PSOo/9a/JnFqQLW5QrMxEkQfgi37l2doVP84SDBjJF2vcuYNaoB/MCLUbbDrmh4+xIOLgrB5murLRs6n4n3MrLbefh7lIipeu,iv:LU1quTHniQWWSBtrwsY0dZwqzp58cMYXyvkmBJWgoX8=,tag:M7WjyNC4aj/kgDNrGZhpsA==,type:str]
dotfiles: ENC[AES256_GCM,data:CLkBrlPi2KXyC5uw0Xzvcw6v2pMbbxj/ZPpg9P3F1XQ++mtp6TyjoMwv7JUZxjwxAxU5bMUjmuE9Ge1j4GHHDdTwsEfhhntaZTRUmUCJo1Hy+N4XbQuB/gUuv9c5,iv:4uBGUllCDuVSo0IG6qHb8kHNxQIOnc1YMHHDJwBTinQ=,tag:jhbcKoqGN2U+baJuRbYegA==,type:str]
ssh:
public: ENC[AES256_GCM,data:4sdsm6WRY1ELv8N20zsiCdG19fmyvdWrse7GmYFzlR/MdkIRIWXZLcawEYW6tEk4FOGQDtWc82rSP6dCzAEywYHFrIS4lVzTMztF+5sOaEgcfoqLHuEpc1rOLaRD,iv:Iy6MIjOHkHb1J2Y7M+cDNyWfRIrGdb1HMFZEQkXl/Xk=,tag:7IXbitgZEFTnrMHOym2WJg==,type:str]
private: ENC[AES256_GCM,data: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,iv:KTjokJcK0hcLx0yaWswdPioMJc0+bHYbpcuFm6o99D4=,tag:FtDChakJm1ox8sJ3LJC0ww==,type:str]
private: ENC[AES256_GCM,data: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,iv:+lyyTfwd5xfvBmaBYvAHLUNPBUy6poPgWHqFTPxstU8=,tag:mFZhOBZrtsbakWDBKHjdiw==,type:str]
public: ENC[AES256_GCM,data:n7DxJLpXqvuEJvNbowj/YvmkOeeDHx2LZe+ibg4hfHfCr6Gf/MXm5m3VgEAVQGOUiJm9cteXeP8GiW9vOTo6DpF9luu9lOWMdQoGutJ5PHsL/U3zBTN9FLFope9A,iv:9P9Tn5tSQS/4tC8g4npD2cADW2wt+ftfHVPLtjXq8e8=,tag:l+WOCb/ijffslXtqekBCqQ==,type:str]
zimeg:
private: ENC[AES256_GCM,data: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,iv:O9CM2/4JRDEP5rbL90iTb2xUSkJtl1JaBoXJTCPFN08=,tag:r+Wu4nIW5113sShO5ntwfg==,type:str]
public: ENC[AES256_GCM,data:VgiB5Zw3uUady+V2Qm2UESLJYyIeiDsYdqNLmnKP0NU0CjFsZtR5eO8ps5C3BOXG/5QwDonuFgrTWVTxDZgymAzNySxKrUwCKgN+8s6JHnJzFQjFDKJclYIAAkgS,iv:wGSgGs50ZtByocZPLeL1nPFM83oFE5sD2Ockrr/WVdw=,tag:5i0hpvW0yZkqMtIpTJij+w==,type:str]
sops:
age:
- recipient: age1ym7363kc42kwm3zr5uqnwsvrqjthypj6k4dxs42cckh6cjl90qyskr05tp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUENBOUF2STJHMVpLT2E5
V3U0bkRpZ25Ya0lheGwrYmVONmhPdkcvMkJZCnVoSENuOTJzYnNhdVZ4Q0ZOQzAz
SGdDczVyZW9PTEhodmR5UUZqanAvUDQKLS0tIE1oejVqRGtFSndjeklqQ1JBSTNj
OEc2RUFIT2hGYVhTSjh4TnB6VTZXZ0EK3vBA/+YIBeFf1ZQ8X8AMS3lcPmqQnnQU
qy2hAzJwMO7j5uUaPpfsFaAOCyPpviTT4xUNc876ZVxQUgJCgYVB+w==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeFM4bUoybnYydVVCM0xN
YnZTTFN5M0M2SzAvWExaWHVKVUNzVy9qUG00CmtTTVRta09HNUV3bTNrTWVCczlK
dXpDN1hlaldaaWJsa3ovWkI3TGlkV2cKLS0tIGRxaGpuMmRWR1JiU3htNkVKQ2lQ
dlRqRHQ5TVBzT2l1SVVWSkRiZytkQm8KDq9QcFcx4CMZACFSW5yP1zAPAamnmK8U
NcZ5cJbqFIcMWFDfd+nV9aMoa1n1aLAfybZ/WkMKbQCfEzpM231snA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-09T05:31:31Z"
mac: ENC[AES256_GCM,data:+ztP5fbVTHMthENjil/u2WWs8yuEEW+6O7a//hOohldmRMdKp/DBQ8WOre/RIUGFK7s3EmZ9BuZj1DlpYyCIbACsibh7jsXTZ4PTIZs05yBqyuyhq4+RgnKgiprVDA5CWpnVELnHdgfCBMWSDcTB/rLWZdlCW0WBY5qtHXA1p8E=,iv:eOJTdNp1mfz40zved/GNItxnU0uWVD330kBK8vrGvzk=,tag:fwJ4mu3nFGT7qBRAPYT1nQ==,type:str]
lastmodified: "2026-03-29T02:57:50Z"
mac: ENC[AES256_GCM,data:vh7/Oq4Q547txi/UqQcHsJHoWOmE0VmHlbFppr2uKh53cPIPNhQJBxDYWLpb4dykcTlUT3iQQgw4R4WrriFwv/gNd+hQsAox28G3N9PIkTGlBLeH8tXWdvj+oWgW58BD16TMDwt0RtNRAUMBtHf/ofxwGj7PeYHU0Nc6GrjaPy8=,iv:Gwj2N9ZRpUT9JlBaLZ//7pHaUM3JU/moBVBXuihsXW8=,tag:hQjACt11tKOR+XlPSn/61g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.12.2
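--- a/machines/tim/services/github-runners/README.md
+++ b/machines/tim/services/github-runners/README.md
@@ -0,0 +1,7 @@
+# github runners
+
+some runs tim requires a restart:
+
+```sh
+$ sudo launchctl kickstart -k system/org.nixos.github-runner-dotfiles
+```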
11 changes: 6 additions & 5 deletions machines/tim/services/github-runners/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -5,22 +5,23 @@
dotfiles = {
enable = true;
ephemeral = true;
extraEnvironment = {
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "1";
🔭 note: This fixed an odd issue stopping authentication

GIT_SSH_COMMAND = "ssh -i /run/secrets/github/theorderingmachine -o StrictHostKeyChecking=accept-new";
};
extraLabels = [
"tim"
];
extraEnvironment = {
GIT_SSH_COMMAND = "ssh -i /run/secrets/github/ssh -o StrictHostKeyChecking=accept-new";
};
extraPackages = [
pkgs.openssh # https://github.com/openssh/openssh-portable
pkgs.fastfetch # https://github.com/fastfetch-cli/fastfetch
];
group = "dotfiles";
group = "_github-runner";
👾 note: We revert 4a97d67 to find expected logs.

name = "tim";
replace = true;
tokenFile = "/run/secrets/github/runners/dotfiles";
url = "https://github.com/zimeg/.DOTFILES";
user = "dotfiles";
user = "_github-runner";
};
};
}
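Review bot: `StrictHostKeyChecking=accept-new` in GIT_SSH_COMMAND trusts whatever host key github.com presents on the runner's first connection and stores it in the `_github-runner` user's known_hosts; with `createHome = false` and `ephemeral = true` it is unclear from the hunk where that file lives or whether it survives, so the trust-on-first-use step may be repeated on every fresh runner. Pinning GitHub's published host key in a file managed by this module would remove the TOFU window: `GIT_SSH_COMMAND = "ssh -i /run/secrets/github/theorderingmachine -o UserKnownHostsFile=<managed-known-hosts-file> -o StrictHostKeyChecking=yes";`. The runner definition continues outside the hunk.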
11 changes: 11 additions & 0 deletions machines/tom/programs/git/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,16 @@
{
programs.git = {
enable = true;
config = {
commit = {
gpgSign = true;
};
gpg = {
format = "ssh";
};
user = {
signingKey = "~/.ssh/id_ed25519";
};
};
};
}
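Review bot: This machine configures signing through `programs.git.config` (`commit.gpgSign`, `gpg.format`, `user.signingKey`) while puma, tim and work in the same PR set `programs.git.signing.key` under what looks like the home-manager module. If tom is a system-level git module the different option names are expected, but a one-line comment saying so would stop a later reader from "fixing" it: `# system-level programs.git: signing is set via config.*, not the home-manager signing.* options`. The enclosing attribute set closes inside the hunk, so nothing else is affected.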
3 changes: 3 additions & 0 deletions machines/work/programs/git/default.nix
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
# https://github.com/git/git
{
programs.git = {
signing = {
key = "~/.ssh/id_ed25519";
};
settings = {
user = {
email = "eden.zimbelman@salesforce.com";
Expand Down
3 changes: 2 additions & 1 deletion programs/git/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,8 @@
enable = true;
};
signing = {
format = null;
format = "ssh";
signByDefault = true;
};
};
home.file.".config/git/mailmap" = {
Expand Down
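Review bot: `signByDefault = true` together with `format = "ssh"` now forces signing of every commit on each machine that imports this shared module, but the key is supplied per machine (puma, tim and work in this PR). A machine that imports the module without setting `signing.key` will, as far as the hunk shows, leave git to fall back to `gpg.ssh.defaultKeyCommand`, which is not configured here, so commits there will likely fail until a key is added. A comment recording that contract would help, e.g. `# every machine importing this must set signing.key (or configure gpg.ssh.defaultKeyCommand)`. The enclosing programs.git attribute set starts and ends outside the hunk.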