From 87ad449cc22a6e5ec84c77fbe46f0a75dfff706e Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Sun, 15 Oct 2023 15:44:55 +0800
Subject: [PATCH] secrets,nix: add nix access tokens

---
 users/guanranwang/nixos.nix | 9 +++++++--
 users/guanranwang/secrets/secrets.yaml | 6 ++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/users/guanranwang/nixos.nix b/users/guanranwang/nixos.nix
index eb25e81..032d115 100644
--- a/users/guanranwang/nixos.nix
+++ b/users/guanranwang/nixos.nix
@@ -4,7 +4,7 @@
 users.users."guanranwang" = {
 isNormalUser = true;
 description = "Guanran Wang";
- extraGroups = [ "wheel" "networkmanager" "tss" ]; # tss = access to tpm devices
+ extraGroups = [ "wheel" "networkmanager" "tss" "nix-access-tokens" ]; # tss = access to tpm devices
 hashedPasswordFile = config.sops.secrets."hashed-passwd".path;
 shell = pkgs.fish;
 packages = [];
@@ -22,6 +22,8 @@
 ### home-manager
 home-manager.users.guanranwang = import ./home-manager/nixos;
 ### sops-nix
+ nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
+ users.groups."nix-access-tokens" = {};
 sops = {
 defaultSopsFile = ./secrets/secrets.yaml;
 age.sshKeyPaths = [ "/nix/persist/system/etc/ssh/ssh_host_ed25519_key" ];
@@ -29,8 +31,11 @@
 secrets = {
 "hashed-passwd".neededForUsers = true; # Hashed user password
 "wireless/home".path = "/var/lib/iwd/wangxiaobo.psk"; # Home wifi password
+ "nix-access-tokens" = {
+ group = config.users.groups."nix-access-tokens".name;
+ mode = "0440";
+ };
 "clash-config" = { # Clash.Meta configuration
- #mode = "0444"; # readable
 owner = config.users.users."clash-meta".name;
 group = config.users.users."clash-meta".group;
 restartUnits = [ "clash-meta.service" ];
diff --git a/users/guanranwang/secrets/secrets.yaml b/users/guanranwang/secrets/secrets.yaml
index bd0d6ad..72099de 100644
--- a/users/guanranwang/secrets/secrets.yaml
+++ b/users/guanranwang/secrets/secrets.yaml
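Review bot: The added `nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";` uses the lenient `!include` form, which Nix silently skips when the file is missing, so if sops-nix cannot decrypt the secret (for example, if the age host key it points at is unavailable) nix.conf loads with no access-tokens at all and private fetches later fail with a generic authentication error rather than a configuration error. The strict `include` would fail every `nix` invocation loudly at parse time instead; whichever is intended, record the choice next to the line, e.g. `# !include (not include): tolerate a missing secret so nix keeps working if sops cannot decrypt`. Keeping only the secret's path, not the tokens, in the world-readable nix.conf is the right shape. As a point of style, both new lines sit under the `### sops-nix` heading although `users.groups."nix-access-tokens" = {};` has nothing to do with sops; placing it next to the user definition in the first hunk, or giving it its own heading, would keep the section labels accurate.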
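Review bot: The new `"nix-access-tokens"` secret is the only entry in this `secrets = {` block without a trailing comment, while its siblings document what they hold (`# Hashed user password`, `# Home wifi password`); add `"nix-access-tokens" = { # nix.conf access-tokens, group-readable so unprivileged nix clients can parse the !include` so a reader sees why it departs from the root-only default. With `mode = "0440"` and guanranwang added to that group in the first hunk, every process running as that user can read the tokens, which is presumably what lets user-level `nix` commands apply them; that is inherent to the design but is worth stating beside the mode rather than leaving it implicit. The `secrets = {` attribute set continues past the end of the hunk.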
@@ -1,5 +1,7 @@
 #ENC[AES256_GCM,data:foyB70p8iklGCcX/ybRiMKVWDohm,iv:d42fIurrsZ3wL7e6dowyMXyN1dduRQWNKeqM1AKPzDk=,tag:LXUJOv4GOmI+6l2qcMwBUQ==,type:comment]
 hashed-passwd: ENC[AES256_GCM,data:aXK4GlXTJAHjw/fpwBYWUnKtaHhxYI/anpQZgUI8tYoSw7qRhAdfO84FoUSEGvqin0889dmtXGqFErBK1Q8TQpBh5DX2VVmeWg==,iv:rs2uBRdhKBUrwFIgJrAgt1lqyyDTP1HXNQvy3k3ANTc=,tag:aTIA9fB7MUNI0tNkBxLQJg==,type:str]
+#ENC[AES256_GCM,data:+EOgpndwI/KdAI7qsh6w35gx,iv:mhr3AuN/zpkSnXSwDcAHeNz71l/XBYGnIAeTiC5Rldo=,tag:2XW+tocIkD1tYrXluxD0iQ==,type:comment]
+nix-access-tokens: ENC[AES256_GCM,data:jbh84h/tNCj85Vaq0DiffrxzBWyKgGZsmhj3D/D7Iod6wXnXkY+vctJLgo6h4BVEU6PXVIMWFJzTovjkgmzOCA+jWXw1RBl3XskwLLY9uRArHi77Dfxm1k/ZnPL6T77ZnHVwYBbzxf3+zoFLCcrWZWqHkIcFOoMd,iv:LJED9JArmGPP9AIfXHhUiicDSa8DyP1cV2POhdTM+CY=,tag:4NJK+KAw1q2iQ0ZnreQuAA==,type:str]
 #ENC[AES256_GCM,data:Twmef9H4w9Ay/RrX9jWay1Bj3b8=,iv:ZFSSskG0NNSpJ/0MbUIUZtaYT6haq4pH/A9RsuoFqks=,tag:4A3AmDjzMGwHT96fy00k0A==,type:comment]
 wireless:
 home: ENC[AES256_GCM,data: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,iv:znowKErkz/f72SvyBa5/TN52mc0Ks4XoxNY/5rcihCI=,tag:4pHdKBYfQ0A+y3ZrTfpFjg==,type:str]
@@ -30,8 +32,8 @@ sops:
 bEdVQ0dicTVaRkJUNFB0d3Y1S1hmL3MKFVPyIyjRkQcdimUE/tWxQzQU1cqkB5lN
 o+7a8JuA5gOxG7OInWbfkDe9/wSFCJW2S5z9jON/tLy6atPdmPYUdg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-10-12T14:17:18Z"
- mac: ENC[AES256_GCM,data:JEtG8NcT5KK9VQIJxCRpjtHtwngf8qC4oLoV9MoxD7t1UPQVlpKrxCOhby/zvlKzTc0nTLc/sEOF7VAXclICXZGLiYZxL2iWf7sBG8MWdFAEVkZADOTSNvofrbkuP8RJQpJzvyKBAwmhHTR14N2y1voo7f7zNjfyE+8Vu2PL5m4=,iv:8N1wjSTqGIH9PFzy7X6wvKBGGP76EvhPp1KQ7Fk2QBA=,tag:W0LOQA3rQvZZcI5D52LI+A==,type:str]
+ lastmodified: "2023-10-14T08:37:22Z"
+ mac: ENC[AES256_GCM,data:1JWQyLehqUDDGmFRx/ticbDUCs7yyxzP5gQO1LB9BLGxr5AFXYhO/5+NZbmo4087Bl+mkZ2vopg5ZlIG8npYdBmeNvlXQfPjbfnw4GSnwomPKWvYpY5uBCnazxaJFIavK67EgdVLIIkLiL9F7RjMrNCvjj1LXZSxA8eRxysuloA=,iv:qqTEQURJ5G52jnZXI4rvWJKPArNLvNo/+1P+rfcj+7M=,tag:6xj9LraD3j4n+w6c3Ju66A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.0