authorFranck Cuny <franck@fcuny.net>2025-06-08 20:01:34 -0700
committerFranck Cuny <franck@fcuny.net>2025-06-08 20:01:34 -0700
commitf67e56485509ce87bfc8d079813261848037104d (patch)
tree5478931cfaa2133939154821ee7f8b75149b3d07
parentinstall agenix again (diff)
downloadinfra-f67e56485509ce87bfc8d079813261848037104d.tar.gz
use agenix to manage some secrets
I have some secrets that I want to manage for my user without having to rely on 1password, and to ensure proper rotation everywhere when needed. For now we only have two secrets (one for `llm`, the other the Anthropic API key used by Emacs). Will document the process better in the near future.
-rw-r--r--docs/secrets.org15
-rw-r--r--nix/lib/mkSystem.nix3
-rw-r--r--nix/users/fcuny/configs/emacs/site-lisp/init-llm.el19
-rw-r--r--nix/users/fcuny/home-manager.nix1
-rw-r--r--nix/users/fcuny/secrets.nix17
-rw-r--r--secrets/secrets.nix9
-rw-r--r--secrets/users/fcuny/anthropic-api-key.age6
-rw-r--r--secrets/users/fcuny/llm.age5
8 files changed, 64 insertions, 11 deletions
diff --git a/docs/secrets.org b/docs/secrets.org
new file mode 100644
index 0000000..04452dc
--- /dev/null
+++ b/docs/secrets.org
@@ -0,0 +1,15 @@
+* Secrets
+
+** SSH keys
+
+Get the ssh key from 1password with the following command:
+#+begin_src sh
+ op read "op://Private/nixos/private key?ssh-format=openssh" > ~/.ssh/nixos
+ op read "op://Private/nixos/public key?ssh-format=openssh" > ~/.ssh/nixos.pub
+#+end_src
+
+To create or edit a secret:
+#+begin_src
+ cd (git rev-parse --show-toplevel)/secrets
+ agenix -i ~/.ssh/nixos -e users/fcuny/llm.age
+#+end_src
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 9cc504b..7c438b6 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -40,6 +40,9 @@ systemFunc rec {
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
+ home-manager.sharedModules = [
+ inputs.agenix.homeManagerModules.default
+ ];
home-manager.users.${user} = import userHMConfig {
inputs = inputs;
darwin = darwin;
diff --git a/nix/users/fcuny/configs/emacs/site-lisp/init-llm.el b/nix/users/fcuny/configs/emacs/site-lisp/init-llm.el
index 4654613..48346e6 100644
--- a/nix/users/fcuny/configs/emacs/site-lisp/init-llm.el
+++ b/nix/users/fcuny/configs/emacs/site-lisp/init-llm.el
@@ -6,22 +6,19 @@
;; Configure completions
;;; Code:
-(defvar fcuny/op-item-cache nil)
+(require 's)
-(defun fcuny/read-op-item (op-item-path)
- "Read and cache OP-ITEM-PATH item."
- (or (cdr (assoc op-item-path fcuny/op-item-cache))
- (let ((key (string-trim-right
- (shell-command-to-string (format "op read '%s'" op-item-path)))))
- (unless (string-match-p "\\[ERROR\\]" key)
- (push (cons op-item-path key) fcuny/op-item-cache)
- key))))
+(defun fcuny/read-anthropic-key ()
+ "Read and return the API key for anthropic."
+ (with-temp-buffer
+ (insert-file-contents "~/.local/share/agenix/anthropic-api-key")
+ (s-trim (buffer-string))))
(use-package gptel
:custom
(gptel-default-mode 'org-mode)
:config
- (gptel-make-anthropic "Claude" :stream t :key (lambda () (fcuny/read-op-item "op://Private/anthropic llm/credential"))))
+ (gptel-make-anthropic "Claude" :stream t :key (lambda () (fcuny/read-anthropic-key))))
(use-package aidermacs
:bind ("C-c a" . aidermacs-transient-menu)
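Review bot: `fcuny/read-anthropic-key` calls `insert-file-contents` on the decrypted secret path unconditionally, so when that file is absent (agenix has not materialized the secret yet, or `secretsDir` in nix/users/fcuny/secrets.nix moves) it signals `file-missing`, whereas the removed `fcuny/read-op-item` returned nil on failure; wrapping the read in `(when (file-readable-p "~/.local/share/agenix/anthropic-api-key") …)` keeps the gptel and aidermacs `:config` bodies (the latter continues into the second hunk) from aborting. The new `(require 's)` exists only for `s-trim`, while the removed code already used the built-in `string-trim-right`, so `(string-trim (buffer-string))` does the same without the extra dependency. A comment tying the literal path to the Nix side would help keep them in sync, e.g. `;; Path is ${age.secretsDir}/anthropic-api-key from nix/users/fcuny/secrets.nix`. The aidermacs `use-package` form starts in this hunk and ends outside it.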
@@ -29,7 +26,7 @@
(aider-args '("--no-check-update" "--no-show-model-warnings"))
(aidermacs-default-model "claude-3-7-sonnet-latest")
:config
- (setenv "ANTHROPIC_API_KEY" (fcuny/read-op-item "op://Private/anthropic llm/credential")))
+ (setenv "ANTHROPIC_API_KEY" (fcuny/read-anthropic-key)))
(provide 'init-llm)
diff --git a/nix/users/fcuny/home-manager.nix b/nix/users/fcuny/home-manager.nix
index ae8c319..54b5ad7 100644
--- a/nix/users/fcuny/home-manager.nix
+++ b/nix/users/fcuny/home-manager.nix
@@ -21,6 +21,7 @@ in
./1password.nix
./dev.nix
./media.nix
+ ./secrets.nix
]
++ lib.optionals (machineUtils.isMachineType "work" systemName) [ ./work.nix ]
++ lib.optionals (machineUtils.isMachineType "personal" systemName) [ ./personal.nix ];
diff --git a/nix/users/fcuny/secrets.nix b/nix/users/fcuny/secrets.nix
new file mode 100644
index 0000000..0b6f7b6
--- /dev/null
+++ b/nix/users/fcuny/secrets.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+ age = {
+ identityPaths = [ "${config.home.homeDirectory}/.ssh/nixos" ];
+ secretsDir = "${config.home.homeDirectory}/.local/share/agenix";
+
+ secrets = {
+ llm = {
+ file = ../../../secrets/users/fcuny/llm.age;
+ path = "${config.home.homeDirectory}/.config/llm/keys.json";
+ };
+ anthropic-api-key = {
+ file = ../../../secrets/users/fcuny/anthropic-api-key.age;
+ };
+ };
+ };
+}
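Review bot: `secretsDir` is pointed at `~/.local/share/agenix`, a persistent directory; if I recall the agenix home-manager module correctly this replaces a default under the user's runtime/temp directory, so decrypted secrets now remain on disk across reboots, and a comment stating that this is deliberate would help, e.g. `# persistent location (not the runtime dir); decrypted secrets stay on disk`. `anthropic-api-key` sets no `path`, so it resolves to `${secretsDir}/anthropic-api-key`, which is exactly the literal path read by init-llm.el — worth a one-line comment so a rename here is not silently missed there. For `llm`, the secret is linked into `~/.config/llm/keys.json`; if the `llm` CLI ever writes that file itself, it will presumably be hitting a read-only agenix-managed file, which a comment on the expected content (a keys.json) could note.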
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..883ef91
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+ users = {
+ fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
+ };
+in
+{
+ "users/fcuny/llm.age".publicKeys = [ users.fcuny ];
+ "users/fcuny/anthropic-api-key.age".publicKeys = [ users.fcuny ];
+}
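Review bot: Both secrets have a single recipient, the `users.fcuny` ssh-ed25519 key, so decryption depends entirely on `~/.ssh/nixos` being available, and a rotation of that key (which the commit message names as a goal) requires re-keying both files while the old identity is still present. If the identity is meant to be recoverable from 1Password as docs/secrets.org implies, a comment here saying so would make that dependency explicit, e.g. `# single recipient; identity is backed up in 1password (see docs/secrets.org)`. Otherwise consider adding a second recipient (a backup or host key) so `agenix -r` can re-key without the plaintext.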
diff --git a/secrets/users/fcuny/anthropic-api-key.age b/secrets/users/fcuny/anthropic-api-key.age
new file mode 100644
index 0000000..9928518
--- /dev/null
+++ b/secrets/users/fcuny/anthropic-api-key.age
@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 9Ia8+w Q6ksvKOR40oiVtNAp9Sa1iCfdef0ntgJ6cRnnSnbWzM
+h/i6oBh/E3iUAm1TCruFb5LUGTt3enbFhUcEuxkZ9TY
+--- 6uwnMUvrqZaUdXIX7NaYpAzFDB4imIjuoKFPjCKnG/w
+'LdzVs0G|ei"ە3*xɫuܴ綳4#ᑪxƙJC(ɒ:d=17$m<덷@W'#6z!fe2
+.6RA0NQTkj (ԉ) \ No newline at end of file
diff --git a/secrets/users/fcuny/llm.age b/secrets/users/fcuny/llm.age
new file mode 100644
index 0000000..780fe5b
--- /dev/null
+++ b/secrets/users/fcuny/llm.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 9Ia8+w Bir55Uqpbc9LiWfeuhcrl5FluYT7WGKtY0SdSvS0w1o
+SjAYkn0OrDGIgd4yK709Wc+Y7d3LaSHWQAdSe9qkUr8
+--- 5p8VDC+lrVMyXPaWdNDPWrONSjsC36LsLeNJoMqmSN4
+7 =3WDz$yYfWgL 9WS4!߱s|eaIk@Z;_ޫzh1 ߗq8,]BvPJP& q0CrFTJ{(2t*%QEKa҄^QpA gH,~H/Tuܡ/PR =mfζwRmY{JC \ No newline at end of file