-rw-r--r--profiles/home-manager.nix1
-rw-r--r--users/modules/onepassword.nix148
-rw-r--r--users/profiles/mac.nix2
-rw-r--r--users/profiles/work.nix11
-rw-r--r--users/programs/1password.nix41
-rw-r--r--users/programs/onepassword.nix9
6 files changed, 170 insertions, 42 deletions
diff --git a/profiles/home-manager.nix b/profiles/home-manager.nix
index 3a81cce..f6ea8dd 100644
--- a/profiles/home-manager.nix
+++ b/profiles/home-manager.nix
@@ -24,6 +24,7 @@
home-manager.sharedModules = [
inputs.agenix.homeManagerModules.default
"${self}/users/modules/userinfo.nix"
+ "${self}/users/modules/onepassword.nix"
{
nixpkgs.overlays = [
inputs.agenix.overlays.default
diff --git a/users/modules/onepassword.nix b/users/modules/onepassword.nix
new file mode 100644
index 0000000..d98df25
--- /dev/null
+++ b/users/modules/onepassword.nix
@@ -0,0 +1,148 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.programs.onepassword;
+
+ generateAgentConfig =
+ keys:
+ let
+ keyToToml =
+ key:
+ let
+ lines =
+ [ "[[ssh-keys]]" ]
+ ++ optional (key.item != null) ''item = "${key.item}"''
+ ++ optional (key.vault != null) ''vault = "${key.vault}"''
+ ++ [ ''account = "${key.account}"'' ];
+ in
+ concatStringsSep "\n" lines;
+ in
+ concatStringsSep "\n\n" (map keyToToml keys);
+
+ home = config.home.homeDirectory;
+ darwinSockPath = "${home}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock";
+ defaultSockPath = ".1password/agent.sock";
+
+in
+{
+ options.programs.onepassword = {
+ enable = mkEnableOption "1Password CLI and SSH agent integration";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs._1password-cli;
+ description = "The 1Password CLI package to use.";
+ };
+
+ socketPath = mkOption {
+ type = types.str;
+ default = defaultSockPath;
+ description = "Relative path from home directory for the SSH agent socket.";
+ example = ".1password/agent.sock";
+ };
+
+ darwinSocketPath = mkOption {
+ type = types.str;
+ default = darwinSockPath;
+ description = "Full path to the 1Password agent socket on macOS.";
+ };
+
+ setSshAuthSock = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to set the SSH_AUTH_SOCK environment variable.";
+ };
+
+ configureSshClient = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to configure the SSH client to use 1Password agent.";
+ };
+
+ fishIntegration = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable fish shell completion for 1Password CLI.";
+ };
+
+ sshKeys = mkOption {
+ type =
+ with types;
+ listOf (submodule {
+ options = {
+ item = mkOption {
+ type = nullOr str;
+ default = null;
+ description = "The name of the SSH key item in 1Password.";
+ example = "Git Signing Key";
+ };
+
+ vault = mkOption {
+ type = nullOr str;
+ default = null;
+ description = "The vault name where the SSH key is stored (optional).";
+ example = "Private";
+ };
+
+ account = mkOption {
+ type = str;
+ default = "my.1password.com";
+ description = "The 1Password account identifier.";
+ example = "my.1password.com";
+ };
+ };
+ });
+ default = [ ];
+ description = "SSH keys configuration for 1Password agent. Lists from multiple configurations will be merged.";
+ example = [
+ { account = "my.1password.com"; }
+ {
+ item = "Git Signing Key";
+ vault = "Work";
+ account = "ACME, Inc.";
+ }
+ {
+ item = "Personal SSH Key";
+ account = "my.1password.com";
+ }
+ ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ home.packages = [ cfg.package ];
+
+ home.sessionVariables = mkIf cfg.setSshAuthSock {
+ SSH_AUTH_SOCK = "${home}/${cfg.socketPath}";
+ };
+
+ # Create symlink to Darwin socket (macOS specific)
+ home.file."${cfg.socketPath}" = mkIf pkgs.stdenv.isDarwin {
+ source = config.lib.file.mkOutOfStoreSymlink cfg.darwinSocketPath;
+ };
+
+ # Configure SSH client
+ programs.ssh = mkIf cfg.configureSshClient {
+ extraConfig = "IdentityAgent ~/${cfg.socketPath}";
+ };
+
+ # Fish shell integration
+ programs.fish = mkIf cfg.fishIntegration {
+ interactiveShellInit = ''
+ op completion fish | source
+ '';
+ };
+
+ # Generate SSH agent configuration
+ home.file.".config/1Password/ssh/agent.toml" = mkIf (cfg.sshKeys != [ ]) {
+ text = generateAgentConfig cfg.sshKeys;
+ };
+ };
+}
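Review bot: The TOML built by generateAgentConfig (lines 51–53) interpolates `key.item`, `key.vault` and `key.account` straight into double-quoted strings, so a value containing `"` or `\` yields a malformed agent.toml, and that file is the only thing restricting which keys the agent offers. Passing the values through `builtins.toJSON`, whose output is also a valid TOML basic string, avoids this: `++ optional (key.item != null) "item = ${builtins.toJSON key.item}"`, `++ optional (key.vault != null) "vault = ${builtins.toJSON key.vault}"`, `++ [ "account = ${builtins.toJSON key.account}" ]`. A one-line comment above `generateAgentConfig`, e.g. `# Renders cfg.sshKeys as [[ssh-keys]] tables for ~/.config/1Password/ssh/agent.toml`, would also help, since neither the option descriptions nor the function name says which file the keys end up in.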
diff --git a/users/profiles/mac.nix b/users/profiles/mac.nix
index f001f99..16e3b59 100644
--- a/users/profiles/mac.nix
+++ b/users/profiles/mac.nix
@@ -1,7 +1,6 @@
{ self, pkgs, ... }:
{
imports = [
- "${self}/users/programs/1password.nix"
"${self}/users/programs/alacritty"
"${self}/users/programs/bat.nix"
"${self}/users/programs/direnv.nix"
@@ -12,6 +11,7 @@
"${self}/users/programs/gh.nix"
"${self}/users/programs/git.nix"
"${self}/users/programs/go.nix"
+ "${self}/users/programs/onepassword.nix"
"${self}/users/programs/ssh.nix"
"${self}/users/programs/starship.nix"
"${self}/users/programs/tmux.nix"
diff --git a/users/profiles/work.nix b/users/profiles/work.nix
index feb5a46..538b547 100644
--- a/users/profiles/work.nix
+++ b/users/profiles/work.nix
@@ -2,6 +2,7 @@
lib,
self,
pkgs,
+ config,
...
}:
let
@@ -42,6 +43,16 @@ in
vault
];
+ programs.onepassword = lib.mkMerge [
+ config.programs.onepassword.sshKeys
+ [
+ {
+ account = "roblox.1password.com";
+ vault = "Private";
+ }
+ ]
+ ];
+
programs.fish = {
shellAbbrs =
let
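Review bot: `programs.onepassword = lib.mkMerge [ config.programs.onepassword.sshKeys [ … ] ]` (lines 214–222) assigns a merged list to the option set itself rather than to `programs.onepassword.sshKeys`, and it reads `config.programs.onepassword.sshKeys` inside that same definition, which the module system will most likely report as infinite recursion before it reaches the type mismatch. The cross-profile merge is already provided by the `listOf` option (the description in users/modules/onepassword.nix says as much), so the definition reduces to `programs.onepassword.sshKeys = [ { account = "roblox.1password.com"; vault = "Private"; } ];`. The `config` argument added in this file's first hunk then appears unused unless something outside the hunk reads it. The enclosing attribute set of this hunk starts and ends outside the hunk.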
diff --git a/users/programs/1password.nix b/users/programs/1password.nix
deleted file mode 100644
index 63892c7..0000000
--- a/users/programs/1password.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ pkgs, config, ... }:
-let
- home = config.home.homeDirectory;
- darwinSockPath = "${home}/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock";
- sockPath = ".1password/agent.sock";
-in
-{
- home.packages = with pkgs; [
- _1password-cli
- ];
-
- home.sessionVariables = {
- SSH_AUTH_SOCK = "${home}/${sockPath}";
- };
-
- home.file.sock = {
- source = config.lib.file.mkOutOfStoreSymlink darwinSockPath;
- target = sockPath;
- };
-
- programs.fish = {
- interactiveShellInit = ''
- op completion fish | source
- '';
- };
-
- programs.ssh = {
- extraConfig = "IdentityAgent ~/${sockPath}";
- };
-
- # Generate ssh agent config for 1Password
- # I want both my personal and work keys
- home.file.".config/1Password/ssh/agent.toml".text = ''
- [[ssh-keys]]
- account = "my.1password.com"
-
- [[ssh-keys]]
- account = "roblox.1password.com"
- vault = "Private"
- '';
-}
diff --git a/users/programs/onepassword.nix b/users/programs/onepassword.nix
new file mode 100644
index 0000000..f364a9e
--- /dev/null
+++ b/users/programs/onepassword.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ programs.onepassword = {
+ enable = true;
+ sshKeys = [
+ { account = "my.1password.com"; } # All keys from personal account
+ ];
+ };
+}