From 68db92c762b0459ada5eb4b0e2f5eaddf16f9bf6 Mon Sep 17 00:00:00 2001
From: ncaq
Date: Sat, 27 Jun 2026 18:10:10 +0900
Subject: [PATCH 1/6] =?UTF-8?q?feat:=20forgejo=E3=81=AEtoken=E3=82=92?= =?UTF-8?q?=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
secrets/forgejo.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 secrets/forgejo.yaml
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
new file mode 100644
index 00000000..5f268807
--- /dev/null
+++ b/secrets/forgejo.yaml
@@ -0,0 +1,19 @@
+token:
+ - normal: ENC[AES256_GCM,data:itdIIbD1JfJIjnfl8UFkaWNJXNaoDEGP6eAGtz/v/uihBBWV3Ky0Pw==,iv:U7JDfz+HdrPyrrqGfnGIT3o+vvyxX259eLHnBCDSzCY=,tag:7zq7rXnRL1DrKZOlyWobxg==,type:str]
+sops:
+ lastmodified: "2026-06-27T09:10:01Z"
+ mac: ENC[AES256_GCM,data:Hcx3rFUDCNDu3fgwRNUyhlF2hoYU+Hq/WiztXu6NwYqVXBfm+Jm0WJLfO8VIo8Oxr5BmT0rfyiTo2XL1GFiEQG3fi5O6+LwiDubUEk5AdwxblKFuEVvs+WKIhVeZjzlsXGULmrJ0ffOrgX2pBVyGoYTZTX899FQ4KyUe7X8Sqg0=,iv:WDxBlc44Q6IZe6yEYihEojFZWLFAylG+VWtm1sXVBAY=,tag:NXzSju7TvaSBTqvZkU6htA==,type:str]
+ pgp:
+ - created_at: "2026-06-27T09:09:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dxlt1nl1bPpUSAQdAaAAOMdqH5EP8yLBSIujsB1h88uq/T6uaTN4mMxQ7dXww
+ v1essRwlkmCViXYzGH3C1RLbWMEnLCWPLR+v2c6lGoQcdcX3jMQ4uue17TJceFns
+ 0l4BN5zFWbnsPAo6Hf3RZOmVA/AOlI8v5WTKRO2LnlOpX3mjyTjm02pPQUPig9GW
+ WknsoSrhu9Kmh+Fy3qkwI6j4QQsj25s2flpg+IK30hzesQg474R6iadxDRpvigIy
+ =745l
+ -----END PGP MESSAGE-----
+ fp: 7DDE3BC405DC58D94BF661D342248C7D0FB73D57
+ unencrypted_suffix: _unencrypted
+ version: 3.13.1
From 8812e1ad035482bd75098d4b5de9d61dab06432b Mon Sep 17 00:00:00 2001
From: ncaq
Date: Sat, 27 Jun 2026 18:18:58 +0900
Subject: [PATCH 2/6] =?UTF-8?q?feat:=20pass=E3=81=AB=E3=82=88=E3=82=8Bforg?= =?UTF-8?q?ejo=E5=90=91=E3=81=91=E3=81=AE=E3=83=91=E3=82=B9=E3=83=AF?= =?UTF-8?q?=E3=83=BC=E3=83=89=E8=A8=98=E6=86=B6=E3=81=AE=E8=A8=AD=E5=AE=9A?= =?UTF-8?q?=E3=82=92=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
home/core/git.nix | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/home/core/git.nix b/home/core/git.nix
index 8420e383..809b61b4 100644
--- a/home/core/git.nix
+++ b/home/core/git.nix
@@ -46,6 +46,10 @@ in
push.default = "current";
rerere.enabled = true;
github.user = "ncaq";
+ credential."https://forgejo.ncaq.net" = {
+ helper = "!${pkgs.pass-git-helper}/bin/pass-git-helper $@";
+ useHttpPath = false;
+ };
};
ignores = [
"**/.claude/scheduled_tasks.lock"
@@ -59,5 +63,13 @@ in
gh.enable = true;
};
- home.packages = with pkgs; [ zizmor ];
+ xdg.configFile."pass-git-helper/git-pass-mapping.ini".text = ''
+ [forgejo.ncaq.net*]
+ target=forgejo.ncaq.net/ncaq
+ username=ncaq
+ '';
+ home.packages = with pkgs; [
+ pass-git-helper
+ zizmor
+ ];
}
From c88b73b86090cf2c20e47e6e8030fae2c7e547d3 Mon Sep 17 00:00:00 2001
From: ncaq
Date: Sat, 27 Jun 2026 18:28:58 +0900
Subject: [PATCH 3/6] =?UTF-8?q?fix:=20secrets=E3=81=AE=E3=83=87=E3=83=BC?= =?UTF-8?q?=E3=82=BF=E6=A7=8B=E9=80=A0=E3=81=AE=E3=83=9F=E3=82=B9=E3=82=92?= =?UTF-8?q?=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
secrets/forgejo.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
index 5f268807..521ab920 100644
--- a/secrets/forgejo.yaml
+++ b/secrets/forgejo.yaml
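Review bot: The mapping section `[forgejo.ncaq.net*]` in the ini written by the second hunk is an open wildcard: as far as I recall pass-git-helper matches section names with shell-style globs against the request host (plus the path only when `useHttpPath` is on), so the trailing `*` would also select this token for any host that merely begins with `forgejo.ncaq.net`. Today git only routes requests for `https://forgejo.ncaq.net` to this helper because the first hunk scopes it with `credential."https://forgejo.ncaq.net"`, so exposure is bounded, but the ini would release the token to a look-alike host the moment the helper is ever enabled under plain `credential.helper`. With `useHttpPath = false` and no port in play the exact section `[forgejo.ncaq.net]` is sufficient and costs nothing. The `programs.git.settings` attribute set that the first hunk extends begins outside the hunk.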
@@ -1,8 +1,8 @@
token:
- - normal: ENC[AES256_GCM,data:itdIIbD1JfJIjnfl8UFkaWNJXNaoDEGP6eAGtz/v/uihBBWV3Ky0Pw==,iv:U7JDfz+HdrPyrrqGfnGIT3o+vvyxX259eLHnBCDSzCY=,tag:7zq7rXnRL1DrKZOlyWobxg==,type:str]
+ normal: ENC[AES256_GCM,data:itdIIbD1JfJIjnfl8UFkaWNJXNaoDEGP6eAGtz/v/uihBBWV3Ky0Pw==,iv:U7JDfz+HdrPyrrqGfnGIT3o+vvyxX259eLHnBCDSzCY=,tag:7zq7rXnRL1DrKZOlyWobxg==,type:str]
sops:
- lastmodified: "2026-06-27T09:10:01Z"
- mac: ENC[AES256_GCM,data:Hcx3rFUDCNDu3fgwRNUyhlF2hoYU+Hq/WiztXu6NwYqVXBfm+Jm0WJLfO8VIo8Oxr5BmT0rfyiTo2XL1GFiEQG3fi5O6+LwiDubUEk5AdwxblKFuEVvs+WKIhVeZjzlsXGULmrJ0ffOrgX2pBVyGoYTZTX899FQ4KyUe7X8Sqg0=,iv:WDxBlc44Q6IZe6yEYihEojFZWLFAylG+VWtm1sXVBAY=,tag:NXzSju7TvaSBTqvZkU6htA==,type:str]
+ lastmodified: "2026-06-27T09:28:43Z"
+ mac: ENC[AES256_GCM,data:JwwiPnslhp2BbIL3CVR+eMY2W+6pVpx1MZqD3+ujLgE5taAzVV78RYxi+B2ZKUHhwME9incK6gfL9fN+IpoKc4mb4h+j9rvehWbMdecC+QQ1Y5ZTCQ+VmFl1OUfQ5EaJlQtMaM/amC3OgJLxr5a4Tr8UMhbmUEL1XzycOXJX8io=,iv:zyNJebch/dnAQAQ+dZrFw0bFTKASVrJBm7fmewNNIhM=,tag:PNgOkRyxB+MaDPuhUKdF+Q==,type:str]
pgp:
- created_at: "2026-06-27T09:09:22Z"
enc: |-
From 0503b803a1ce22476128975d4fcb9fe640189036 Mon Sep 17 00:00:00 2001
From: ncaq
Date: Sat, 27 Jun 2026 18:33:41 +0900
Subject: [PATCH 4/6] =?UTF-8?q?feat:=20sops=E3=81=A7=E9=95=B7=E6=9C=9F?= =?UTF-8?q?=E4=BF=9D=E5=AD=98=E3=81=95=E3=82=8C=E3=81=9F=E3=83=88=E3=83=BC?= =?UTF-8?q?=E3=82=AF=E3=83=B3=E3=82=92git=E9=80=A3=E6=90=BA=E3=81=8C?= =?UTF-8?q?=E8=B1=8A=E5=AF=8C=E3=81=AApass=E3=81=AB=E8=87=AA=E5=8B=95?= =?UTF-8?q?=E3=81=A7=E7=A7=BB=E3=81=97=E6=9B=BF=E3=81=88=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
home/core/git.nix | 10 +--------
home/core/pass.nix | 48 +++++++++++++++++++++++++++++++++++++++++-----
2 files changed, 44 insertions(+), 14 deletions(-)
diff --git a/home/core/git.nix b/home/core/git.nix
index 809b61b4..3aa6e966 100644
--- a/home/core/git.nix
+++ b/home/core/git.nix
@@ -63,13 +63,5 @@ in
gh.enable = true;
};
- xdg.configFile."pass-git-helper/git-pass-mapping.ini".text = ''
- [forgejo.ncaq.net*]
- target=forgejo.ncaq.net/ncaq
- username=ncaq
- '';
- home.packages = with pkgs; [
- pass-git-helper
- zizmor
- ];
+ home.packages = with pkgs; [ zizmor ];
}
diff --git a/home/core/pass.nix b/home/core/pass.nix
index bcc31977..d99025e6 100644
--- a/home/core/pass.nix
+++ b/home/core/pass.nix
@@ -1,4 +1,5 @@
{
+ pkgs,
lib,
config,
...
@@ -6,6 +7,7 @@ let
inherit (config.services.pass-secret-service) storePath;
storeRel = lib.removePrefix "${config.home.homeDirectory}/" storePath;
+ inherit (config.programs.password-store.settings) PASSWORD_STORE_KEY;
in
{
# GPGによる暗号化を行うpassを使用します。
@@ -26,9 +28,45 @@ in
};
services.pass-secret-service.enable = true;
- # `pass init`の代わりに宣言的に`.gpg-id`を配置してストアを初期化します。
- # `pass-secret-service`が内部で使うプログラムは`PASSWORD_STORE_KEY`を読まず、
- # 起動時に`.gpg-id`の存在を必須とするため実ファイルの配置が避けられません。
- home.file."${storeRel}/.gpg-id".text =
- "${config.programs.password-store.settings.PASSWORD_STORE_KEY}\n";
+ # gitのcredential helperとしてpass-git-helperを使用します。
+ # Forgejoの`https`エンドポイントへのアクセス時に、
+ # passに格納されたトークンを返します。
+ # 実際のhelperの紐付けは`programs.git.settings.credential`で行います。
+ xdg.configFile."pass-git-helper/git-pass-mapping.ini".text = ''
+ [forgejo.ncaq.net*]
+ target=forgejo.ncaq.net/ncaq
+ username=ncaq
+ '';
+
+ # sopsで管理されているForgejoのトークンを長期管理します。
+ sops.secrets."forgejo/token/normal" = {
+ sopsFile = ../../secrets/forgejo.yaml;
+ key = "token/normal";
+ mode = "0400";
+ };
+
+ home = {
+ # `pass init`の代わりに宣言的に`.gpg-id`を配置してストアを初期化します。
+ # `pass-secret-service`が内部で使うプログラムは`PASSWORD_STORE_KEY`を読まず、
+ # 起動時に`.gpg-id`の存在を必須とするため実ファイルの配置が避けられません。
+ file."${storeRel}/.gpg-id".text = "${PASSWORD_STORE_KEY}\n";
+
+ # sopsで復号化したトークンをpassのエントリとして再暗号化して配置します。
+ # 内容が変化した時のみ書き換えて`home-manager switch`の度に差分が出るのを避けます。
+ activation.forgejoTokenToPass = lib.hm.dag.entryAfter [ "sops-nix" ] ''
+ src="${config.sops.secrets."forgejo/token/normal".path}"
+ dst="${storePath}/forgejo.ncaq.net/ncaq.gpg"
+ $DRY_RUN_CMD mkdir -p "$(dirname "$dst")"
+ if [ ! -e "$dst" ] \
+ || ! ${pkgs.gnupg}/bin/gpg --batch --quiet --decrypt "$dst" 2>/dev/null \
+ | ${pkgs.diffutils}/bin/cmp -s - "$src"; then
+ $DRY_RUN_CMD ${pkgs.gnupg}/bin/gpg \
+ --batch --yes --trust-model always \
+ --encrypt --recipient ${PASSWORD_STORE_KEY} \
+ --output "$dst" "$src"
+ fi
+ '';
+
+ packages = [ pkgs.pass-git-helper ];
+ };
}
From ddab738876f3a786aaec6118305f4c57391cbdc0 Mon Sep 17 00:00:00 2001
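Review bot: The activation script creates `forgejo.ncaq.net/` and `ncaq.gpg` inside the password store with whatever umask the activation shell inherits, whereas `pass` itself runs `umask "${PASSWORD_STORE_UMASK:-077}"` before touching the store, so the new directory and file can end up group- or world-readable; the ciphertext does not expose the token, but the entry name and mtimes do, and later `pass` invocations will not repair the mode. Putting `umask 077` as the first line of the script, ahead of the `mkdir -p`, matches what `pass` would have done. Separately, `--trust-model always` disables the key-validity check, so whichever keyring key matches the recipient spec gets used; that is only safe if `PASSWORD_STORE_KEY` is a full fingerprint, and quoting it as `--recipient "${PASSWORD_STORE_KEY}"` would at least turn a multi-id value into a hard gpg failure instead of an extra positional file argument. Note also that `2>/dev/null` on the `gpg --decrypt` makes an agent or pinentry failure indistinguishable from a changed token, so the entry is silently re-encrypted on every switch with no hint why. The enclosing module attribute set begins before this hunk.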
From: ncaq
Date: Sat, 27 Jun 2026 18:37:18 +0900
Subject: [PATCH 5/6] =?UTF-8?q?fix:=20=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E3=82=B7=E3=83=BC=E3=82=AF=E3=83=AC=E3=83=83=E3=83=88=E3=83=95?= =?UTF-8?q?=E3=82=A1=E3=82=A4=E3=83=AB=E3=81=AE=E3=83=95=E3=82=A9=E3=83=BC?= =?UTF-8?q?=E3=83=9E=E3=83=83=E3=83=88=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
secrets/forgejo.yaml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
index 521ab920..0e3fabac 100644
--- a/secrets/forgejo.yaml
+++ b/secrets/forgejo.yaml
@@ -1,18 +1,18 @@
token:
- normal: ENC[AES256_GCM,data:itdIIbD1JfJIjnfl8UFkaWNJXNaoDEGP6eAGtz/v/uihBBWV3Ky0Pw==,iv:U7JDfz+HdrPyrrqGfnGIT3o+vvyxX259eLHnBCDSzCY=,tag:7zq7rXnRL1DrKZOlyWobxg==,type:str]
+ normal: ENC[AES256_GCM,data:fEeLXCPCyHw8PjaBT9SSeHc7mjk0YPHiiqOZHv51qcaStlwy2naGMw==,iv:3SmZ3dy+Ts1l/DBHS5WNVRlHoKwFLVptZnlqM43QfGY=,tag:smixRYYhgl5jTcCIPW1GxQ==,type:str]
sops:
- lastmodified: "2026-06-27T09:28:43Z"
- mac: ENC[AES256_GCM,data:JwwiPnslhp2BbIL3CVR+eMY2W+6pVpx1MZqD3+ujLgE5taAzVV78RYxi+B2ZKUHhwME9incK6gfL9fN+IpoKc4mb4h+j9rvehWbMdecC+QQ1Y5ZTCQ+VmFl1OUfQ5EaJlQtMaM/amC3OgJLxr5a4Tr8UMhbmUEL1XzycOXJX8io=,iv:zyNJebch/dnAQAQ+dZrFw0bFTKASVrJBm7fmewNNIhM=,tag:PNgOkRyxB+MaDPuhUKdF+Q==,type:str]
+ lastmodified: "2026-06-27T09:36:39Z"
+ mac: ENC[AES256_GCM,data:U2yL4rz2R8x1zGxin9HcRmpTPml9/6mYgku/eM7WN8yHb+sPmJoV5kZyfgBqXLN/Xm+lZvGCKr3rWKcu1TwJeiyWFL6ZZ+apTVQAfpxfIfhvW3Kempnv3+RY9ZeKfO0bOFl14digH0Dy7mpXWgBIJ8oai6sSLJcls22nbV/IkXM=,iv:qEojYfsjBBIbel6tZNfZbGSoXtHhggORgi4eVrlq5cw=,tag:k0hUeZc9QpL4M0C8704fvw==,type:str]
pgp:
- - created_at: "2026-06-27T09:09:22Z"
+ - created_at: "2026-06-27T09:36:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
- hF4Dxlt1nl1bPpUSAQdAaAAOMdqH5EP8yLBSIujsB1h88uq/T6uaTN4mMxQ7dXww
- v1essRwlkmCViXYzGH3C1RLbWMEnLCWPLR+v2c6lGoQcdcX3jMQ4uue17TJceFns
- 0l4BN5zFWbnsPAo6Hf3RZOmVA/AOlI8v5WTKRO2LnlOpX3mjyTjm02pPQUPig9GW
- WknsoSrhu9Kmh+Fy3qkwI6j4QQsj25s2flpg+IK30hzesQg474R6iadxDRpvigIy
- =745l
+ hF4Dxlt1nl1bPpUSAQdAIqJ57h/GeJy+H2efDxNPZ4b/XOfTuLWkPgmJlismGXAw
+ LbptdFOqiB3XwVkQk6/HCQ8v8qlUOe2v5GAqeq0g05pnQVEmyywPoyfGPjcagEdf
+ 0lwBwwzvA4oFRIrmwUSt0c9pp/usISVEkC0YjS9U4PHe6D2y+M8+4xXpBNyhaN21
+ eX8Wn5LWdoPICZ5vDbz0UiATcygS6b0D5rlUcfmqnL6dtxyVOvPoDllEE/972Q==
+ =Czd6
-----END PGP MESSAGE-----
fp: 7DDE3BC405DC58D94BF661D342248C7D0FB73D57
unencrypted_suffix: _unencrypted
From a69bae54850931eb184dcb6faf241f7865c6c055 Mon Sep 17 00:00:00 2001
From: ncaq
Date: Sat, 27 Jun 2026 19:58:53 +0900
Subject: [PATCH 6/6] =?UTF-8?q?fix:=20forgejo=E3=81=AB=E3=83=A6=E3=83=BC?= =?UTF-8?q?=E3=82=B6=E5=90=8D=E3=82=92=E8=81=9E=E3=81=8B=E3=82=8C=E3=81=AB?= =?UTF-8?q?=E3=81=8F=E3=81=84=E3=82=88=E3=81=86=E3=81=AB=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
定義が一部重複しているのはツールがどこから呼ぶかバラバラなので仕方がない。
---
home/core/git.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/home/core/git.nix b/home/core/git.nix
index 3aa6e966..638e40f7 100644
--- a/home/core/git.nix
+++ b/home/core/git.nix
@@ -49,6 +49,7 @@ in
credential."https://forgejo.ncaq.net" = {
helper = "!${pkgs.pass-git-helper}/bin/pass-git-helper $@";
useHttpPath = false;
+ username = "ncaq";
};
};
ignores = [