feat: Encryption

2025-02-18 13:56:19 -07:00
parent 91b94d911f
commit d203a71aaa
15 changed files with 80 additions and 26 deletions
--- a/users/crumb/default.nix
+++ b/users/crumb/default.nix
@@ -21,9 +21,10 @@
    xdg.enable = true;

    sydnix = {
+      gpg.enable = true;
      sops = {
        enable = true;
-        keyFile = "/persist/vault/${config.home.username}/keys/melbourne";
+        keyFile = "/persist/private-keys/age/${config.home.username}";
      };
    };

--- a/users/crumb/files.nix
+++ b/users/crumb/files.nix
@@ -2,12 +2,6 @@

 let mutableSymlink = config.lib.file.mkOutOfStoreSymlink;
 in lib.mkMerge [
-  {
-    # TODO: Move to programs/age.nix.
-    xdg.configFile."sops/age/keys.txt".source =
-      mutableSymlink "/persist/vault/${config.home.username}/keys/melbourne";
-  }
-
  {
    ### Some basic impermanence setup.

--- a/users/crumb/programs/age.nix
+++ b/users/crumb/programs/age.nix
@@ -1,8 +1,18 @@
 { config, lib, pkgs, ... }:

-{
+let mutableSymlink = config.lib.file.mkOutOfStoreSymlink;
+in {
  home.packages = [
    # Rage supports pinentry while Age does not.
    pkgs.rage
  ];
+
+  # Private keys must be mutable symlinks since we don't want the key inside the
+  # world-readable store.
+  home.file."private-keys/age/crumb.age".source =
+    mutableSymlink "/persist/private-keys/age/${config.home.username}.age";
+
+  home.file."public-keys/age/crumb.pub".source =
+    ../../../public-keys/age/${config.home.username}.pub;
 }
+
--- a/users/crumb/programs/emacs/modules/syd-age.el
+++ b/users/crumb/programs/emacs/modules/syd-age.el
@@ -4,9 +4,7 @@
  :hook (on-first-file . age-file-enable)
  :custom
  ((age-program "rage")
-   (age-default-identity (format "/persist/vault/%s/keys/melbourne"
-                                 user-login-name))
-   (age-default-recipient (format "/persist/vault/%s/keys/melbourne.pub"
-                                  user-login-name))))
+   (age-default-identity "~/private-keys/age/crumb.age")
+   (age-default-recipient "~/public-keys/age/crumb.pub")))

 (provide 'syd-age)
--- a/users/crumb/programs/emacs/modules/syd-ui.el
+++ b/users/crumb/programs/emacs/modules/syd-ui.el
@@ -64,6 +64,9 @@
  :custom ((display-line-numbers-type 'relative)
           ;; Always ask "y/n"; never "yes/no".
           (use-short-answers t)
+           ;; I don't like that `grep' asks me to save unsaved files.  It makes
+           ;; me think it's about to kill my buffers.
+           (grep-save-buffers nil)
           ;; The default value is `ask', meaning that Emacs will ask for
           ;; confirmation any time you follow a symlink to a file under version
           ;; control.  The documentation claims this is "dangerous, and