From e4d8b16ee6518d5c62b023f1e82f6805c72255a7 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 2 Oct 2025 12:52:14 -0600
Subject: [PATCH] encrypted gallery-dl secrets
---
 .sops.yaml | 7 ++++++
 dotfiles/gallery-dl.nix | 20 ++++++++--------
 modules/shell/multimedia.nix | 14 ++++++++++++
 secrets/gallery.yaml | 44 ++++++++++++++++++++++++++++++++++++
 4 files changed, 75 insertions(+), 10 deletions(-)
 create mode 100644 secrets/gallery.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 19beac9..e7812ed 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -25,6 +25,13 @@ creation_rules:
 - *workstation
 - *server
 - *miniserver
+ - path_regex: secrets/gallery.yaml$
+ key_groups:
+ - age:
+ - *devkey
+ - *workstation
+ - *server
+ - *miniserver
 - path_regex: secrets/wireguard.yaml$
 key_groups:
 - age:
diff --git a/dotfiles/gallery-dl.nix b/dotfiles/gallery-dl.nix
index db1a4b8..bb1c11d 100644
--- a/dotfiles/gallery-dl.nix
+++ b/dotfiles/gallery-dl.nix
@@ -14,7 +14,7 @@
 };
 bluesky = {
 username = "blablablamagic.bsky.social";
- password = "bb3m-xr4w-4vgf-oxmi";
+ password = "{env[GALLERY_DL_BLUESKY_PASSWORD]}";
 reposts = false;
 videos = true;
 directory = [ "{author['handle']}" ];
@@ -30,8 +30,8 @@
 };
 flickr = {
 size-max = "Original";
- access-token = "72157720915197374-51a26dc4fdfdf173";
- access-token-secret = "a1ddb10902f3fa85";
+ access-token = "{env[GALLERY_DL_FLICKR_ACCESS_TOKEN]}";
+ access-token-secret = "{env[GALLERY_DL_FLICKR_ACCESS_TOKEN_SECRET]}";
 directory = [
 "{category}"
 "{owner[username]}"
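Review bot: The new `secrets/gallery.yaml` rule in `.sops.yaml` encrypts the gallery-dl tokens to `*server` and `*miniserver` as well as `*devkey` and `*workstation`, which looks broader than the use case needs. The secret is only declared on hosts that enable `my.shell.multimedia`, so if the servers never run gallery-dl, dropping them from the `age:` list keeps a server compromise from exposing these third-party account tokens. If they do need it, a comment above the rule such as `# gallery-dl site tokens; needed on every host with my.shell.multimedia` would record why.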
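Review bot: The values on the removed `password`, `access-token`, `access-token-secret`, `api-key`, `api-secret` and `refresh-token` lines (this bluesky hunk and the flickr, tumblr, deviantart, reddit and pixiv hunks that follow) stay readable in the repository history and in this patch, so replacing them here does not retire them. Each one should be revoked and reissued at its provider, and only the new values stored in `secrets/gallery.yaml`; if the encrypted file was built from the old values it needs re-encrypting after rotation. A comment at the top of the attrset, e.g. `# credentials come from the sops secret "gallery-dl/secrets"; never inline them here`, would help keep them out in future.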
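Review bot: `access-token = "{env[GALLERY_DL_FLICKR_ACCESS_TOKEN]}"` and the other `{env[...]}` values (the bluesky hunk above and the tumblr, deviantart, reddit and pixiv hunks below) rely on gallery-dl expanding environment variables inside credential options, which I do not think it does. As far as I know its format-string environment field is spelled `_env` and is evaluated for filename and directory templates, not for `password` or token settings, so the literal placeholder text would be sent to the site as the credential. Please confirm with a run of each extractor; if the value is not expanded, the credential part of the config has to be generated from the sops secret at activation time instead.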
@@ -84,19 +84,19 @@
 "{title}"
 ];
 tumblr = {
- access-token = "5VwIW8TNBoNVPo9CzvKMza2wcn9gJXd6rnUBy6Ctqb4BCPpI59";
- access-token-secret = "8krZGeauA171aZpXZhwgZN8nZCxKQkXYKXWL473mTQPKrqoP3e";
+ access-token = "{env[GALLERY_DL_TUMBLR_ACCESS_TOKEN]}";
+ access-token-secret = "{env[GALLERY_DL_TUMBLR_ACCESS_TOKEN_SECRET]}";
 external = true;
 inline = true;
 posts = "all";
 reblogs = false;
 parent-directory = true;
- api-key = "uhBUtgPaX9gl7eaD8suGWW6ZInRedQoVT6xsZzopljy0jXHqm5";
- api-secret = "D3FDj1INyPzXikVpp4jmzSqjlC9czFUQ8oj2I883PSYJdqwURv";
+ api-key = "{env[GALLERY_DL_TUMBLR_API_KEY]}";
+ api-secret = "{env[GALLERY_DL_TUMBLR_API_SECRET]}";
 directory = [ "{blog_name}" ];
 };
 deviantart = {
- refresh-token = "4364d30b6f3777b3c5c1ab2c1c428b0245272ebe";
+ refresh-token = "{env[GALLERY_DL_DEVIANTART_REFRESH_TOKEN]}";
 include = "gallery,scraps";
 flat = true;
 original = true;
@@ -139,7 +139,7 @@
 reddit = {
 user-agent = "Python:gallery-dl:v1.0 (by /u/captainjawz)";
 client-id = "T7nZ6WZ3_onJWBhLP8r08g";
- refresh-token = "184157546842-UHdPQX1c7kG1kbO09NAHY2O2taEiwg";
+ refresh-token = "{env[GALLERY_DL_REDDIT_REFRESH_TOKEN]}";
 parent-directory = true;
 directory = [ "{author}" ];
 };
@@ -162,7 +162,7 @@
 ];
 baraag.directory = [ "{account[username]}" ];
 pixiv = {
- refresh-token = "O4kc9tTzGItuuacDcfmevW6NELjm5CJdWiAbZdUv3Kk";
+ refresh-token = "{env[GALLERY_DL_PIXIV_REFRESH_TOKEN]}";
 directory = [ "{user[account]} - {user[id]}" ];
 ugoira = true;
 favorite.directory = [
diff --git a/modules/shell/multimedia.nix b/modules/shell/multimedia.nix
index ec1d29e..3407c68 100644
--- a/modules/shell/multimedia.nix
+++ b/modules/shell/multimedia.nix
@@ -7,6 +7,11 @@
 {
 options.my.shell.multimedia.enable = lib.mkEnableOption "multimedia CLI tools and codecs";
 config = lib.mkIf config.my.shell.multimedia.enable {
+ sops.secrets."gallery-dl/secrets" = {
+ sopsFile = ../../secrets/gallery.yaml;
+ owner = "jawz";
+ mode = "0400";
+ };
 home-manager.users.jawz.programs = {
 yt-dlp = {
 enable = true;
@@ -21,6 +26,15 @@
 enable = true;
 settings = import ../../dotfiles/gallery-dl.nix;
 };
+ ${config.my.shell.type} = {
+ initExtra = lib.mkAfter ''
+ if [ -r "${config.sops.secrets."gallery-dl/secrets".path}" ]; then
+ set -a # automatically export all variables
+ source "${config.sops.secrets."gallery-dl/secrets".path}"
+ set +a # stop automatically exporting
+ fi
+ '';
+ };
 };
 users.users.jawz.packages = builtins.attrValues {
 inherit (pkgs)
diff --git a/secrets/gallery.yaml b/secrets/gallery.yaml
new file mode 100644
index 0000000..57a62b9
--- /dev/null
+++ b/secrets/gallery.yaml
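Review bot: The `initExtra` snippet in the second multimedia.nix hunk sources the decrypted file under `set -a` in every interactive shell, so all gallery-dl tokens land in the environment of every process started from that shell rather than only gallery-dl's. It also means the variables are presumably absent for anything not launched from an interactive `${config.my.shell.type}` session, and because `source` executes the secret file as shell code its contents must be plain quoted `KEY='value'` lines. Scoping the load to a `gallery-dl` shell function whose body runs in a subshell keeps the exports out of the session. The fence shows the rewritten `initExtra` string only; the enclosing `${config.my.shell.type}` attrset is unchanged.

```nix
initExtra = lib.mkAfter ''
  # Load the tokens only for gallery-dl; the ( ) body is a subshell, so
  # nothing stays exported in the interactive session.
  gallery-dl() (
    if [ -r "${config.sops.secrets."gallery-dl/secrets".path}" ]; then
      set -a
      . "${config.sops.secrets."gallery-dl/secrets".path}"
      set +a
    fi
    command gallery-dl "$@"
  )
'';
```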
@@ -0,0 +1,44 @@ +gallery-dl: + secrets: ENC[AES256_GCM,data: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,iv:4Sa8LyNhp2EyarQpQ19jJZFUAINmfuw3EnUVhiYGCJg=,tag:o5rLdUbGjao+SJ9Cqtr+jA==,type:str] +sops: + age: + - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIY05VY1FPOU5FTFFnazlQ + RStQVExNdWIySE5qSVMxMFd3NFM0L2VCRWxzClhleTEzNTVOaVl1cGovM1hmWEoy + eGNxZ2E4U1pRNlBaTDZ0ZW4wbVZjT0EKLS0tIEJ0ZXR5blBlckIxSVlmT0hxY1Bz + TGVGRFgzaHI5VW5GdjJvcmswUWFvaWMKQCK47p7OQUXq45aYo9BkkcGrzmPKCJOI + OKu/+W4xYOnfIo03GGL6f4LrbCaKr1mdtsRnuHmaFXiXdaKbZFDEhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age17jlsydpgl35qx5ahc3exu44jt8dfa63chymt6xqp9xx0r6dh347qpg55cz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJb0MzQVZvY0ZCNlAwT2Qw + RnJOUXJISFg1Smt4VWdoYy9PT2hQNG1MNm5ZCmVhUFI5UGpQUkR4MTA4VktuVyt1 + TXlVZ3haNjd4OHNYNE4rVzd2MkNGTkEKLS0tICtkZDRvODBZaGRCTmdlUkRESjMv + bElZc21OSXJsZnZaSHF5ZTBDSlNXaHcKixDNfM98AqYagtidcYE3lgkFM9XTIrVg + gbYoSOk5rL9Hi2rvP+BCEgsrRSuExGKVvdqODYltD+nNfTI1zcnTFg== + -----END AGE ENCRYPTED FILE----- + - recipient: age15hx530yrqmhm80vsjmffyg9deq9gssj7hl5rsqdnsn3dwegj9qusv4sjf5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZncwdllnQjYyc284RXVm + VVVJTHI1Z25FWXBhY3o1SmgyVW01alRlcVVVCklDNDYvMktDU1U4L0RTMVgvaU0v + d0NlK3pqYzZ4NFRUd3V1WHZTTkVpK00KLS0tIHVQSmRDekcrK093QUJQVHNZcUg3 + WGVJQm5MdGhMbzd5RkNPU1VuNTZVeFkKQq/WyqLOOde86NNYnVq0Lw31YB2OcLY/ + h/HtFN4GynmBOYcTuqIvBJ/TksXs30kWFKW2XSY0jP0JSY7Yo0BxhA== + -----END AGE ENCRYPTED FILE----- + - recipient: age13w4elx3x6afrte2d82lak59mwr2k25wfz3hx79tny6sfdk66lqjq989dzl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZU0zK3V6M2IyMkFOdm5U + UG1oVi9IMzM0SllUQUMwMlh4NkF2V2pCcWtvCk1kR0QxVWRPM1pyWmdVOE1UdWxs + NldjZXBOZU1uK1JELzF1blhTQy83Zm8KLS0tIFFVRjVScVVGa09sbEdBdjNXNTZR 
+ d0YvYk8vNitDbzNCQ1VqS20xUWx6ZDgK+kIRATTtC0Vd7/uPf8E4pIans79Ksh6J + Y77+owFFw1AvQ3KvaI7QVfKW61MzxI+S1bWqI3ZNOJ19Qv4ZoVhnVg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-02T18:11:48Z" + mac: ENC[AES256_GCM,data:qKoRMXroUtMaH1yrgNQxUPX8FpUmLmNU29zyzfnKkmiLoPsWNsogHxNVkqosyvbW0y0w6XnQh4OrSd4FF3fi8ZuJfk54jDWO7jlXFRk+07OobPgngYvNXLw76BNkXnAtxcduV2cTuSY6XwnwE0LtxFDmkM8N/AxIC8jhKkGQtwY=,iv:n3yBotpOggFvSUnboAG1L7pJMMi1PfV8KsSHN3/Li8c=,tag:4D5TqqroQBZNKUYol/ZCHg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2