sf

2026-03-16 16:41:46 -05:00
parent 742e1703d8
commit 7538f734f1
19 changed files with 259 additions and 851 deletions
--- a/homes/x86_64-linux/admin@jallen-nas/default.nix
+++ b/homes/x86_64-linux/admin@jallen-nas/default.nix
@@ -1,4 +1,9 @@
-{ pkgs, namespace, ... }:
+{
+  pkgs,
+  config,
+  namespace,
+  ...
+}:
 {
  home = {
    username = "admin";
@@ -25,6 +30,10 @@
    defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
    validateSopsFiles = false;
    secrets = {
+      # NOTE: add the following key to secrets/secrets.yaml via `sops secrets/secrets.yaml`
+      # before deploying:  hass-mcp/token: <your HA long-lived access token>
+      "hass-mcp/token" = { };
+
      "ssh-keys-public/jallen-nas" = {
        path = "/home/admin/.ssh/id_ed25519.pub";
        mode = "0644";
@@ -53,6 +62,15 @@
        mode = "0600";
      };
    };
+
+    templates."hass-mcp.env" = {
+      path = "/home/admin/.config/sops/hass-mcp.env";
+      mode = "0600";
+      content = ''
+        HA_URL=http://nuc-nixos.local:8123
+        HA_TOKEN=${config.sops.placeholder."hass-mcp/token"}
+      '';
+    };
  };

  programs = {
@@ -155,12 +173,13 @@
          ];
        };
        hass-mcp = {
-          command = "uvx";
-          args = [ "hass-mcp" ];
-          env = {
-            HA_URL = "http://nuc-nixos.local:8123";
-            HA_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI1ZDM2MTliNWNjMGY0ZGI2OWQzOTQ4Mjk0ZDFmNjAxMCIsImlhdCI6MTc3MDc2MjA1NywiZXhwIjoyMDg2MTIyMDU3fQ.P52jeX8GQcdGdzpbU3NCWZMUjkJZHFnOeR8--jy9dF8";
-          };
+          # Token is read at runtime from a sops-rendered env file.
+          # The wrapper script sources ~/.config/sops/hass-mcp.env before launching uvx.
+          command = "bash";
+          args = [
+            "-c"
+            "set -a; source ${"\${HOME}"}/.config/sops/hass-mcp.env; set +a; exec uvx hass-mcp"
+          ];
        };
        mcp-server-code-runner = {
          command = "npm";