diff --git a/.sops.yaml b/.sops.yaml index aaf3e03..e10bd39 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,7 @@ keys: - &muho age1v4s4hg7u3vjjkarvrk7v6ev7w3wja2r5xm7f4t06culw3fuq7qns8sfju7 - &mups age1n7qz2w3hkf7fcdv92kxw9k6uef487na2tlc87486rcjwj8lyfuws5q46gn - &murk age1mgjhkqy9x27gv2t2xvq46dxcajkr9c8zes7rr3dj0ac7md2j6vas43dftp + - &musk age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc creation_rules: - path_regex: modules/nixos/sops/secrets.ya?ml$ @@ -12,6 +13,7 @@ creation_rules: - *muho - *mups - *murk + - *musk - path_regex: modules/home/sops/secrets.ya?ml$ key_groups: @@ -20,3 +22,4 @@ creation_rules: - *muho - *mups - *murk + - *musk diff --git a/modules/home/sops/default.nix b/modules/home/sops/default.nix index 01b2b21..791fab8 100644 --- a/modules/home/sops/default.nix +++ b/modules/home/sops/default.nix @@ -17,5 +17,7 @@ in secrets.atuin-auth = {}; secrets.hr-password = {}; secrets.sops-key = {}; + secrets.google-db-test = {}; + secrets.google-db-prod = {}; }; } diff --git a/modules/home/sops/secrets.yaml b/modules/home/sops/secrets.yaml index 81d63e7..5ee893b 100644 --- a/modules/home/sops/secrets.yaml +++ b/modules/home/sops/secrets.yaml @@ -2,6 +2,8 @@ zipline-auth: ENC[AES256_GCM,data:RkJI6GuH7RzdcSlKn32gMGojjB6rkdDcnNUvsi/BTfJk2s atuin-auth: ENC[AES256_GCM,data:LDkiXWIwxor8Ro383gonJCyqu+nyxS7DrI2J8uo4Cqu2X61rBUlnpNR6YirUZS/lYAnWYJhZM7sR0G7ZNh9EgQ==,iv:UEs2KW8ImMnaQrSLrIGbVXEq86QiVPAPNIXBZpa3jFI=,tag:N0rhnPbasFzkoI3CJ9CV+Q==,type:str] hr-password: ENC[AES256_GCM,data:QZuzAnTJ2KgPnffHvdCWrJEM5d/FXxhX3dA1,iv:FgDw6aXDY0jCpJiYc9WOobR96TXNtnvN7neJu8drxMM=,tag:YT82wryVy3V+41w0YbMOrA==,type:str] sops-key: ENC[AES256_GCM,data:msX0EJqJauteOBICUsLcVgqNxqGcqvD+Xi/B2EhUX2OAoyBH5oDae8XWlQCi2RdOm4NtnrSTnG8FRQXfkXO+tne0VEfYTCjeVtU=,iv:qxpvofr56Ey17xcPpju/mQgiz+0cOYED5caAHs3myXw=,tag:oDFXh0rlc0tmV2IUJ1ezBQ==,type:str] +google-db-test: ENC[AES256_GCM,data:ZMm/BF/k+XnZZkHMDSV/fk3ds0LAOHAmag==,iv:tmfJ7ju5yAO6Oco3jXYNyqzJr7cgshyd/SkjfYnEl6U=,tag:jMD2N6TsgbRwefhJ/XYhtg==,type:str] +google-db-prod: ENC[AES256_GCM,data:fIPL9XKk9sAmpVsQBubSVbh3DlEEKadG9g==,iv:R34zkCIUDlk5/wg8eU8RZIanGayL+nX+7ZhyVmbcQC0=,tag:lu24b28742O46fjUaw2UBA==,type:str] sops: age: - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc @@ -40,7 +42,7 @@ sops: a0V1N2VjUDE4Z3R5MGxMQVNmOVp0bVUK9cppJW33tKFOSvbIn/2Dga8k7/McaTpK m7M+83guMzNoOlpJ/WYU1BaePcM974AgjVR0WD/v+xGBvGKubKHqtw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-04T07:58:56Z" - mac: ENC[AES256_GCM,data:aJw3KK4GMj5/Q06v1C5rdSerdO21cNxpTIJYoxmfhBKudzD7lSL6l+d47kWoB0U4J5jtbs9obWz2MH3CvyPBapjJaSFnYEXk1JuGihf8GK3QrqLAt+dmF2ZD1FBLpQELripueneyHkzT32180hpXGnppNlgOuATlIMSPosvlpVI=,iv:SpGAyTqqbpuxcLkMq7VnLQUoR6oW0ERgnyPaqVHpaN8=,tag:OSNGT8/5E+PRhoR8dIyaSA==,type:str] + lastmodified: "2026-01-21T14:37:21Z" + mac: ENC[AES256_GCM,data:bxr3U1Ig0qjuOcxHeOlOrXO0xtZs0vKTuXn8GE1dJGCFDjVgakbIwiW6+2WNYUbIpipCAwdecgb0jBngwt3zKGS4PMzapUXxl7RoCr5DWCh6kSD4CCUH4v8guuy0k8SMQXDO3CdbUd/5/asIPfxlvEESCQL54X2OJlt5xpE7PsU=,iv:m/lrHHFYXFKCVEOK462II8bcFvw7k4rKEuMOHHmzT/8=,tag:jgEQso2bAShLJERsOHhrKw==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 diff --git a/modules/home/terminal/hr/default.nix b/modules/home/terminal/hr/default.nix index eef1a98..887f9b7 100644 --- a/modules/home/terminal/hr/default.nix +++ b/modules/home/terminal/hr/default.nix @@ -6,11 +6,53 @@ }: let cfg = config.mods.terminal; - hr = pkgs.writeShellScriptBin "hr" (builtins.readFile ./hr.sh); + test-port = "5436"; + prod-port = "5437"; in { options.mods.terminal.hr.enable = lib.mkEnableOption "Hefring (Work Tooling)"; config = lib.mkIf cfg.hr.enable { - home.packages = [hr]; + programs.starship.settings.custom.project_id = { + command = "if echo \"$PROJECT_ID\" | grep -q \"prod\"; then printf \"\\033[1;33m \\033[1;34m$PROJECT_ID\\033[0m\"; else printf \"\\033[1;34m$PROJECT_ID\\033[0m\"; fi"; + when = "test -n \"$PROJECT_ID\""; + format = "on $output "; + }; + + programs.zsh.initExtra = + '' + export MK2_TEST_SQL_INSTANCE_USER=gijs + export MK2_TEST_SQL_INSTANCE_PASSWORD="$(cat ${config.sops.secrets.google-db-test.path})" + export MK2_TEST_SQL_INSTANCE_PORT=${test-port} + export MK2_TEST_SQL_INSTANCE_HOST=localhost + export MK2_PROD_SQL_INSTANCE_USER=gijs + export MK2_PROD_SQL_INSTANCE_PASSWORD="$(cat ${config.sops.secrets.google-db-prod.path})" + export MK2_PROD_SQL_INSTANCE_HOST=localhost + export MK2_PROD_SQL_INSTANCE_PORT=${prod-port} + '' + + builtins.readFile ./hr.sh; + + systemd.user.services = let + proxy-service = name: port: { + "google-db-proxy-${name}" = { + Unit = { + Description = "Google Cloud SQL Proxy (${name})"; + After = ["network.target"]; + }; + Service = { + Type = "simple"; + Environment = [ + "GOOGLE_APPLICATION_CREDENTIALS=${config.home.homeDirectory}/.config/gcloud/application_default_credentials.json" + ]; + ExecStart = "${pkgs.google-cloud-sql-proxy}/bin/cloud-sql-proxy mk2-${name}:europe-west1:mk2-${name}-sql-instance -p ${port}"; + Restart = "always"; + }; + Install = { + WantedBy = ["default.target"]; + }; + }; + }; + in +proxy-service "test" test-port + // proxy-service "prod" prod-port; }; } diff --git a/modules/home/terminal/hr/hr.sh b/modules/home/terminal/hr/hr.sh index cefeded..7cdffca 100644 --- a/modules/home/terminal/hr/hr.sh +++ b/modules/home/terminal/hr/hr.sh @@ -1,8 +1,19 @@ -#!/usr/bin/env bash +# Set default PROJECT_ID if not already set +if [[ -z "$PROJECT_ID" ]]; then + export PROJECT_ID="mk2-test" +fi -set -e +_hr_usage() { + echo "Usage: hr " + echo "Commands:" + echo " switch Switch PROJECT_ID between mk2-test and mk2-prod" + echo " call Call a Cloud Run service route" + echo " cf Call a Cloud Function" + echo " init py Initialize a python devenv environment (git-ignored)" + echo " freeze Freeze dependencies to requirements.txt" +} -if [ "$1" = "py" ] && [ "$2" = "init" ]; then +_hr_init_py() { echo "Initializing python devenv..." # 1. Init devenv @@ -15,7 +26,7 @@ if [ "$1" = "py" ] && [ "$2" = "init" ]; then echo "Direnv allowed" else echo "Error: devenv not found in path." - exit 1 + return 1 fi if [ -f .gitignore.bak ]; then @@ -91,11 +102,209 @@ EOF echo "Direnv allowed" else echo "Error: direnv not found in path." - exit 1 + return 1 + fi +} + +_hr_freeze() { + local extra_index_url="https://europe-west1-python.pkg.dev/mk2-prod/python-packages/simple/" + + # Install the auth plugin and keyring CLI + uv pip install keyrings.google-artifactregistry-auth==1.1.2 keyring + + # Install project dependencies using the subprocess keyring provider + uv pip install --no-cache -e ".[test]" --extra-index-url "${extra_index_url}" --keyring-provider subprocess + + # Generate requirements.txt + echo "--extra-index-url ${extra_index_url}" >requirements.txt + uv pip freeze --exclude-editable >>requirements.txt +} + +_hr_add_json_field() { + local json="$1" + local key="$2" + local value="$3" + local jq_opt="--arg" + + # Check if explicit boolean + if [[ "$value" == "true" || "$value" == "false" ]]; then + jq_opt="--argjson" + # Check if number (integer or float, no leading zeros unless just 0) + elif [[ "$value" =~ ^-?(0|[1-9][0-9]*)(\.[0-9]+)?$ ]]; then + jq_opt="--argjson" + # Check if object or array + elif [[ "$value" == "["* || "$value" == "{"* ]]; then + if echo "$value" | jq empty >/dev/null 2>&1; then + jq_opt="--argjson" + else + # Warn to stderr, but proceed as string + echo "Warning: Value for '$key' looks like JSON but is invalid. Treating as string." >&2 + fi fi -else - echo "Usage: hr py init" - echo " py init Initialize a python devenv environment (git-ignored)" - exit 1 -fi + # Apply the value at the path defined by the key (dot-notation supported) + # paths like items.0.id are converted to ["items", 0, "id"] + echo "$json" | jq --arg k "$key" $jq_opt v "$value" \ + 'setpath($k | split(".") | map(if test("^[0-9]+$") then tonumber else . end); $v)' +} + +_hr_call() { + local route_arg="$1" + shift + + if [[ -z "$route_arg" ]]; then + echo "Usage: hr call [/path] " + return 1 + fi + + local service_name + local url_path + + if [[ "$route_arg" == */* ]]; then + service_name="${route_arg%%/*}" + url_path="/${route_arg#*/}" + else + service_name="$route_arg" + url_path="" + fi + + local project_number + if [[ "$PROJECT_ID" == "mk2-prod" ]]; then + project_number="1013087376822" + else + project_number="322048751601" + fi + + if ! command -v jq >/dev/null; then + echo "Error: jq is required but not installed." + return 1 + fi + + local json_payload="{}" + + while [[ $# -gt 0 ]]; do + if [[ "$1" == -* ]]; then + local key="${1#-}" + if [[ -z "$2" || "$2" == -* ]]; then + echo "Error: Missing value for option $key" + return 1 + fi + local value="$2" + + json_payload=$(_hr_add_json_field "$json_payload" "$key" "$value") + shift 2 + else + echo "Error: Unexpected argument '$1'" + return 1 + fi + done + + local url="https://${service_name}-${project_number}.europe-west1.run.app${url_path}" + + echo "Calling $url..." + echo "$json_payload" + + curl "$url" \ + -H "Authorization: bearer $(gcloud auth print-identity-token)" \ + -H "Content-Type: application/json" \ + -d "$json_payload" +} + +_hr_cf() { + local function_name="$1" + shift + + if [[ -z "$function_name" ]]; then + echo "Usage: hr cf " + return 1 + fi + + if ! command -v jq >/dev/null; then + echo "Error: jq is required but not installed." + return 1 + fi + + local json_payload="{}" + + while [[ $# -gt 0 ]]; do + if [[ "$1" == -* ]]; then + local key="${1#-}" + if [[ -z "$2" || "$2" == -* ]]; then + echo "Error: Missing value for option $key" + return 1 + fi + local value="$2" + + json_payload=$(_hr_add_json_field "$json_payload" "$key" "$value") + shift 2 + else + echo "Error: Unexpected argument '$1'" + return 1 + fi + done + + local url="https://europe-west1-${PROJECT_ID}.cloudfunctions.net/${function_name}" + + echo "Calling $url..." + echo "$json_payload" + + curl "$url" \ + -H "Authorization: bearer $(gcloud auth print-identity-token)" \ + -H "Content-Type: application/json" \ + -d "$json_payload" +} + +hr() { + if [[ $# -eq 0 ]]; then + _hr_usage + return 1 + fi + + local command="$1" + shift + + if [[ "$command" == "switch" ]]; then + if [[ -z "$1" ]]; then + # Toggle between test and prod + if [[ "$PROJECT_ID" == "mk2-test" ]]; then + export PROJECT_ID="mk2-prod" + echo "Switched PROJECT_ID to mk2-prod" + else + export PROJECT_ID="mk2-test" + echo "Switched PROJECT_ID to mk2-test" + fi + elif [[ "$1" == "test" ]]; then + export PROJECT_ID="mk2-test" + echo "Set PROJECT_ID to mk2-test" + elif [[ "$1" == "prod" ]]; then + export PROJECT_ID="mk2-prod" + echo "Set PROJECT_ID to mk2-prod" + else + echo "Usage: hr switch [test|prod]" + return 1 + fi + return 0 + fi + + # Run original logic in a subshell to preserve set -e behavior without affecting current shell + ( + set -e + # Restore arguments for processing + set -- "$command" "$@" + + if [ "$1" = "init" ] && [ "$2" = "py" ]; then + _hr_init_py + elif [ "$1" = "freeze" ]; then + _hr_freeze + elif [ "$1" = "call" ]; then + shift + _hr_call "$@" + elif [ "$1" = "cf" ]; then + shift + _hr_cf "$@" + else + _hr_usage + exit 1 + fi + ) +}