From b1369d9233626c6891b86bb4505dd2f8aa85f4cf Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <me@fi33.buzz>
Date: Tue, 24 Feb 2026 22:48:30 +1100
Subject: [PATCH] feat(git): add signing key to secrets store and sign all
 commits by default

---
 modules/home-manager/features/git.nix |  27 ++++++++++++++++++--------
 secrets/git_signing_key.age           | Bin 0 -> 831 bytes
 secrets/git_signing_key.pub.age       |  10 ++++++++++
 secrets/secrets.nix                   |   2 ++
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 secrets/git_signing_key.age
 create mode 100644 secrets/git_signing_key.pub.age

diff --git a/modules/home-manager/features/git.nix b/modules/home-manager/features/git.nix
index 8bffb72..7be9e6c 100644
--- a/modules/home-manager/features/git.nix
+++ b/modules/home-manager/features/git.nix
@@ -1,15 +1,12 @@
+{
+  userName,
+  ...
+}:
 {
   programs.git = {
     enable = true;
     settings = {
-      init.defaultBranch = "main";
-      core.editor = "nvim";
-      push.autoSetupRemote = true;
-      pull.rebase = true;
-      user = {
-        name = "wi11-holdsworth";
-        email = "83637728+wi11-holdsworth@users.noreply.github.com";
-      };
+      # keep-sorted start block=yes
       aliases = {
         # keep-sorted start
         a = "add";
@@ -30,6 +27,20 @@
         s = "status -s";
         # keep-sorted end
       };
+      core.editor = "nvim";
+      init.defaultBranch = "main";
+      pull.rebase = true;
+      push.autoSetupRemote = true;
+      user = {
+        name = "Will Holdsworth";
+        email = "me@fi33.buzz";
+      };
+      # keep-sorted end
+    };
+    signing = {
+      key = "/home/${userName}/.ssh/git_signature.pub";
+      format = "ssh";
+      signByDefault = true;
     };
   };
 }
diff --git a/secrets/git_signing_key.age b/secrets/git_signing_key.age
new file mode 100644
index 0000000000000000000000000000000000000000..d3a4680ae7605e2344c388ab6db32944a419f9fc
GIT binary patch
literal 831
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH^a;^+2~<dQ^$GN=
zG)heLs7eox@G=f5$uBbr&M!4h3Quy?*ER|)s&w~F40CqO4&{mr$}dY!Pp{Coa1RVJ
zF7nF@cS|-7^{evG&q+=;HVr9G56pG5G|4G6%SX4(T)QHuGEgDY#4^XV*dWl{)j&JT
zFsLZREIF~bEX+Km%D>ReH8?-0IK3*syR<OZD3Z(HFe<{rBD5^T(!bItr!dDN$s^Iy
zq%u!CD%8{>!&E;iq|hL(DACBk(-++~pAv7&%0PugGpC?ZXESFX3vY8*L$64SlFG{L
zki<~S%m^Q!$Q14H6qizq{QN|ph<q-$3RjCNi`-1@G`~C}Lx0mK|FYDaY!@FNeT&4T
z;?StvKqrIJoT{SCP){yhU0nqeZ^tC_RHy8qOp^dVm$a%7-@K5(675Xy{H)+aCyy{c
z=K}u}(*W0;GGDGA)BhhTcm24>=1s12;oa-A?|EKlo2RKGRwmr1dg)eg+@;vR-{kzd
zzn$Ll_waGfWt&)kJG?gc?i9Pjc;t@l<$d;Z^{2=tDu%e3ESs-CYr3Jou8w*``mgOP
zLIrbzZhhG{V|EN<eo(3(i$bU1`U-BX4fazb1H{c*&T+e{KdQH{yB`)CwK!y=snBV4
z=7d}mhp&Z`B-<h^=AJm?C9vbGajp6en^>K6=KTxqsrg$oEI-JuuzS|Y|LfnD&o{dE
zmP_xOSrWsN1OH~`EO$Ekky~ey<kLfSD*Ny63$?DF_-t1avvS?s>1RWZHuaV!u+6%~
zby5AgM6&84|H6IgYkIg|#w(=0JzR4me!gyD=Z9*E`(NzTCjKa1(()u~>&EJy4K=6d
zI+-rGtH7qb`y8`HAZLHE^Y5u~azWivlIa&+R)^lIwu-j2o3&ppA}sV|cXvYhMb4$R
ze^&%-x7w)9vGw$X$=^6#`hOp+eslT!tgzqejUFQ2mJG9WrwYH)(plsY`(VnpWG{iQ
z9Fx1t^F(4V<sLj3)+mx|Vyk5SFW~Wm8Enb>4sdlmkG5=G$>lC-#4=sq?C<>h0D+cD
Ab^rhX

literal 0
HcmV?d00001

diff --git a/secrets/git_signing_key.pub.age b/secrets/git_signing_key.pub.age
new file mode 100644
index 0000000..f0b53bc
--- /dev/null
+++ b/secrets/git_signing_key.pub.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ NMzN1Cll+cH5GgEQvCRpb8c1m7CDHWBtUZ5QNMluKkg
+H77YBVoCAZerRyoG90h9W6PKZbpjNBl2mfsW3Eco27w
+-> ssh-ed25519 7+xRyQ 67NFmrcLe9R5ni0HnvIiHcN0tlRVXpAiaVOQfIpqWzI
+H7jbIgVXVl+lENksb4KUfASeIKPBI/FtHhhlQzhXwik
+-> ssh-ed25519 LtK9yQ jvrWRlZF/H20QARL4lWWX0cDDoIK0Et5ZMxdsPJPXn0
+g+ZaDYycq65tBEBFuDpSl1BKuCTmxCJuYqG8kSCtL9U
+--- jZ2xp/oW3CgXPc8jriK53zTODB9lhDNZr8YfSYLAmio
+�A�Kw�;��2R
+֨����b��S�'��7/���/��kX�HӖ�����W†��<�P
p�Hc�T���G���	'�F待&�!��(��=�6���H�_ y����Tlj��Ub��1
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9b08c62..1004c24 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,6 +21,8 @@ in
   "copyparty.age".publicKeys = users;
   "firefly-db.age".publicKeys = users;
   "firefly.age".publicKeys = users;
+  "git_signing_key.age".publicKeys = users;
+  "git_signing_key.pub.age".publicKeys = users;
   "immich.age".publicKeys = users;
   "jellyfin.age".publicKeys = users;
   "karakeep.age".publicKeys = users;