feat[work]: prepare for sk keys

modules/nixos/common/home-manager-secrets.nix

@@ -4,6 +4,7 @@ let
   inherit (config.repo.secrets.common.emacs) radicaleUser;
 
   certsSopsFile = self + /secrets/repo/certs.yaml;
+  workSopsFile = self + /secrets/work/secrets.yaml;
 in
 {
   config = { } // lib.optionalAttrs withHomeManager {
@@ -29,6 +30,8 @@ in
           github-forge-token = { owner = mainUser; };
         }) // (lib.optionalAttrs (modules ? optional-work) {
           harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
+          yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
+          ucKey = { sopsFile = workSopsFile; owner = mainUser; };
         }) // (lib.optionalAttrs (modules ? optional-noctalia) {
           radicale-token = { owner = mainUser; };
         }) // (lib.optionalAttrs modules.anki {

modules/nixos/common/pii.nix

@@ -1,5 +1,5 @@
 # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
-{ config, inputs, lib, nodes, globals, ... }:
+{ config, inputs, lib, homeLib, nodes, globals, ... }:
 let
   # If the given expression is a bare set, it will be wrapped in a function,
   # so that the imported file can always be applied to the inputs, similar to
@@ -53,7 +53,7 @@ in
 
       secrets = lib.mkOption {
         readOnly = true;
-        default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
+        default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
         type = lib.types.unspecified;
         description = "Exposes the loaded repo secrets. This option is read-only.";
       };