{ config, lib, ... }:
let
  # Identity data (real name, per-scope e-mail addresses, config path)
  # shared across the repo's modules.
  account = config.repo.account;
in
{
  # Home Manager module: git identity, ssh commit signing and gh.
  # `osConfig` is the enclosing NixOS configuration (presumably this
  # host's), which is where the per-machine SSH keys come from.
  flake.modules.homeManager.git =
    { config, osConfig, ... }:
    let
      machine = osConfig.meta.machine;

      # Trust anchor for ssh-signature verification: git only reports a
      # signature as good when the signer's key is listed in this file.
      # It is generated below from this host's `machine.sshKeys` alone,
      # so keys from other hosts are not trusted unless added there.
      allowedSignersFile = "${config.xdg.configHome}/git/allowed_signers";

      # Build the identity and signing settings for one scope
      # ("personal" / "work"). A scope with no entry in `machine.sshKeys`
      # gets identity only; no signing key and no allowed-signers file.
      mkScope =
        scope:
        let
          email = account.emails.${scope}.address;
          key = machine.sshKeys.${scope} or null;
          hasSigningKey = key != null;

          signingConfig = lib.optionalAttrs hasSigningKey {
            # Path to the public key; git resolves the private half via
            # ssh-agent (or the path without ".pub") when signing.
            user.signingKey = "${key.privateKeyPath}.pub";
            gpg.ssh.allowedSignersFile = allowedSignersFile;
          };
        in
        {
          # One allowed_signers line: "<principal> <public key>".
          allowedSigners = lib.optional hasSigningKey "${email} ${key.publicKey}";

          # Git config fragment used as an `includeIf` payload.
          git = lib.recursiveUpdate {
            user = {
              name = account.realName;
              inherit email;
            };
          } signingConfig;
        };

      personal = mkScope "personal";
      work = mkScope "work";

      # Directory-scoped identities, in precedence order (later entries
      # win for repositories matching more than one pattern).
      scopedIncludes = [
        {
          dir = account.nixosConfigurationPath;
          scope = personal;
        }
        {
          dir = config.xdg.userDirs.projects;
          scope = personal;
        }
        {
          dir = "${config.home.homeDirectory}/work";
          scope = work;
        }
      ];
    in
    {
      # Every line newline-terminated, so the file also ends with one.
      xdg.configFile."git/allowed_signers".text = lib.concatMapStrings (line: line + "\n") (
        personal.allowedSigners ++ work.allowedSigners
      );

      programs.git = {
        enable = true;
        signing.format = "ssh";
        ignores = [
          ".claude/"
          ".codex"
        ];
        settings = {
          init.defaultBranch = "main";
          # Fallback identity for repositories matched by no include below.
          user = {
            name = account.realName;
            email = account.emails.personal.address;
          };
        };
        # The trailing "/" makes the gitdir pattern cover the directory
        # and everything beneath it.
        includes = map (
          { dir, scope }:
          {
            condition = "gitdir:${dir}/";
            contents = scope.git;
          }
        ) scopedIncludes;
      };

      programs.gh = {
        enable = true;
        settings.git_protocol = "ssh";
      };
    };
}