From 4ff7b8e18fec24c8a2205dcc4ab4d550edd005b1 Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Mon, 7 Jul 2025 17:26:57 +0800
Subject: [PATCH] feat(nixos): add user password secrets to sops

This commit adds the user password secrets to sops. It leverages the `userListToAttrs` lib function.
---
 flake.nix                |  2 +-
 nix/flake-parts/meta.nix | 17 +++++++++++------
 nix/modules/secrets.nix  |  9 +++------
 nix/modules/users.nix    | 11 +++++++++--
 secrets/users.yaml       | 18 ++++++++++++++++++
 5 files changed, 42 insertions(+), 15 deletions(-)
 create mode 100644 secrets/users.yaml

diff --git a/flake.nix b/flake.nix
index eafeae6..b719d88 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,7 +61,7 @@
       (inputs.import-tree ./nix)
       // {
         systems = import inputs.systems;
-        flake.root = ./.;
+        flake.paths.root = ./.;
       }
     );
 }
diff --git a/nix/flake-parts/meta.nix b/nix/flake-parts/meta.nix
index 4398cfb..ee694c3 100644
--- a/nix/flake-parts/meta.nix
+++ b/nix/flake-parts/meta.nix
@@ -18,17 +18,22 @@ in
         type = lazyAttrsOf raw;
         default = { };
       };
-      root = mkOption {
-        type = path;
-        default = "";
+      paths = {
+        root = mkOption { type = path; };
+        secrets = mkOption {
+          type = path;
+          readOnly = true;
+        };
       };
       admin = mkOption {
         type = lazyAttrsOf raw;
         default = { };
       };
     };
-
-  config.flake.admin = cfg.manifest.users.${username} // {
-    inherit username;
+  config.flake = {
+    paths.secrets = cfg.paths.root + "/secrets";
+    admin = cfg.manifest.users.${username} // {
+      inherit username;
+    };
   };
 }
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index 5d76562..350fca9 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
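Review bot: The new `paths.root` and `paths.secrets` options in the meta.nix hunk have no `description`, so nothing tells a reader what `paths.secrets` points at or why it is `readOnly`; add `description = "Directory of sops-encrypted secret files, derived from paths.root; not settable by other modules.";` to `secrets` and a matching one to `root`. `root` also lost its default, so an evaluation that never sets `flake.paths.root` now fails — presumably intended, but worth saying in that description. Because `paths.secrets` is derived from the flake root `path`, the `secrets/` directory ends up in the Nix store like the rest of the flake source and is readable by every local user there, so it must only ever hold sops-encrypted files; a one-line comment on the `paths.secrets =` line should record that constraint.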
@@ -16,12 +16,9 @@ in
   { config, ... }:
   {
     imports = [ inputs.sops-nix.nixosModules.sops ];
-    config.sops = {
-      defaultSopsFile = "${cfg.root}/secrets/secrets.yaml";
-      age.sshKeyPaths = [
-        "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
-      ];
-    };
+    config.sops.age.sshKeyPaths = [
+      "/persist${config.users.defaultUserHome}/${username}/.ssh/id_ed25519"
+    ];
   };
   perSystem =
     { pkgs, ... }:
diff --git a/nix/modules/users.nix b/nix/modules/users.nix
index c6e74e6..2c1a5c9 100644
--- a/nix/modules/users.nix
+++ b/nix/modules/users.nix
@@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
   cfg = config.flake;
-  inherit (cfg.lib.modules) forAllUsers';
+  inherit (cfg.lib.modules) userListToAttrs forAllUsers';
   inherit (lib.lists) optional;
 in
 {
@@ -19,13 +19,20 @@ in
     mutableUsers = false;
     groups.users.gid = 100;
     users = forAllUsers' (
-      _: value: {
+      name: value: {
         isNormalUser = true;
+        hashedPasswordFile = config.sops.secrets."${name}/hashedPassword".path;
         extraGroups = optional (value.primary or false) "wheel";
         openssh.authorizedKeys.keys = [ value.pubkey ];
       }
     );
   };
+  sops.secrets = userListToAttrs (name: {
+    "${name}/hashedPassword" = {
+      neededForUsers = true;
+      sopsFile = cfg.paths.secrets + "/users.yaml";
+    };
+  });
   home-manager.users = forAllUsers' (
     name: _: {
       home.username = name;
diff --git a/secrets/users.yaml b/secrets/users.yaml
new file mode 100644
index 0000000..76fe7e0
--- /dev/null
+++ b/secrets/users.yaml
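Review bot: With `defaultSopsFile` removed, every `sops.secrets.<name>` must now set `sopsFile` itself or evaluation fails; this commit does so for the user secrets, but nothing in secrets.nix records the decision, so a comment such as `# No defaultSopsFile: each secret names its own file under flake.paths.secrets.` above `config.sops.age.sshKeyPaths` would make it intentional. The only decryption key is the SSH private key of `${username}` (the account meta.nix exposes as `flake.admin`) under `/persist`, so compromise of that one user key also yields every host secret, including the other users' password hashes this commit adds — worth a comment, or a separate host-only age key. If `/persist` is an impermanence-style mount it presumably has to be `neededForBoot` so the key exists when the `neededForUsers` secrets are decrypted during early activation; confirm against the host's fileSystems. The enclosing module attribute starts before this hunk.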
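Review bot: `sops.secrets = userListToAttrs (...)` makes a `<name>/hashedPassword` entry in `secrets/users.yaml` mandatory for every manifest user, and a missing entry presumably only surfaces when sops-nix decrypts at activation rather than at evaluation, so a comment above that line would save the next person a failed switch: `# Every manifest user needs <name>.hashedPassword in secrets/users.yaml; the "/" in the secret name is sops-nix's nested-key path, and neededForUsers makes it available before users are created.` The `hashedPasswordFile` line in the `users` block should note the expected content is a crypt(3) hash (e.g. from `mkpasswd`), since with `mutableUsers = false` a malformed value could leave the account without a usable password and no fallback. The `users` block's closing and the `home-manager.users` definition run past the end of this hunk.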
@@ -0,0 +1,18 @@
+rafiq:
+    password: ENC[AES256_GCM,data:8KAfatz+YSaNozd5VGo=,iv:LNRxt47iBKSWzMZuBHSxv/qDZ2h6JiTIPps7OK/o7uU=,tag:oiSfLyRVswb/wxSTE69QMA==,type:str]
+    hashedPassword: ENC[AES256_GCM,data:NogYQ3kR1TseC79HIXARrXhIncCnvxzf9zMF2QrUyTmojTffPXRGtMdjNpfMEFj5dkKfZujBL/QTIpPFFTm1py7Dreg5/9VSKQ==,iv:IwfZsrsJbLYG1ELte6aBHUtff6hIQu9rHT5tSvILIGQ=,tag:oav3paDcUY+cl4FJlZa90A==,type:str]
+sops:
+    age:
+        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVd09tYkhKUkVjNTBRdld6
+            a1RkUnZqdnRqMlFTSGgwUFVCZlRhL0tLTnpVCjNXVjZldzNUOE9DQ0ZGejhWakY2
+            TmRIZnpobE0ydDhNSDdJQUp2U3pSTzgKLS0tIDkxU3Fxa2lMUkhZY0g1Wm02T2ZE
+            UkQwOWZtVXVPSGJiRk1qRHVHYkN2cDgKLiYiA0q5se/oHfGRqvHLn3gRRDfmefEZ
+            z2U2N1Tjt0QgCfYOOXVfPV9F36a7PpabFva5ElSazawHgvI+Bot6og==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-07T08:56:26Z"
+    mac: ENC[AES256_GCM,data:2uGjIMxRgk7uWToQC4MrHpHFAt4bI7sEhaHvPU6Ae3bvRVH/TdJxZtikSPe95LEwReOuBmPajbcM580/d3Jt6VbA7nZzj1JduVscrRkSAFCzZp9Ti/mbOGITPJa6xWSGwVF1wSN3BnHXYIHDcKeSGtUdP7L7nBZr1KXPkok4NCo=,iv:+ELIes7lzb8M6CvOemAcyoq7Rx7L6NkNmHwntJN/RSc=,tag:ubyxO6VllH9cQK3VbvxiGg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
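Review bot: The file keeps a cleartext `password` entry beside `hashedPassword`, yet the NixOS side in this commit only ever reads `hashedPassword`; retaining the cleartext value means whoever can decrypt this file (the holder of the single age key, or anyone reading a decrypted copy) recovers the actual password rather than just a hash, which matters if it is reused anywhere, so drop the `password` key and regenerate the hash with `mkpasswd` if it is ever needed again. The file has exactly one age recipient, so losing the SSH key behind `age12l33...` makes the file unrecoverable; adding a second recipient (an offline admin key) through `.sops.yaml` and `sops updatekeys` is cheap insurance. Since the ciphertext cannot be inspected here, also confirm that `hashedPassword` holds a crypt(3) hash (e.g. `$y$` or `$6$` prefixed) and not the plain password, because `users.nix` passes it straight to `hashedPasswordFile`.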