feat(modules/secrets): init sops-nix

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &admin age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *admin

flake.lock

@@ -151,7 +151,8 @@
         "impermanence": "impermanence",
         "nix-index-database": "nix-index-database",
         "nixpkgs": "nixpkgs",
-        "snowfall-lib": "snowfall-lib"
+        "snowfall-lib": "snowfall-lib",
+        "sops-nix": "sops-nix"
       }
     },
     "snowfall-lib": {
@@ -176,6 +177,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746485181,
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -10,6 +10,8 @@
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
     nix-index-database.url = "github:nix-community/nix-index-database";
     nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = inputs: 
@@ -20,6 +22,7 @@
 		systems.modules.nixos = with inputs; [
 			disko.nixosModules.disko
 			impermanence.nixosModules.impermanence
+			sops-nix.nixosModules.sops
 		];
 		homes.modules = with inputs; [
 impermanence.homeManagerModules.impermanence

homes/x86_64-linux/rafiq/default.nix

@@ -9,6 +9,7 @@
   home.persistence."/persist/home/rafiq" = {
 	directories = [
 	".ssh"
+	".config/sops/age"
 	"repos"
 	];
 	allowOther = true;

modules/nixos/system/default.nix

@@ -5,6 +5,7 @@
     ./users.nix
     ./localisation.nix
     ./nix-config.nix
+    ./secrets.nix
   ];
 
   options.system = {

modules/nixos/system/secrets.nix

@@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+  sops = {
+    defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
+    age.sshKeyPaths = ["/persist/home/rafiq/.ssh/id_ed25519"];
+    secrets ={
+      "rafiq/hashedPassword".neededForUsers = true;
+    };
+  };
+}

secrets/secrets.yaml

@@ -0,0 +1,17 @@
+rafiq:
+    hashedPassword: ENC[AES256_GCM,data:SzzSPg5Ze4H+fVl6ZvAULO9FDfRehusmP6uldT4Ok2/9ZeOp9r4LgjKajoiw2A1DWD1zQ1GQwMCHKpeZjCC4rBUNWW5DMcBUJA==,iv:KktKuqr0JNhjeJIlIgkoAv6mP2dQlfQrXiIOASLPkbw=,tag:g9LarkT6EjDrH+dXSjMwPg==,type:str]
+sops:
+    age:
+        - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUDN6TFlTVHdlWCsrWkFn
+            R1g5UjVLVk1NQzJRRE9NbDZlRVVJUjVvbmlnCk93NFhSRS9vbDUzNVd6Q3RuTEtZ
+            cFZvY0JML2tDSUZIbkcyVWVWWVFMY0UKLS0tIDlCbmxhUThUaHRGNkgySEp2QTB1
+            WXFKbjNMWDF0LzNyekJJMGFva2diemcKQTc8ODuK6IWqRhulHiCF92aU+3p23riY
+            M94Nzh+VT6QTFOgb3J7bBJMLhRH/fkQb6L6ia2n9QrVXFyYYMJ0oBw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-18T14:48:00Z"
+    mac: ENC[AES256_GCM,data:ZXqR1G5h1airqlLPi/yyRgVycqk8aMEBKihOqTXpeKIXev5upA5P5+I4ZQtVXTtSkwzIiRRhkzQfGnASjEGWezNRoPZffjIbMn7RkssyUcz+lFKinec1ZZJxc51lOGP22gP/qrcGjmtqDgVDfWsjTtaZjlr3qmL5e6MK7RbhO5g=,iv:kGRvTNcPjsxvsP3EXVpnsQunCXXpYirAFsMEnVx0kR4=,tag:JVHIlhRW2x50M0gGgXy3oQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2