refactor: move password secrets to subdir

modules/networking.nix

@@ -63,8 +63,10 @@
     ];
     interfaces.enp12s0.wakeOnLan.enable = true;
   };
-  services.openssh.enable = true;
+  services.openssh = {
-  services.openssh.settings.PrintMotd = true;
+    enable = true;
+    settings.PrintMotd = true;
+  };
   services.tailscale = {
     enable = true;
     authKeyFile = config.sops.secrets.ts_auth_key.path;

modules/secrets/secrets.yaml

@@ -1,13 +1,10 @@
-password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str]
 ts_auth_key: ENC[AES256_GCM,data:2/pabfBT8KAGLKDytTMrhSBX8xr/TyJbX0mAsMlzmniyK9GT0xTAq3LsRfNLyCitSVauWIXwPYFia78NCw==,iv:PBDp4+SP9yVRJtmMmvJxUQju6qTOB7cJGSQZIbRSLm8=,tag:ZYDRlMrmmwwvxs71IV3dmQ==,type:str]
 cwp_jira_link: ENC[AES256_GCM,data:7YwR5ajQDcyZgUGgMonajBV7DG/wlxsbxpiagMaPCBk=,iv:loFSGCV4no/azjIRYxjZHDkrrJmH0nzGlF8t0o0yfo4=,tag:pQYLLq4fu7T8Z03GvrJ+3A==,type:str]
 cwp_jira_pat: ENC[AES256_GCM,data:+4VnPikwuSPHdPj9xihuFeht1FPYdZHcHxYNjKMwU2MU7VC4cOUA9vpcEgk=,iv:8f8Z/V9LnuTFdCsqJhaa55BL0ibgSW8PUQoW7FxAOZE=,tag:XL/Xf1QaNLiLT2m/dWcrKw==,type:str]
 gemini_api_key: ENC[AES256_GCM,data:Kh1Kya8O6lqN0MMK1OMn/BHw51XDOAroSrOL3h4K8r6VorAwHTZw,iv:Gxg13mHBID7Gv4du+484IF1q7LFOCvtyzWMHG+IBUVM=,tag:jcjmKveybkET4RFOV4F8PQ==,type:str]
+rafiq:
+    password: ENC[AES256_GCM,data:jzCXis5eIJpbWjsPMDVNZvMCbqp7QCUd7Drya0Al3QO0ExsoE6CNVzrbw4AyvKEgiUd0y9a5rKiwUBwGUoYVwxK0tkrOnB37+g==,iv:SsQIUB8OxgnxvjAyrfZzgEdGbaGGrL7zVwO5Of9D/Xw=,tag:iHNY8+nI9RnuM58SmGrV6Q==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
           enc: |
@@ -45,8 +42,7 @@ sops:
             TktUSFpxTXdKMUhFQ1BOMmR1VVFWNVkKwy3T9QCsg6gXZilufMtbls0HB5of38Pr
             YPzVeadsYlglg3/gBtDP4WyKBwYOQks2BbMTijqlMXBIl5JP7odVuw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-29T20:50:17Z"
+    lastmodified: "2025-04-06T08:16:09Z"
-    mac: ENC[AES256_GCM,data:fJ0UbSeQQzDAScXAOpYDD5aiOLNVLBhuAmJE3gwmT1Lm48UbncWfBKcvBfWElH3CTFaeuXshH7sRnUkKig5PKU0EVrpvWFic5TIjwk2G+fqLvzamuhk5y+4/VjUHA6Y3vXHRBV7XClblXqHa3LWk/l5eCtbiWEF1uNlz9h9JRbU=,iv:CCJMj5eYaTl2u8oq+s6yr9Xd83vIjBMMOfCVD5O54eQ=,tag:NzMDZTi9kVuWLsVSPaedBQ==,type:str]
+    mac: ENC[AES256_GCM,data:yQKGknVO8HEfYqmbINBro7gXePyjInx7jGhLTbsAoXLyxJuUQHAbieswAeLkTLgBqyfeAQHjYHro+s9eDPDitEi+/5fP/uLHK1HqyqZC9cAH35+8Th70hKxP7GAie9FQGkgcHYZYGe9nqFKHWwqu//l3UmdIdsnnxgC5dxnX2PI=,iv:E2a4GHVfXI6aGEsmkU9p7LRktPPJRUnYBgM9Qd3VayE=,tag:ot1AgSR+wzSD1orOnhROQQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.1

modules/security.nix

@@ -6,9 +6,9 @@
 
   sops = {
     defaultSopsFile = ./secrets/secrets.yaml;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    age.sshKeyPaths = [ "/home/rafiq/.ssh/id_ed25519" ];
     secrets = {
-      password.neededForUsers = true;
+      "rafiq/password".neededForUsers = true;
       ts_auth_key = { };
       cwp_jira_link = { };
       cwp_jira_pat = { };

modules/users.nix

@@ -29,7 +29,7 @@
     users.rafiq = {
       isNormalUser = true;
       description = "rafiq";
-      hashedPasswordFile = config.sops.secrets.password.path;
+      hashedPasswordFile = config.sops.secrets."rafiq/password".path;
       uid = 1000;
       extraGroups = [
         "networkmanager"