feat(nix): add sops for secrets

.sops.yaml

@@ -0,0 +1,21 @@
+keys:
+  - &server_lappy age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+  - &server_tanzanite age1myy382gauvgg77lyaqmj4ty7a9pgzqu85pqufk2rytudg9g8edeq5rupzw
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_lappy
+  - path_regex: secrets/stitchynyan/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_lappy
+  - path_regex: secrets/nyadmin/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_tanzanite
+  - path_regex: secrets/email_accounts/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *server_tanzanite

flake.lock

@@ -344,7 +344,8 @@
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-quartus": "nixpkgs-quartus",
-        "nixpkgs-xr": "nixpkgs-xr"
+        "nixpkgs-xr": "nixpkgs-xr",
+        "sops-nix": "sops-nix"
       }
     },
     "rust-overlay": {
@@ -368,6 +369,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760998189,
+        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1689347949,

flake.nix

@@ -2,12 +2,13 @@
   description = "System Configuration Flake";
   outputs = inputs@{
     catppuccin,
+    home-manager,
     lanzaboote,
     nixpkgs,
     nixpkgs-xr,
     nixos-hardware,
     nixpkgs-quartus,
-    home-manager,
+    sops-nix,
     ...
   } : {
 
@@ -17,6 +18,7 @@
         specialArgs = { inherit inputs; };
         modules = [
           catppuccin.nixosModules.catppuccin
+          sops-nix.nixosModules.sops
 
           ./hosts/malachite/default.nix
           ./users/stitchynyan/default.nix
@@ -44,6 +46,7 @@
           catppuccin.nixosModules.catppuccin
           lanzaboote.nixosModules.lanzaboote
           nixos-hardware.nixosModules.framework-12th-gen-intel
+          sops-nix.nixosModules.sops
 
           ./hosts/lappy/default.nix
           ./users/stitchynyan/default.nix
@@ -87,6 +90,7 @@
         specialArgs = { inherit inputs; };
         modules = [
           catppuccin.nixosModules.catppuccin
+          sops-nix.nixosModules.sops
 
           ./hosts/tanzanite/default.nix
           ./users/nyadmin/default.nix
@@ -127,5 +131,9 @@
     nixpkgs-xr.url = "github:nix-community/nixpkgs-xr";
     nixos-hardware.url = "github:Nixos/nixos-hardware/master";
     nixpkgs-quartus.url = "github:nixos/nixpkgs/nixos-22.05";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 }

secrets/stitchynyan/secrets.yaml

@@ -0,0 +1,17 @@
+password-hash:
+    stitchynyan: ENC[AES256_GCM,data:bYrGWN3qhak742yo5fP+R767NrCDlc91ngxKA/e68uIXesx+J9od0C9VwBYtK6VfqUHT/3CkGRPxj9r73wrnSkYgpzZZ41syqg==,iv:uD1BBpzcRpGZpWEjxWT9cqDJfBqtj336/FOmVkEASE4=,tag:zEc0QlQPaKUfQpxwfbp68A==,type:str]
+sops:
+    age:
+        - recipient: age1ew0qvrhjafqcdluupf0etgchh7h7987kgqnfvh7plxe44k8xy94qw9pe5n
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4MFdlSFQ4WjVwbFExUFdD
+            c05BOTJTSkdXM3hzdkdVTXN1bGh6bk92TFdJCjB5OUZyWDdqalU3akRKaHV4a3FE
+            YkdVUW9SRHA5NDJoT01wa1VOQTZGTGsKLS0tIGMwWVpGMHJEWDhpSVNLV1liWUhj
+            ZW1XSm9Td0JVODhBYnFpcnlNMHFvWkUKz0GCB+DYOXO5szkAtVhjnzjzPgMvAvc1
+            NuQRV9uI5OPElhkucxhO9QhQQ8OLl/5rv4UYJHuEaGbz9ijMOdrvFQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-30T05:24:37Z"
+    mac: ENC[AES256_GCM,data:+XXEIMIWoPhJFWQ4D8CFLNFL5ZjHya9tFrVlW6rUb7/NXEkN3UoqtnUxOJFw6dGjU7L9vX6p5dSYnGejhRFgZPXWGJywDoJiNg/A63HPhQNECNO7xKrHsB238PsNzBCC0p47R0XELywd77zZ8BHtezty6+8x5x6md7+kE5sDzgU=,iv:+MZKzxv5oYCldq7SQxl7kYwPb9IoDKp0im8yoU7KsSw=,tag:FXrj7o1Y6n9Ir9V03aLyww==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

users/stitchynyan/default.nix

@@ -54,11 +54,16 @@
     xserver.enable = true;
   };
 
+  sops.secrets."password-hash/stitchynyan" = {
+    neededForUsers = true;
+    sopsFile = ../../secrets/stitchynyan/secrets.yaml;
+  };
+
   users.users.stitchynyan = {
     description = "Personal user";
     extraGroups = [ "audio" "dialout" "docker" "kvm" "libvirtd" "networkmanager" "plugdev" "wireshark" "wheel" ];
     home = "/home/stitchynyan";
-    initialHashedPassword = "$y$j9T$rvySCWHYE4AO4A9J0Vf20.$x5hpBNsOWovQFtNfFUIt17OAH5MJFwFBGjxbaEIagJ3";
+    hashedPasswordFile = config.sops.secrets."password-hash/stitchynyan".path;
     isNormalUser = true;
     shell = pkgs.zsh;
   };