From bd03871ecec67fc62982f59234e2e0be04925490 Mon Sep 17 00:00:00 2001 From: Matei Adriel Date: Wed, 31 Jan 2024 20:03:00 +0100 Subject: [PATCH] Switch from `agenix` to `sops-nix` --- .sops.yaml | 21 +++ README.md | 7 +- flake.lock | 141 ++++++------------ flake.nix | 10 +- home/features/cli/default.nix | 1 - .../cli/productivity/smos/default.nix | 14 +- .../cli/productivity/smos/secrets.yaml | 21 +++ .../productivity/smos/smos_github_oauth.age | 8 - home/features/cli/ssh.nix | 1 + home/features/desktop/wakatime/default.nix | 8 +- home/features/desktop/wakatime/secrets.yaml | 21 +++ .../desktop/wakatime/wakatime_config.age | Bin 339 -> 0 bytes home/global.nix | 6 +- hosts/nixos/common/global/default.nix | 5 +- .../nixos/common/global/wireless/default.nix | 12 +- .../common/global/wireless/wifi_passwords.age | Bin 794 -> 0 bytes hosts/nixos/common/secrets.yaml | 40 +++++ hosts/nixos/common/users/adrielus.nix | 15 +- .../nixos/common/users/adrielus_password.age | 14 -- scripts/age-public-key.sh | 2 + scripts/emergency-lapetus.sh | 2 +- scripts/ssh-to-age.sh | 6 + secrets.nix | 19 --- 23 files changed, 194 insertions(+), 180 deletions(-) create mode 100644 .sops.yaml create mode 100644 home/features/cli/productivity/smos/secrets.yaml delete mode 100644 home/features/cli/productivity/smos/smos_github_oauth.age create mode 100644 home/features/desktop/wakatime/secrets.yaml delete mode 100644 home/features/desktop/wakatime/wakatime_config.age delete mode 100644 hosts/nixos/common/global/wireless/wifi_passwords.age create mode 100644 hosts/nixos/common/secrets.yaml delete mode 100644 hosts/nixos/common/users/adrielus_password.age create mode 100755 scripts/age-public-key.sh create mode 100755 scripts/ssh-to-age.sh delete mode 100644 secrets.nix diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..14bdb13 --- /dev/null +++ b/.sops.yaml 
@@ -0,0 +1,21 @@ +keys: + - &users: + - &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + - &hosts: + - &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs + - &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4 +creation_rules: + - path_regex: hosts/nixos/common/secrets.yaml + key_groups: + - age: + - *prescientmoon + - *tethys + - *lapetus + - path_regex: home/features/desktop/wakatime/secrets.yaml + key_groups: + - age: + - *prescientmoon + - path_regex: home/features/cli/productivity/smos/secrets.yaml + key_groups: + - age: + - *prescientmoon diff --git a/README.md b/README.md index 07537c5..de8bb17 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ In case you are not familiar with nix/nixos, this is a collection of configurati ## Features this repository includes: - Consistent base16 theming using [stylix](https://github.com/danth/stylix) -- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) based secret management +- [sops-nix](https://github.com/Mic92/sops-nix) based secret management - Sets up all the apps I use — including git, neovim, fish, tmux, starship, hyprland, anyrun, discord, zathura, wezterm & much more. The current state of this repo is a refactor of my old, messy nixos config, based on the structure of [this template](https://github.com/Misterio77/nix-starter-configs). @@ -33,7 +33,7 @@ This repo's structure is based on the concept of hosts - individual machines con | [overlays](./overlays) | Nix overlays | | [pkgs](./pkgs) | Nix packages | | [flake.nix](./flake.nix) | Nix flake entrypoint! | -| [secrets.nix](./secrets.nix) | Agenix entrypoint | +| [.sops.yaml](./.sops.yaml) | Sops entrypoint | | [stylua.toml](./stylua.toml) | Lua formatter config for the repo | ## Points of interest 
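Review bot: The three `path_regex` values under `creation_rules` in `.sops.yaml` are unanchored and leave their dots unescaped, so each rule also matches any longer path that merely contains the string, and `.` matches any character. Since the matching rule decides which recipients a newly created file is encrypted to, I would make the match exact, e.g. `- path_regex: ^hosts/nixos/common/secrets\.yaml$`, and do the same for the wakatime and smos rules. The two user-scoped rules list only `*prescientmoon`, so those files have a single recipient and no second key to recover them with; a one-line comment saying that this is intentional would help.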
@@ -52,7 +52,7 @@ Here's some things you might want to check out: - [Nixos](http://nixos.org/) — nix based operating system - [Home-manager](https://github.com/nix-community/home-manager) — manage user configuration using nix - [Impernanence](https://github.com/nix-community/impermanence) — see the article about [erasing your darlings](https://grahamc.com/blog/erase-your-darlings) -- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — secret management +- [Sops-nix](https://github.com/Mic92/sops-nix) — secret management - [Slambda](https://github.com/Mateiadrielrafael/slambda) — custom keyboard chording utility - [disko](https://github.com/nix-community/disko) — format disks using nix - [zfs](https://openzfs.org/wiki/Main_Page) — filesystem @@ -101,6 +101,7 @@ Here's some things you might want to check out: Includes links to stuff which used to be in the previous section but is not used anymore. Only created this section in June 2023, so stuff I used earlier might not be here. Sorted with the most recently dropped things at the top. +- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — I switched to [sops-nix](https://github.com/Mic92/sops-nix) - [Mind.nvim](https://github.com/phaazon/mind.nvim) — self management tree editor. The project got archived, so I switched to [Smos](https://github.com/NorfairKing/smos). - [Null-ls](https://github.com/jose-elias-alvarez/null-ls.nvim) — general purpose neovim LSP. The project got archived, so I switched to [formatter.nvim](https://github.com/mhartington/formatter.nvim). - [Wofi](https://sr.ht/~scoopta/wofi/) — program launcher. I switched to [Anyrun](https://github.com/Kirottu/anyrun). diff --git a/flake.lock b/flake.lock index bd6496e..f71642f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,27 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701216516, - "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=", - "owner": "ryantm", - "repo": "agenix", - "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "anyrun": { "inputs": { "flake-parts": "flake-parts", @@ -386,28 +364,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "dekking": { "flake": false, "locked": { @@ -1351,27 +1307,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682203081, - "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -1392,7 +1327,7 @@ "type": "github" } }, - "home-manager_3": { + "home-manager_2": { "inputs": { "nixpkgs": "nixpkgs" }, @@ -1411,7 +1346,7 @@ "type": "github" } }, - "home-manager_4": { + "home-manager_3": { "inputs": { "nixpkgs": "nixpkgs_9" }, 
@@ -1430,26 +1365,6 @@ "type": "github" } }, - "homeage": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1669234151, - "narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=", - "owner": "jordanisaacs", - "repo": "homeage", - "rev": "02bfe4ca06962d222e522fff0240c93946b20278", - "type": "github" - }, - "original": { - "owner": "jordanisaacs", - "repo": "homeage", - "type": "github" - } - }, "hyprland": { "inputs": { "hyprland-protocols": "hyprland-protocols", @@ -1556,7 +1471,7 @@ "dekking": "dekking", "fast-myers-diff": "fast-myers-diff", "haskell-dependency-graph-nix": "haskell-dependency-graph-nix", - "home-manager": "home-manager_3", + "home-manager": "home-manager_2", "linkcheck": "linkcheck", "mergeless": "mergeless", "nixpkgs": "nixpkgs_2", @@ -2081,6 +1996,22 @@ } }, "nixpkgs-stable_5": { + "locked": { + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_6": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -2096,7 +2027,7 @@ "type": "github" } }, - "nixpkgs-stable_6": { + "nixpkgs-stable_7": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -2538,7 +2469,7 @@ "flake-utils": "flake-utils_10", "gitignore": "gitignore_4", "nixpkgs": "nixpkgs_15", - "nixpkgs-stable": "nixpkgs-stable_5" + "nixpkgs-stable": "nixpkgs-stable_6" }, "locked": { "lastModified": 1685970613, @@ -2560,7 +2491,7 @@ "flake-utils": "flake-utils_11", "gitignore": "gitignore_5", "nixpkgs": "nixpkgs_16", - "nixpkgs-stable": "nixpkgs-stable_6" + "nixpkgs-stable": "nixpkgs-stable_7" }, "locked": { "lastModified": 1700064067, 
@@ -2594,15 +2525,13 @@ }, "root": { "inputs": { - "agenix": "agenix", "anyrun": "anyrun", "anyrun-nixos-options": "anyrun-nixos-options", "catppuccin-base16": "catppuccin-base16", "disko": "disko", "firefox-addons": "firefox-addons", "grub2-themes": "grub2-themes", - "home-manager": "home-manager_2", - "homeage": "homeage", + "home-manager": "home-manager", "hyprland": "hyprland", "hyprland-contrib": "hyprland-contrib", "impermanence": "impermanence", @@ -2621,6 +2550,7 @@ "rosepine-base16": "rosepine-base16", "slambda": "slambda", "smos": "smos", + "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "stylix": "stylix", "tickler": "tickler", @@ -2851,7 +2781,7 @@ "fuzzy-time": "fuzzy-time", "get-flake": "get-flake", "haskell-dependency-graph-nix": "haskell-dependency-graph-nix_2", - "home-manager": "home-manager_4", + "home-manager": "home-manager_3", "ical": "ical", "linkcheck": "linkcheck_2", "looper": "looper", @@ -2899,6 +2829,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_5" + }, + "locked": { + "lastModified": 1706410821, + "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "spicetify-nix": { "inputs": { "flake-utils": "flake-utils_9", diff --git a/flake.nix b/flake.nix index 0b902d0..f6e50d0 100644 --- a/flake.nix +++ b/flake.nix @@ -25,13 +25,6 @@ firefox-addons.inputs.nixpkgs.follows = "nixpkgs"; # }}} # {{{ Nix-related tooling - # {{{ Secret management - agenix.url = "github:ryantm/agenix"; - agenix.inputs.nixpkgs.follows = "nixpkgs"; - - homeage.url = "github:jordanisaacs/homeage"; - homeage.inputs.nixpkgs.follows = "nixpkgs"; - # }}} # {{{ Storage impermanence.url = "github:nix-community/impermanence"; 
@@ -46,6 +39,9 @@ nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + korora.url = "github:adisbladis/korora"; # Nix language server diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix index 88b023c..2f80c70 100644 --- a/home/features/cli/default.nix +++ b/home/features/cli/default.nix @@ -38,7 +38,6 @@ ouch # Unified compression / decompression tool mkpasswd # Hash passwords jq # Json maniuplation - inputs.agenix.packages.${pkgs.system}.agenix # Secret encryption # }}} ]; diff --git a/home/features/cli/productivity/smos/default.nix b/home/features/cli/productivity/smos/default.nix index 7a2dca9..bd7228b 100644 --- a/home/features/cli/productivity/smos/default.nix +++ b/home/features/cli/productivity/smos/default.nix @@ -2,6 +2,7 @@ let workflowDir = "${config.home.homeDirectory}/productivity/smos"; in { + # {{{ Smos config programs.smos = { inherit workflowDir; @@ -10,19 +11,21 @@ in github = { enable = true; - oauth-token-file = config.homeage.file.smos.path; + oauth-token-file = config.sops.secrets.smos_github_token.path; }; }; - + # }}} + # {{{ Storage & secrets satellite.persistence.at.data.apps.smos.directories = [ config.programs.smos.workflowDir ]; - homeage.file.smos = { - source = ./smos_github_oauth.age; + sops.secrets.smos_github_token = { + sopsFile = ./secrets.yaml; path = "${config.xdg.dataHome}/smos/.github_token"; }; - + # }}} + # {{{ Add desktop entry home.packages = # Start smos with a custom class so our WM can move it to the correct workspace let smosgui = pkgs.writeShellScriptBin "smosgui" '' @@ -37,4 +40,5 @@ in exec = "smosgui"; terminal = false; }; + # }}} } diff --git a/home/features/cli/productivity/smos/secrets.yaml b/home/features/cli/productivity/smos/secrets.yaml new file mode 100644 index 0000000..ce4d25e --- /dev/null 
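Review bot: The new `sops-nix` input in flake.nix pins `nixpkgs` with `follows` but not its second input. The flake.lock part of this patch shows `sops-nix` also taking `nixpkgs-stable`, which is locked as the extra node `nixpkgs-stable_5`. Adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` would leave one fewer nixpkgs revision in the lock to fetch and audit. The input also sits between unrelated entries now that the `# {{{ Secret management` fold is gone; a short `# Secret management` comment above it would keep the section readable.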
+++ b/home/features/cli/productivity/smos/secrets.yaml @@ -0,0 +1,21 @@ +smos_github_token: ENC[AES256_GCM,data:kqy5mQf96DoPN1iEt2akJWFfD3IJWdSkvZa0MeAyF0WJ/+V5P5C4iQ==,iv:QwmIdV/vzGTLE89XJVi3prgfmXqRa/OYcp9CA7KJDYc=,tag:+S1EZBcxoOQO2ADjDx9STQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4 + Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4 + VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi + Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK + 8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T18:33:00Z" + mac: ENC[AES256_GCM,data:HMJ9K1Ox0GPFgi7yG+Kb7ogHCQHXhj0hZEWGs0gLFHw0qqXBAUpAZfqVDd5DvNQSK7m4lRoxZC+wyc2ni0o95QGoDM1wA83npalvTEZyRI+9N0TAsrO03JHq+1uSawwLEhmHjvcVsX8W3d5hJzY+/Tq21D14SBKMqXxgHwHsH2E=,iv:dEyBbXDHboP/x0Bqo7p3YHh8gJWWfmTNLAZhUYeqkfc=,tag:WduTOOkgox6GRtLkm2Zkdw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/home/features/cli/productivity/smos/smos_github_oauth.age b/home/features/cli/productivity/smos/smos_github_oauth.age deleted file mode 100644 index f86ad51..0000000 --- a/home/features/cli/productivity/smos/smos_github_oauth.age +++ /dev/null @@ -1,8 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 UUF9JQ 8KhqQ8dEHYLDM89d+glRT9xtId2umJM2O8Vj6oWM0zY -UAZ+pzFuL+wKSFY+yG1t1U9l0knA/VpupVBr6m2/+eY --> Q7U4ZXW4-grease S8&{':OI EQs~v%Gq zp_"?LJ* z@)Y -mmb3Yi9moBnueYa4AeMJwAA0A6lZAo9+L4zYgnxyjLBOUwQMPO/zDPmHqQ ---- HMqzE5ekHYLWxdxpC7J9NMdrfx4VJYVwwnvhq6JAtmI - -c ޵F;UKFt2_}ns3oYCn쎪80@"AjQ` \ No newline at end of file diff --git a/home/features/cli/ssh.nix b/home/features/cli/ssh.nix index f702010..2d240ff 100644 --- a/home/features/cli/ssh.nix +++ b/home/features/cli/ssh.nix 
@@ -1,6 +1,7 @@ { programs.ssh.enable = true; + # TODO: age persistence satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ]; # Makes it easy to copy ssh keys at install time without messing up permissions diff --git a/home/features/desktop/wakatime/default.nix b/home/features/desktop/wakatime/default.nix index bb555e8..22dbf85 100644 --- a/home/features/desktop/wakatime/default.nix +++ b/home/features/desktop/wakatime/default.nix @@ -1,9 +1,7 @@ { pkgs, config, ... }: { - homeage.file.wakatime = { - source = ./wakatime_config.age; - symlinks = [ - "${config.home.homeDirectory}/.wakatime.cfg" - ]; + sops.secrets.wakatime_config = { + sopsFile = ./secrets.yaml; + path = "${config.home.homeDirectory}/.wakatime.cfg"; }; home.packages = [ pkgs.wakatime ]; diff --git a/home/features/desktop/wakatime/secrets.yaml b/home/features/desktop/wakatime/secrets.yaml new file mode 100644 index 0000000..6c6d93b --- /dev/null +++ b/home/features/desktop/wakatime/secrets.yaml 
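Review bot: The added `# TODO: age persistence` in ssh.nix does not say what still has to be persisted or what breaks without it. The tail of scripts/ssh-to-age.sh visible in this patch writes the age identity to `~/.config/sops/age/keys.txt`. If no persistence entry covers that path (none is visible here), the user-scoped secrets presumably stop decrypting after a reboot until the script is rerun. I would spell that out, e.g. `# TODO: persist ~/.config/sops/age (identity written by scripts/ssh-to-age.sh); without it home-manager secrets cannot be decrypted after a reboot`. The attribute set continues outside this hunk.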
@@ -0,0 +1,21 @@ +wakatime_config: ENC[AES256_GCM,data:IgGcMQNf8u2KXjgI60zPKZ6M7oxibbQK+in/9jrnEzk20WA1JM122zICXYuLfuQgNd2CMoEeu4LivQHv/D79tw==,iv:HoS00ihAX+SCw58kgcnvqAy4ILdS+/RPMqQwXusTqYU=,tag:0sSaZTrjO43PB7g215wwUA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq + bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00 + eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2 + cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE + oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-31T18:29:11Z" + mac: ENC[AES256_GCM,data:PmKn6D+olZSKrjY0i9zZ3YZxi+k39CS7ckUF7YaVINqZlCBNe12T+FnPyHhH/vDujA61ZzalsY14SHwSkOwMNVTJ9tdvOEfpEtwq0wKn+5TQmz8LfWNBUazRefhY0hKZN/k/akRjRh65wOvMZfah+L6A9wA7vW1OrCbLtAKExsY=,iv:9vGJAzjRN6MxRG7EeYKKft3YElkicu0XX8Q28Ua2n3M=,tag:eyg5yUH2ME2annShaFQAqg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/home/features/desktop/wakatime/wakatime_config.age b/home/features/desktop/wakatime/wakatime_config.age deleted file mode 100644 index c0521365eed23ac674b0c32ac6878c60f7854c4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 339 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+4Ry2h3REcfNHZ=< zuJTFuD$C3?s45Iju{80j3MxxCGd4|haxP5{_bT^H1d>K3T!zU3?up?>9-&5tQ9)52 zd1YpKZlwjjp$54jNruJw`mU~Jl}7nlQHlD2Alvl3s~k0S(~D9Qi&GUGO#A~QBe<#z z3{BF^ib}Fm0|Uzo3oN{H%N#>Y&AiL?qk@A19n1ZLyn;*Jin(-kbrpQwQY}0}{Igv% z{heJ6vMpR3JxU{-3JP2-&4CUs$W4s&Of56;@W@Va<3^EP$N)HZB2?;YTEAaA;EUmIA%0{=%I6W~V)KQ_-CCnu?s?4xF*`vra z!!pU&)Fjj^$T=WU+uXU(#N4MU)yJ#MG||{HD3r@A+c?;uydcxx$5=nxyTmZGG9tjk zF)%7h-`u<+(L6~z%)-+kE4jeM-xJ-o&`>u^uRsOY$S~J%4_7ni0DTLOl#0}1ztrFi zw=j2?ByBI_z@+4~oK$aTZS!O&H(xIObeHtBd>3QG;(WuhsK{_Hx1hxGR8v#atTLm5 zEH^XLfE?pAFQdew00WS18M^63sfop@3QAFK_FM)Y8HVmDZ>x07VL7d-C5Ju=WhG2lR&(K)P^Y?E zs`J%WQ!z=QCl&sw*Ct!odwlw~Fgt0*{g~~FY`U`~PdntkxV3M2i#dx+vs?Pkf`1>@ z%L|7r>RSHuPNU$IG~U90+JRzs(@VZT*IwHFa%tqJRf<86xCPEB@BJGnni~0%$w+p3 zW{R!t%ix&#)rS4YuHSDrUn0sTf8Rpvv)SUuJtBEOraKiCJ`Bt5ked~!>J;bbC-led zW7_QB)!K~TY<|ztJJHa#)MQD!(bncO-Ey&E!VBK%d~>Us@o!1b&55i#J30@vO<1?< z*YBLjlzm5fRX*BqFZm|T`dhX+R6&j1U`k?V{H-TfRJJ*!9QNOPUT4V_zv5?J&vOb? GuK@siEh@ ssh-ed25519 qgVaDQ sYn14+1vJEk4dnYdHQ58q36LTMS7tU5V3V/3xswLWHk -mnr7r/IJOmVtnsSiIq9B8GvO6xnNs3r7jiz0yLAAL8Q --> ssh-ed25519 3gahUA kpYU2sudkfqfCGrqjeNsU61IEal7AGJLJuXE8Wyo0Ro -m3Z6vZGG+h3lvtT7zYl1lIb+z9tVzRw0Tpr17LHE1NA --> ssh-ed25519 UUF9JQ MzmLpgpJ/t4XrLFUk8xUhyO+W2if+aCG7t7aHv3Tqkw -Yf51xXY5pzC+txLTIiK4PwZksjeaTDlPIwGhghaAQPg --> ~/.config/sops/age/keys.txt" +echo "🚀 All done" diff --git a/secrets.nix b/secrets.nix deleted file mode 100644 index 1bd2211..0000000 --- a/secrets.nix +++ /dev/null 
@@ -1,19 +0,0 @@
-let
- tethys = builtins.readFile ./hosts/nixos/tethys/keys/ssh_host_ed25519_key.pub;
- lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/ssh_host_ed25519_key.pub;
-
- adrielus_tethys = builtins.readFile ./hosts/nixos/tethys/keys/id_ed25519.pub;
- adrielus_lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/id_ed25519.pub;
-
- all_hosts = [ tethys lapetus ];
-in
-{
- # Scoped for entire systems
- "./hosts/nixos/common/global/wireless/wifi_passwords.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
- "./hosts/nixos/common/users/adrielus_password.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
-
- # Scoped for the user
- # TODO: perhaps move this into `pass`?.
- "./home/features/desktop/wakatime/wakatime_config.age".publicKeys = [ adrielus_tethys ];
- "./home/features/cli/productivity/smos/smos_github_oauth.age".publicKeys = [ adrielus_tethys ];
-}