Switch from agenix to sops-nix

2024-01-31 20:03:00 +01:00 · 2024-01-31 20:03:00 +01:00 · bd03871ece
parent ced418a65b
commit bd03871ece
23 changed files with 194 additions and 180 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,21 @@
 keys:
  - &users:
    - &prescientmoon age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
  - &hosts:
    - &tethys age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
    - &lapetus age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
 creation_rules:
  - path_regex: hosts/nixos/common/secrets.yaml
    key_groups:
      - age: 
        - *prescientmoon
        - *tethys
        - *lapetus
  - path_regex: home/features/desktop/wakatime/secrets.yaml
    key_groups:
      - age:
        - *prescientmoon
  - path_regex: home/features/cli/productivity/smos/secrets.yaml
    key_groups:
      - age:
        - *prescientmoon
--- a/README.md
+++ b/README.md
@ -7,7 +7,7 @@ In case you are not familiar with nix/nixos, this is a collection of configurati
 ## Features this repository includes:
 - Consistent base16 theming using [stylix](https://github.com/danth/stylix)
- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) based secret management
+- [sops-nix](https://github.com/Mic92/sops-nix) based secret management
 - Sets up all the apps I use — including git, neovim, fish, tmux, starship, hyprland, anyrun, discord, zathura, wezterm & much more.
 The current state of this repo is a refactor of my old, messy nixos config, based on the structure of [this template](https://github.com/Misterio77/nix-starter-configs).
@ -33,7 +33,7 @@ This repo's structure is based on the concept of hosts - individual machines con
 | [overlays](./overlays)       | Nix overlays                                        |
 | [pkgs](./pkgs)               | Nix packages                                        |
 | [flake.nix](./flake.nix)     | Nix flake entrypoint!                               |
-| [secrets.nix](./secrets.nix) | Agenix entrypoint                                   |
+| [.sops.yaml](./.sops.yaml)   | Sops entrypoint                                     |
 | [stylua.toml](./stylua.toml) | Lua formatter config for the repo                   |
 ## Points of interest
@ -52,7 +52,7 @@ Here's some things you might want to check out:
 - [Nixos](http://nixos.org/) — nix based operating system
 - [Home-manager](https://github.com/nix-community/home-manager) — manage user configuration using nix
 - [Impernanence](https://github.com/nix-community/impermanence) — see the article about [erasing your darlings](https://grahamc.com/blog/erase-your-darlings)
- [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — secret management
+- [Sops-nix](https://github.com/Mic92/sops-nix) — secret management
 - [Slambda](https://github.com/Mateiadrielrafael/slambda) — custom keyboard chording utility
 - [disko](https://github.com/nix-community/disko) — format disks using nix
  - [zfs](https://openzfs.org/wiki/Main_Page) — filesystem
@ -101,6 +101,7 @@ Here's some things you might want to check out:
 Includes links to stuff which used to be in the previous section but is not used anymore. Only created this section in June 2023, so stuff I used earlier might not be here. Sorted with the most recently dropped things at the top.
 - [Agenix](https://github.com/ryantm/agenix) & [homeage](https://github.com/jordanisaacs/homeage) — I switched to [sops-nix](https://github.com/Mic92/sops-nix)
 - [Mind.nvim](https://github.com/phaazon/mind.nvim) — self management tree editor. The project got archived, so I switched to [Smos](https://github.com/NorfairKing/smos).
 - [Null-ls](https://github.com/jose-elias-alvarez/null-ls.nvim) — general purpose neovim LSP. The project got archived, so I switched to [formatter.nvim](https://github.com/mhartington/formatter.nvim).
 - [Wofi](https://sr.ht/~scoopta/wofi/) — program launcher. I switched to [Anyrun](https://github.com/Kirottu/anyrun).
--- a/flake.lock
+++ b/flake.lock
@ -1,27 +1,5 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1701216516,
        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "anyrun": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -386,28 +364,6 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "dekking": {
      "flake": false,
      "locked": {
@ -1351,27 +1307,6 @@
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682203081,
        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@ -1392,7 +1327,7 @@
        "type": "github"
      }
    },
-    "home-manager_3": {
+    "home-manager_2": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },
@ -1411,7 +1346,7 @@
        "type": "github"
      }
    },
-    "home-manager_4": {
+    "home-manager_3": {
      "inputs": {
        "nixpkgs": "nixpkgs_9"
      },
@ -1430,26 +1365,6 @@
        "type": "github"
      }
    },
    "homeage": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1669234151,
        "narHash": "sha256-TwT87E3m2TZLgwYJESlype14HxUOrRGojPM5C2akrMg=",
        "owner": "jordanisaacs",
        "repo": "homeage",
        "rev": "02bfe4ca06962d222e522fff0240c93946b20278",
        "type": "github"
      },
      "original": {
        "owner": "jordanisaacs",
        "repo": "homeage",
        "type": "github"
      }
    },
    "hyprland": {
      "inputs": {
        "hyprland-protocols": "hyprland-protocols",
@ -1556,7 +1471,7 @@
        "dekking": "dekking",
        "fast-myers-diff": "fast-myers-diff",
        "haskell-dependency-graph-nix": "haskell-dependency-graph-nix",
-        "home-manager": "home-manager_3",
+        "home-manager": "home-manager_2",
        "linkcheck": "linkcheck",
        "mergeless": "mergeless",
        "nixpkgs": "nixpkgs_2",
@ -2081,6 +1996,22 @@
      }
    },
    "nixpkgs-stable_5": {
      "locked": {
        "lastModified": 1705957679,
        "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "9a333eaa80901efe01df07eade2c16d183761fa3",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "release-23.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-stable_6": {
      "locked": {
        "lastModified": 1685801374,
        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -2096,7 +2027,7 @@
        "type": "github"
      }
    },
-    "nixpkgs-stable_6": {
+    "nixpkgs-stable_7": {
      "locked": {
        "lastModified": 1685801374,
        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -2538,7 +2469,7 @@
        "flake-utils": "flake-utils_10",
        "gitignore": "gitignore_4",
        "nixpkgs": "nixpkgs_15",
-        "nixpkgs-stable": "nixpkgs-stable_5"
+        "nixpkgs-stable": "nixpkgs-stable_6"
      },
      "locked": {
        "lastModified": 1685970613,
@ -2560,7 +2491,7 @@
        "flake-utils": "flake-utils_11",
        "gitignore": "gitignore_5",
        "nixpkgs": "nixpkgs_16",
-        "nixpkgs-stable": "nixpkgs-stable_6"
+        "nixpkgs-stable": "nixpkgs-stable_7"
      },
      "locked": {
        "lastModified": 1700064067,
@ -2594,15 +2525,13 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "anyrun": "anyrun",
        "anyrun-nixos-options": "anyrun-nixos-options",
        "catppuccin-base16": "catppuccin-base16",
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "grub2-themes": "grub2-themes",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
        "homeage": "homeage",
        "hyprland": "hyprland",
        "hyprland-contrib": "hyprland-contrib",
        "impermanence": "impermanence",
@ -2621,6 +2550,7 @@
        "rosepine-base16": "rosepine-base16",
        "slambda": "slambda",
        "smos": "smos",
        "sops-nix": "sops-nix",
        "spicetify-nix": "spicetify-nix",
        "stylix": "stylix",
        "tickler": "tickler",
@ -2851,7 +2781,7 @@
        "fuzzy-time": "fuzzy-time",
        "get-flake": "get-flake",
        "haskell-dependency-graph-nix": "haskell-dependency-graph-nix_2",
-        "home-manager": "home-manager_4",
+        "home-manager": "home-manager_3",
        "ical": "ical",
        "linkcheck": "linkcheck_2",
        "looper": "looper",
@ -2899,6 +2829,27 @@
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable_5"
      },
      "locked": {
        "lastModified": 1706410821,
        "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=",
        "owner": "Mic92",
        "repo": "sops-nix",
        "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef",
        "type": "github"
      },
      "original": {
        "owner": "Mic92",
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "spicetify-nix": {
      "inputs": {
        "flake-utils": "flake-utils_9",
--- a/flake.nix
+++ b/flake.nix
@ -25,13 +25,6 @@
    firefox-addons.inputs.nixpkgs.follows = "nixpkgs";
    # }}}
    # {{{ Nix-related tooling
    # {{{ Secret management
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    homeage.url = "github:jordanisaacs/homeage";
    homeage.inputs.nixpkgs.follows = "nixpkgs";
    # }}}
    # {{{ Storage 
    impermanence.url = "github:nix-community/impermanence";
@ -46,6 +39,9 @@
    nix-index-database.url = "github:Mic92/nix-index-database";
    nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
    korora.url = "github:adisbladis/korora";
    # Nix language server
--- a/home/features/cli/default.nix
+++ b/home/features/cli/default.nix
@ -38,7 +38,6 @@
    ouch # Unified compression / decompression tool
    mkpasswd # Hash passwords
    jq # Json maniuplation
    inputs.agenix.packages.${pkgs.system}.agenix # Secret encryption
    # }}}
  ];
--- a/home/features/cli/productivity/smos/default.nix
+++ b/home/features/cli/productivity/smos/default.nix
@ -2,6 +2,7 @@
 let workflowDir = "${config.home.homeDirectory}/productivity/smos";
 in
 {
  # {{{ Smos config 
  programs.smos = {
    inherit workflowDir;
@ -10,19 +11,21 @@ in
    github = {
      enable = true;
-      oauth-token-file = config.homeage.file.smos.path;
+      oauth-token-file = config.sops.secrets.smos_github_token.path;
    };
  };
-
+  # }}}
  # {{{ Storage & secrets 
  satellite.persistence.at.data.apps.smos.directories = [
    config.programs.smos.workflowDir
  ];
-  homeage.file.smos = {
+  sops.secrets.smos_github_token = {
-    source = ./smos_github_oauth.age;
+    sopsFile = ./secrets.yaml;
    path = "${config.xdg.dataHome}/smos/.github_token";
  };
-
+  # }}}
  # {{{ Add desktop entry
  home.packages =
    # Start smos with a custom class so our WM can move it to the correct workspace
    let smosgui = pkgs.writeShellScriptBin "smosgui" ''
@ -37,4 +40,5 @@ in
    exec = "smosgui";
    terminal = false;
  };
  # }}}
 }
--- a/home/features/cli/productivity/smos/secrets.yaml
+++ b/home/features/cli/productivity/smos/secrets.yaml
@ -0,0 +1,21 @@
 smos_github_token: ENC[AES256_GCM,data:kqy5mQf96DoPN1iEt2akJWFfD3IJWdSkvZa0MeAyF0WJ/+V5P5C4iQ==,iv:QwmIdV/vzGTLE89XJVi3prgfmXqRa/OYcp9CA7KJDYc=,tag:+S1EZBcxoOQO2ADjDx9STQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwYkx3eWhxZUpTRVR3R1R4
            Vm9hMTVsbXBnU0tFU093amU3TTNjalhsVHdvCmZURElTY2Q0eTQvR3M1V3AzTVl4
            VkR2NXRHR2FiTURqNUp5Y3VDWFQ1UjgKLS0tIEVlRWs3YUFaZzdvd1Q5bmFwazJi
            Y2E3bmM1TkZoOEN0anJqYUNSQUN5ZDAKtobUBBKbfaUeiPtKN4/oTNaxY3C2joCK
            8h4FlRLXd+CGnAyjN2p4FliWzLgmOg4HFNmZSmYLpIh4E9yqadNSSg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-31T18:33:00Z"
    mac: ENC[AES256_GCM,data:HMJ9K1Ox0GPFgi7yG+Kb7ogHCQHXhj0hZEWGs0gLFHw0qqXBAUpAZfqVDd5DvNQSK7m4lRoxZC+wyc2ni0o95QGoDM1wA83npalvTEZyRI+9N0TAsrO03JHq+1uSawwLEhmHjvcVsX8W3d5hJzY+/Tq21D14SBKMqXxgHwHsH2E=,iv:dEyBbXDHboP/x0Bqo7p3YHh8gJWWfmTNLAZhUYeqkfc=,tag:WduTOOkgox6GRtLkm2Zkdw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/home/features/cli/productivity/smos/smos_github_oauth.age
+++ b/home/features/cli/productivity/smos/smos_github_oauth.age
@ -1,8 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 UUF9JQ 8KhqQ8dEHYLDM89d+glRT9xtId2umJM2O8Vj6oWM0zY
 UAZ+pzFuL+wKSFY+yG1t1U9l0knA/VpupVBr6m2/+eY
 -> Q7U4ZXW4-grease S8&{':OI EQs~v%Gq zp_"?LJ* z@)Y
 mmb3Yi9moBnueYa4AeMJwAA0A6lZAo9+L4zYgnxyjLBOUwQMPO/zDPmHqQ
 --- HMqzE5ekHYLWxdxpC7J9NMdrfx4VJYVwwnvhq6JAtmI
 c¤ÞµŒûF ;úU¶KFçtö2üÚ_†}¦èns3µ„¼oYCn…ìŽª8Œ‰¾0Ã¡è ¦@»"Aìjµ©³QÌ`
--- a/home/features/cli/ssh.nix
+++ b/home/features/cli/ssh.nix
@ -1,6 +1,7 @@
 {
  programs.ssh.enable = true;
  # TODO: age persistence
  satellite.persistence.at.state.apps.ssh.directories = [ ".ssh" ];
  # Makes it easy to copy ssh keys at install time without messing up permissions
--- a/home/features/desktop/wakatime/default.nix
+++ b/home/features/desktop/wakatime/default.nix
@ -1,9 +1,7 @@
 { pkgs, config, ... }: {
-  homeage.file.wakatime = {
+  sops.secrets.wakatime_config = {
-    source = ./wakatime_config.age;
+    sopsFile = ./secrets.yaml;
-    symlinks = [
+    path = "${config.home.homeDirectory}/.wakatime.cfg";
      "${config.home.homeDirectory}/.wakatime.cfg"
    ];
  };
  home.packages = [ pkgs.wakatime ];
--- a/home/features/desktop/wakatime/secrets.yaml
+++ b/home/features/desktop/wakatime/secrets.yaml
@ -0,0 +1,21 @@
 wakatime_config: ENC[AES256_GCM,data:IgGcMQNf8u2KXjgI60zPKZ6M7oxibbQK+in/9jrnEzk20WA1JM122zICXYuLfuQgNd2CMoEeu4LivQHv/D79tw==,iv:HoS00ihAX+SCw58kgcnvqAy4ILdS+/RPMqQwXusTqYU=,tag:0sSaZTrjO43PB7g215wwUA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0RmdFIxNFJpQTdGYXlq
            bkZrNktMaFlrOEZtSXh6Y1l6NTN0REN6N2dnCmNMRUk2TXA3RWhtZVlnbTg2aE00
            eFVwejBTcWRaTUhGWFFIS1RlVkhhQ28KLS0tIEdWWGRWSDZOQW9pQkdCRFFncTM2
            cURjWFplY1pyMzY4a0h6cTRLS2I2ZW8KqGtYjCsdriSWdKhC+kGBAMSY9WVDL3tE
            oMxyhrgDMtWndZEGv1+J3XLLmatDKmEcJO2k0CXZlCWWj17O4Rm+eA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-31T18:29:11Z"
    mac: ENC[AES256_GCM,data:PmKn6D+olZSKrjY0i9zZ3YZxi+k39CS7ckUF7YaVINqZlCBNe12T+FnPyHhH/vDujA61ZzalsY14SHwSkOwMNVTJ9tdvOEfpEtwq0wKn+5TQmz8LfWNBUazRefhY0hKZN/k/akRjRh65wOvMZfah+L6A9wA7vW1OrCbLtAKExsY=,iv:9vGJAzjRN6MxRG7EeYKKft3YElkicu0XX8Q28Ua2n3M=,tag:eyg5yUH2ME2annShaFQAqg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/home/features/desktop/wakatime/wakatime_config.age
+++ b/home/features/desktop/wakatime/wakatime_config.age
--- a/home/global.nix
+++ b/home/global.nix
@ -4,12 +4,12 @@ let
  imports = [
    # {{{ flake inputs
    inputs.stylix.homeManagerModules.stylix
    inputs.homeage.homeManagerModules.homeage
    inputs.nur.nixosModules.nur
    inputs.impermanence.nixosModules.home-manager.impermanence
    inputs.spicetify-nix.homeManagerModules.spicetify
    inputs.anyrun.homeManagerModules.default
    inputs.nix-index-database.hmModules.nix-index
    inputs.sops-nix.homeManagerModules.sops
    # {{{ self management
    # NOTE: using `pkgs.system` before `module.options` is evaluated
@ -58,8 +58,8 @@ in
  # Nicely reload system units when changing configs
  systemd.user.startServices = lib.mkForce "sd-switch";
-  # Where homeage should look for our ssh key
+  # Tell sops-nix to use ssh keys for decrypting secrets
-  homeage.identityPaths = [ "~/.ssh/id_ed25519" ];
+  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
  # Allow root to read persistent files from this user.
  home.persistence."/persist/home/adrielus".allowOther = true;
--- a/hosts/nixos/common/global/default.nix
+++ b/hosts/nixos/common/global/default.nix
@ -6,10 +6,10 @@ let
    # {{{ flake inputs 
    # inputs.hyprland.nixosModules.default
    inputs.disko.nixosModules.default
    inputs.agenix.nixosModules.default
    inputs.stylix.nixosModules.stylix
    inputs.nur.nixosModules.nur
    inputs.slambda.nixosModule
    inputs.sops-nix.nixosModules.sops
    # {{{ self management 
    # NOTE: using `pkgs.system` before `module.options` is evaluated
@ -38,6 +38,9 @@ in
  # Import all modules defined in modules/nixos
  imports = builtins.attrValues outputs.nixosModules ++ imports;
  # Tell sops-nix to use the host keys for decrypting secrets
  sops.age.sshKeyPaths = [ "/persist/state/etc/ssh/ssh_host_ed25519_key" ];
  # {{{ ad-hoc options
  # Customize tty colors
  stylix.targets.console.enable = true;
--- a/hosts/nixos/common/global/wireless/default.nix
+++ b/hosts/nixos/common/global/wireless/default.nix
@ -1,6 +1,5 @@
 { config, ... }: {
-  # Wireless secrets stored through agenix
+  sops.secrets.wireless.sopsFile = ../../secrets.yaml;
  age.secrets.wireless.file = ./wifi_passwords.age;
  # https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/networking/wpa_supplicant.nix
  networking.wireless = {
@ -8,7 +7,7 @@
    fallbackToWPA2 = false;
    # Declarative
-    environmentFile = config.age.secrets.wireless.path;
+    environmentFile = config.sops.secrets.wireless.path;
    networks = {
      "Neptune".psk = "@ENCELADUS_HOTSPOT_PASS@";
@ -51,13 +50,6 @@
  # Ensure group exists
  users.groups.network = { };
  # Persist imperative config
  environment.persistence."/persist/state".files = [
    # TODO: investigate why this doesn't work
    # "/etc/wpa_supplicant.conf"
  ];
  # The service seems to fail if this file does not exist
  systemd.tmpfiles.rules = [ "f /etc/wpa_supplicant.conf" ];
 }
--- a/hosts/nixos/common/global/wireless/wifi_passwords.age
+++ b/hosts/nixos/common/global/wireless/wifi_passwords.age
--- a/hosts/nixos/common/secrets.yaml
+++ b/hosts/nixos/common/secrets.yaml
@ -0,0 +1,40 @@
 wireless: ENC[AES256_GCM,data:QKM3llNba24/3Hfjph9JFpOF+G4aGuGDfhlwE/bfvvAX7G/dYRZ5GMZtUIifREviacCywtqYcmLe+IIA9/NtLom3JkgXV5VEoaNym78fMaY5fVvsjqOgzp1O0XXu70UYvHgtA1pDZrCQEv/q7slkBS7mYP+g8NaRff9eIzs6zMWIl3HzqQbdwb5TOzsKzPNZgNp8f9nTmxm6EVdEHx0fhBLepXw6uDGA2Op12XDvR9UDkzwOkyy7oxEhKiPhqi5in8OqfhBGmQ73WV+g38pUNobp5cGL0YjjxHIWKEbX0N6ov2DH4QkeQhJgWNtEsTuGugjWkPvoAgfARMirt+PFZotFPBib1/xZHB7H,iv:TruRRS9fAGjkQU4zs2cOs1olxUYkOOypMmpxOIw9N9o=,tag:Yd4t0DKVpaUul4CrA8hYPA==,type:str]
 adrielus_password: ENC[AES256_GCM,data:lREgbcKwzAJQ3PPTWt7LXmgAsrKFCN+baQx4Q2YrHlu16yvKpmaZzPHJ/C5IjucUNbdceTs6Ef99IWzju0d8Hl5Z5UTMspYIhQ==,iv:JqnL3zfCd/xMRqTciA/Q6nYmFKzJkBqda4zucsE5KFw=,tag:RGZ/0/NEpdchj9h/l3Z7Ig==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age14mga4r0xa82a2uus3wq5q7rqnvflms3jmhknz4f3hsda8wttk9gsv2k9fs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzNLcXFBcTlIM3hjZTN0
            bTFZUDJnS3lROExSREVkd0FMeHU3RGVWdzJnCkszOVROZlBmZWl2cjFkcTZ1OWZw
            eThXSTliNmxHM3o3NzhUOUkvU0YzNzgKLS0tIHBWSmRTTlJBdmlKQy9YWHR0NGds
            ak5kUFRJK3JCcUYvSFY2eGtIOTk3RkkKl3yBZjjBExU9RoZbaKBixfsywqFWFnq4
            n7olhkNMVIC+BcLYno0oIT2oILASMkE3NbH85IHlYZY2qQvFKDbG7w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1avsekqqyr62urdwtpfpt0ledzm49wy0rq7wcg3rnsprdx22er5usp0jxgs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aExaRC9SclVvT1g4WFI0
            N1grVzZWWmpPaGEwRmx3TjUyK0dvL0RNdmhjClY5UmI0eWZOTXZqbGFxT05OSnk1
            RTAyYStRN0NsRnZlWk03eXIrajdiRjQKLS0tIHlMdzBVNFEzR2FuVFZEWStFY1hh
            MnFiSGt3dWZxWnF3M2FkbTJzSTA2VTAKtD40Gp12vB24Wnr8NvY7/ZWr9XVDF9Bl
            FUL34R1mpgweNJ1IowFPgQbxsyMTG7iYB4jC50JZNOKJxe9NaeOUlQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jem6jfkmfq54wzhqqhrnf786jsn5dmx82ewtt4vducac8m2fyukskun2p4
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK0pFcWlheEwzV3N3bVFQ
            K3EwNXI5MXQyYld6Z3J1aVNHWlQ4UjlxSzIwCktDbG9iMFRVQnJBenhWVFhLa2N1
            SWRMR3JLajJscWFqMy84aGNFcy9UK1UKLS0tIEZoT0d2bVJpV3ByWmV0eENZVjM3
            WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U
            sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-31T18:18:48Z"
    mac: ENC[AES256_GCM,data:9kYBMib8MuIdcJK0Lxh3sYP4OrlFCn3DZP8X82mSvnK15l8rVXFu2xfIbt1nviDj9IFhsZ3+2qzUnPq650erG6JpuHdzdmxIE49nU8BqmqtiQ4SAFAdC7zEbWaWk3SKmm1ouarBuHWtfvN3uw/ULpdExxt8Or8kvgvoVPX2L85E=,iv:wDWg/ba89AqW5bwqVydLZdfhPFgkNLRTKx1caER6SmI=,tag:1JY/HsipandxtmCmYXuavQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/nixos/common/users/adrielus.nix
+++ b/hosts/nixos/common/users/adrielus.nix
@ -1,7 +1,9 @@
 { pkgs, outputs, config, lib, ... }:
 {
-  # Password file stored through agenix
+  sops.secrets.adrielus_password = {
-  age.secrets.adrielusPassword.file = ./adrielus_password.age;
+    sopsFile = ../secrets.yaml;
    neededForUsers = true;
  };
  users = {
    # Configure users through nix only
@ -12,12 +14,6 @@
      # Adds me to some default groups, and creates the home dir 
      isNormalUser = true;
      # File containing my password, managed by agenix
      hashedPasswordFile = config.age.secrets.adrielusPassword.path;
      # Set default shell
      shell = pkgs.fish;
      # Picked up by our persistence module
      homeMode = "755";
@ -31,6 +27,9 @@
        "syncthing" # syncthing!
      ];
      hashedPasswordFile = config.sops.secrets.adrielus_password.path;
      shell = pkgs.fish;
      openssh.authorizedKeys.keyFiles =
        (import ./common.nix).authorizedKeys { inherit outputs lib; };
    };
--- a/hosts/nixos/common/users/adrielus_password.age
+++ b/hosts/nixos/common/users/adrielus_password.age
@ -1,14 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 qgVaDQ sYn14+1vJEk4dnYdHQ58q36LTMS7tU5V3V/3xswLWHk
 mnr7r/IJOmVtnsSiIq9B8GvO6xnNs3r7jiz0yLAAL8Q
 -> ssh-ed25519 3gahUA kpYU2sudkfqfCGrqjeNsU61IEal7AGJLJuXE8Wyo0Ro
 m3Z6vZGG+h3lvtT7zYl1lIb+z9tVzRw0Tpr17LHE1NA
 -> ssh-ed25519 UUF9JQ MzmLpgpJ/t4XrLFUk8xUhyO+W2if+aCG7t7aHv3Tqkw
 Yf51xXY5pzC+txLTIiK4PwZksjeaTDlPIwGhghaAQPg
 -> <jAUJ|5-grease )*]+{]30 T_Hy 8I jR@u$
 clZ4bFz5PYI24Ddnvg4saB9XQu/hmUa7b4eiTEs1o6/IPh5sgQyNTDjcVh+b3M2R
 BynXRA0VmzlXj4fr0mgM7X0t+w510aS5IJxM8XK3HkrCb32y40lv7VcJeSA
 --- dj4NWvivR9a4Spob27oag9Hgx5T5169brKAmr6MqWfM
 ÿø»fu¸¬–Äò.<ËÞù1T4~™î’¯ÓáÿOCoåÆ1åAúúJÈÇ©‚\gF&!eŽàQ:ç®3”÷½Ð~/ûr
 ¬Øò‘	QÓW
 v<EFBFBD>²
Oœ¯ Z†ËÝlÖ".ßšs2NAn,·#
--- a/scripts/age-public-key.sh
+++ b/scripts/age-public-key.sh
@ -0,0 +1,2 @@
 #!/usr/bin/env bash
 nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"
--- a/scripts/emergency-lapetus.sh
+++ b/scripts/emergency-lapetus.sh
@ -1,4 +1,4 @@
-#!/usr/bin/env nix-shell
+#!/usr/bin/env nix-shellge
 #!nix-shell ../devshells/bootstrap/shell.nix
 #!nix-shell -i bash
--- a/scripts/ssh-to-age.sh
+++ b/scripts/ssh-to-age.sh
@ -0,0 +1,6 @@
 #!/usr/bin/env bash
 echo "📁 Creating sops directory"
 mkdir -p ~/.config/sops/age
 echo "🔑 Converting ssh key to age"
 nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
 echo "🚀 All done"
--- a/secrets.nix
+++ b/secrets.nix
@ -1,19 +0,0 @@
 let
  tethys = builtins.readFile ./hosts/nixos/tethys/keys/ssh_host_ed25519_key.pub;
  lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/ssh_host_ed25519_key.pub;
  adrielus_tethys = builtins.readFile ./hosts/nixos/tethys/keys/id_ed25519.pub;
  adrielus_lapetus = builtins.readFile ./hosts/nixos/lapetus/keys/id_ed25519.pub;
  all_hosts = [ tethys lapetus ];
 in
 {
  # Scoped for entire systems
  "./hosts/nixos/common/global/wireless/wifi_passwords.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
  "./hosts/nixos/common/users/adrielus_password.age".publicKeys = all_hosts ++ [ adrielus_tethys ];
  # Scoped for the user
  # TODO: perhaps move this into `pass`?.
  "./home/features/desktop/wakatime/wakatime_config.age".publicKeys = [ adrielus_tethys ];
  "./home/features/cli/productivity/smos/smos_github_oauth.age".publicKeys = [ adrielus_tethys ];
 }
		`@ -0,0 +1,2 @@`
							`#!/usr/bin/env bash`
							`nix-shell -p age --run "age-keygen -y ~/.config/sops/age/keys.txt"`