Secret management via sops-nix.

common/global/default.nix

@@ -10,6 +10,7 @@
     ./nix.nix
     ./packages.nix
     ./show-changelog.nix
+    ./sops.nix
     ./sudo.nix
     ./tailscale.nix
   ];

common/global/packages.nix

@@ -1,9 +1,12 @@
 { pkgs, ... }:
 {
   environment.systemPackages = with pkgs; [
+    age
     file
     lm_sensors # TODO: this shouldn't be installed on cloud nodes
     nodejs_20 # TODO: this is for one job on nomad, it should just be a dependency there
     neovim
+    sops
+    ssh-to-age
   ];
 }

common/global/sops.nix

@@ -0,0 +1,5 @@
+{
+  sops = {
+    defaultSopsFile = ./../../secrets/secrets.yaml;
+  };
+}

common/user-ppetru.nix

@@ -1,6 +1,7 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   programs.fish.enable = true;
+  sops.secrets.ppetru-password.neededForUsers = true;
   users.users.ppetru = {
     isNormalUser = true;
     extraGroups = [
@@ -10,7 +11,7 @@
 
     shell = pkgs.fish;
 
-    hashedPassword = "$y$j9T$RStwCKefSqHTIiRo6u6Q50$Pp2dNUeJeUMH0HJdDoM/vXMQa2jqyTTPvvIzACHZhVB";
+    hashedPasswordFile = config.sops.secrets.ppetru-password.path;
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdZ9dHN+DamoyRAIS8v7Ph85KyJ9zYdgwoqkp7F+smEJEdDKboHE5LA49IDQk4cgkR5xNEMtxANpJm+AXNAhQOPVl/w57vI/Z+TBtSvDoj8LuAvKjmmrPfok2iyD2IIlbctcw8ypn1revZwDb1rBFefpbbZdr5h+75tVqqmNebzxk6UQsfL++lU8HscWwYKzxrrom5aJL6wxNTfy7/Htkt4FHzoKAc5gcB2KM/q0s6NvZzX9WtdHHwAR1kib2EekssjDM9VLecX75Xhtbp+LrHOJKRnxbIanXos4UZUzaJctdNTcOYzEVLvV0BCYaktbI+uVvJcC0qo28bXbHdS3rTGRu8CsykFneJXnrrRIJw7mYWhJSTV9bf+6j/lnFNAurbiYmd4SzaTgbGjj2j38Gr/CTsyv8Rho7P3QUWbRRZnn4a7eVPtjGagqwIwS59YDxRcOy2Wdsw35ry/N2G802V7Cr3hUqeaAIev2adtn4FaG72C8enacYUeACPEhi7TYdsDzuuyt31W7AQa5Te4Uda20rTa0Y9N5Lw85uGB2ebbdYWlO2CqI/m+xNYcPkKqL7zZILz782jDw1sxWd/RUbEgJNrWjsKZ7ybiEMmhpw5vLiMGOeqQWIT6cBCNjocmW0ocU+FBLhhioyrvuZOyacoEZLoklatsL0DMkvvkbT0Ew== petru@paler.net"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+QbeQG/gTPJ2sIMPgZ3ZPEirVo5qX/carbZMKt50YN petru@happy"