✨ Finish sops-nix configuration, update README and more

.sops.yaml

@@ -2,19 +2,30 @@ keys:
   - &jo age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d
   - &absolutesolver age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini|cfg)$
+  - path_regex: secrets/[^/]+\.(yaml|json|env|cfg)$
     key_groups:
     - age:
       - *jo
       - *absolutesolver
 
-  - path_regex: systems/[^/]+/absolutesolver/secrets/.*\.(yaml|env|json|ini|cfg)$
+  - path_regex: systems/[^/]+/absolutesolver/secrets/.*\.(yaml|env|json|cfg)$
     key_groups:
     - age:
       - *jo
       - *absolutesolver
 
-  - path_regex: systems/[^/]+/puzzlevision/secrets/.*\.(yaml|env|json|ini|cfg)$
+  - path_regex: systems/[^/]+/puzzlevision/secrets/.*\.(yaml|env|json|cfg)$
     key_groups:
     - age:
       - *jo
+
+  - path_regex: homes/[^/]+/jo/secrets/.*\.(yaml|env|json|cfg)$
+    key_groups:
+    - age:
+      - *jo
+
+  - path_regex: homes/[^/]+/cyn/secrets/.*\.(yaml|env|json|cfg)$
+    key_groups:
+    - age:
+      - *jo
+      - *absolutesolver

README.md

@@ -50,6 +50,16 @@ Additionally, the following command may be used to create a new sops secret file
 nix-shell -p sops --run "sops secrets/example.yaml"
 ```
 
+You may also encrypt arbitrary binary formats, like .cfg, using the following command:
+
+> [!IMPORTANT]
+> The original file location also HAS to match one of the sops creation rules, not just the output.
+> Yes, I know this is stupid, and yes, I've wasted way too much time dealing with this :3
+
+```sh
+nix-shell -p sops --run "sops -e original_file.cfg > secrets/encrypted_file.cfg"
+```
+
 Lastly, when adding new systems, make sure to update any required secret files with the following command:
 
 ```sh

homes/x86_64-linux/jo/default.nix

@@ -1,8 +1,18 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
   puzzlevision = {
     themes.catppuccin.enable = true;
   };
 
+  sops.secrets.wakatime-cfg = {
+    format = "binary";
+    sopsFile = ./secrets/wakatime.cfg;
+    path = "${config.home.homeDirectory}/.wakatime.cfg";
+  };
+
   home.packages = with pkgs; [
     ## GENERAL
     youtube-music

homes/x86_64-linux/jo/secrets/wakatime.cfg

@@ -0,0 +1,19 @@
+{
+	"data": "ENC[AES256_GCM,data:NaNu0ytz8Ji7WJ4gDinY2Tsny+MzgG9vV/7xnZY/dQzB0jMHBxIRAcrzH1A+aqsANeeZPD0XGXC2qIpYUlMKBcfMxkqmlj7XnpvDiXQ9RciCNp8l1xs0wvoxjYghbD8nsL57UQ==,iv:qa1SPnWCShIiz7l4EW6tCT2gJO0qNNcDk05F5hS8H7U=,tag:zArwz8R3/uegsO1ShLjfwg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJS0EySk4wMGVzaUtOZWlN\nUE15SXNVOUtqUDQxV29tNGpBRkdLek5icWg0Cnd5b1FmT3VQTTBDdEtCYzQxNVdk\nWVpQMFpmTXpOcFFlMG5MQjFLTXZRUGsKLS0tIHBvakR1Q0dYdkRqVTJtLzRORzBP\nNU55UEtWUXhBdGN0M0lMQktaVmhSK00KA93LFut6jiYtlndm9Oq0ferFPT4IlBQ1\nDmnD4hWz7NLimWED7RiJ2lSO9IRgQBhLHeiLums/ZPxjFGnnO6sicg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTHh4eExqN1lmUWhOd0tF\ndzVUYXpWblVlem5QcndUQVRRSnZsS0dNK3lVCnpJQUVyRDRiNTFyb3RnSFZnQW9D\nV2sxRlZDcE1yQjI5Yzk3Tmh2ZkdxZ00KLS0tIGlKYUVnZXZtYTJPNEhEVEVhVlI4\na1hGbjJ3VDE0WDZKd0FGYUZzZUp5SEkKp043TYYglP+SWD7IdK/rnSJ4jfqvpGSY\njIDWMZmFTIcPoeVSQrxi7PD9Cd4Q56lhPhCYZR4czk5EdeIEWS9Z6w==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-21T22:54:54Z",
+		"mac": "ENC[AES256_GCM,data:vYmgUvgyQ1i+gih/6YMWX1vqkWzcAn8zgNspICF6KxTYE08i61LGJSaM2R5rh2r/xWY9zKYv8EKH2GSVyJ+hGgSsS0qY8BOKetKMHZEWuWtWSbjO/iKPlmqZXxmPPiPlYUXjlfXB1rzi7RXwDzwVpD1nQTuiK8t2rYJjGgH0kRM=,iv:EEepXDQ/1zy1sO8eXl5LXTHI5OUPFca6WwuYTkHuyEs=,tag:MHA262l7qa8Ngy0tuggPpw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

modules/flake/default.nix

@@ -1,11 +1,11 @@
 {
   imports = [
-    # Exposes nixosModules and homeModules on flake outputs.
-    ./modules.nix
-
     # Automagically imports libs from "/lib/lib-name" and exposes them to the `flake.lib` output.
     ./lib.nix
 
+    # Exposes nixosModules and homeModules on flake outputs.
+    ./modules.nix
+
     # Automagically imports systems from "/systems/arch-classname/system-name".
     ./systems.nix
   ];

modules/home/app/zed/default.nix

@@ -3,7 +3,6 @@
   pkgs,
   self,
   config,
-  osConfig,
   ...
 }: let
   inherit (lib) mkEnableOption mkIf;
@@ -16,12 +15,6 @@ in {
   };
 
   config = mkIf cfg.enable {
-    sops.secrets.wakatime-cfg = {
-      format = "binary";
-      sopsFile = "${self.outPath}/x86_64-nixos/${osConfig.networking.hostname}/secrets/wakatime.cfg";
-      path = "/home/${config.home.homeDirectory}/.wakatime.cfg";
-    };
-
     home.packages = with pkgs; [
       alejandra
     ];

modules/home/security/sops/default.nix

@@ -1,5 +1,5 @@
 {config, ...}: {
   sops = {
-    age.keyFile = "/home/${config.home.username}/.sops-nix/key.txt";
+    age.keyFile = "/home/${config.home.username}/sops-nix/key.txt";
   };
 }

modules/nixos/archetypes/workstation/default.nix

@@ -14,6 +14,11 @@ in {
   };
 
   config = mkIf cfg.enable {
+    environment.sessionVariables = {
+      MOZ_ENABLE_WAYLAND = "1"; # Firefox native Wayland support
+      NIXOS_OZONE_WL = "1"; # Native Wayland in Chromium and Electron based applications
+    };
+
     ${namespace} = {
       # Basic system functionality
       system = {

modules/nixos/system/nix/default.nix

@@ -38,6 +38,8 @@ in {
       package = mkIf cfg.use-lix pkgs.lix; # Enable LIX
     };
 
+    nixpkgs.config.allowUnfree = true;
+
     # Dynamic libraries for unpackaged programs
     programs.nix-ld = mkIf cfg.use-nixld {
       enable = true;

modules/nixos/users/default.nix

@@ -21,6 +21,7 @@
       isSystemUser = self.lib.mkBool false "Whether this user is considered a system user.";
       initialPassword = self.lib.mkOpt (types.nullOr types.str) null "Plaintext insecure initial user password, only recommended for testing.";
       password = self.lib.mkOpt (types.nullOr types.str) null "Plaintext insecure user password, only recommended for testing.";
+      hashedPasswordFile = self.lib.mkOpt (types.nullOr types.str) null "Secure, hashed user password stored in a separate file, recommended for production.";
       extraGroups = self.lib.mkOpt (types.listOf types.str) [] "List of additional groups this user belongs to.";
     };
   };
@@ -48,6 +49,7 @@ in {
     users.users = lib.mapAttrs (username: userConfig:
       mkIf userConfig.enable {
         name = username;
+        hashedPasswordFile = userConfig.hashedPasswordFile;
         inherit (userConfig) isNormalUser isSystemUser initialPassword password extraGroups;
       })
     cfg;

systems/x86_64-nixos/puzzlevision/default.nix

@@ -1,12 +1,27 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
   imports = [
     ./hardware.nix
   ];
 
+  # Todo: automate this globally for all workstation and server archetypes!
+  # Configure Sops
+  sops.defaultSopsFile = ./secrets/users.yaml;
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+
+  # Todo: automate this import in users module!
+  # Require user password secrets for users
+  sops.secrets."users/jo/password_hash" = {
+    neededForUsers = true;
+  };
+
   puzzlevision = {
     users.jo = {
       enable = true;
-      password = "jo"; # For testing only, replace with sops secret before production use
+      hashedPasswordFile = config.sops.secrets."users/jo/password_hash".path; # For testing only, replace with sops secret before production use
       extraGroups = ["wheel"];
     };
 

systems/x86_64-nixos/puzzlevision/secrets/users.yaml

@@ -0,0 +1,27 @@
+users:
+    jo:
+        password_hash: ENC[AES256_GCM,data:uL+bcgY09s6X1QGgRF9QjCYzba/vPp2mUmEtMWnOID8lmn7rBrYB5pQ1HL/vXtUQUnrnxoXiy5l4nRlT7vxbmIMOgzSiu6fQvQ==,iv:v5ags2roqXyMEQiYdryt+G8/yp1NFT4zlS07BBErGlY=,tag:AedjvcTidDT2EzFipBkxqw==,type:str]
+sops:
+    age:
+        - recipient: age1qcjcwh9tq8pzf2yr7m3hm2n3n3y5rlc30fpkr0eytju9w57ucgcsgcy79d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvSEdxL2pyZHRiVlFqOE1i
+            MWpScjRSdEJJZjRmQ0dsRTBYSlFsSncyd1FnCjNDWEI1cHNuVGd4dEJDMXF2NnlI
+            SFA3NFU3SkpGLzZMNjZtc1JHajhEeXMKLS0tIGhaSDVqSGxaZEwrdFZ6ZDF6a0cw
+            ZmluTzlkNGFSTmZLNlVYdFBOWTQ2cDgKJL4o95JLEKFI3FUQ2+g4N0GWGohRtmW7
+            fn7zxQhRFf8U9yE4gI3OBTEweoyJQh+m/JH6XCg7H5jrJjze5miSUQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ajkq0lalyc75tjhdtpx2yshw5y3wt85fwjy24luf69rvpavg33vqw6c3tc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjdkFCaFZkZjJuc0dHdE03
+            Z2N5ZnZrMnFIQ0R5U2NqMjFoWWZSNUl5Mm1FCmxIMDFNSGtOamhtZDJjdi82Ty9h
+            VU0xN1pza2VpSDA1N01oN3FTUHNxcGcKLS0tIFZhVWFuQ1VXS2dyUEF6NHliNW9I
+            N21SUVFML3Z3Y3FMV3RiV2pGOUJMd00KyoA9/4gSxQTIInRsiF0gdOqYHoI8s2cG
+            DozFpSRzkrev6sSxEDJC8N/BmpVm2v8Wzpg572i1trEBQIjZMqqhJA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-21T23:53:55Z"
+    mac: ENC[AES256_GCM,data:cFcxewPQLyf6w6UlJrPqeZBqIO745gBUaeYbpe4OW+ZnhH54/fsneotceVMT2svUUzwzZbwuwe+wzg6UIR+hEve5XBjxMohKDJqt37R/Q2LkGiabYfxbF0sc8Tdt1W4tYTk1BjkhK0oBIZxmgZCej9kD4iVZH5G2Ku1nOfaiZpo=,iv:x4sG46l7msbt5mhn4O4yv3k+LhBbKqC0nBpsq+MF844=,tag:C8xxYVSKND4DTD3u3Ln27A==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2