From b05b20746292fac09966cd2f806aba8dbdb47a73 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher
Date: Wed, 9 Jul 2025 15:12:40 +0200
Subject: [PATCH] Flake: Add sops-nix
---
 flake.lock | 23 ++++++++++++++++++++-
 flake.nix | 50 ++++++++++++++++++++++++----------------------
 system/default.nix | 12 +++++------
 3 files changed, 53 insertions(+), 32 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0a138872..6fd2cae9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -602,7 +602,28 @@
 "nixpkgs": "nixpkgs_2",
 "nixvim": "nixvim",
 "nps": "nps",
- "nur": "nur"
+ "nur": "nur",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1751606940,
+ "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index 29bb1659..1d7fe4fb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,10 +16,14 @@
 home-manager.url = "github:nix-community/home-manager";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 
- # Agenix
+ # Manage secrets with agenix
 agenix.url = "github:ryantm/agenix";
 agenix.inputs.nixpkgs.follows = "nixpkgs";
 
+ # Manage secrets with sops
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+
 # Nix User Repository (e.g. Firefox addons)
 nur.url = "github:nix-community/NUR";
 nur.inputs.nixpkgs.follows = "nixpkgs";
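Review bot: After this hunk the inputs set declares two secret-management backends, agenix and sops-nix, with near-identical comments, and nothing records which one new secrets should be written with or whether this is a migration. If sops-nix is intended to replace agenix, a comment on the new input such as `# Manage secrets with sops (replacing agenix; drop the agenix input once all secrets are converted)` would capture that; if both are meant to stay, a sentence saying what each backend is used for would do the same job. Two active decryption paths per host also means two key-handling stories to audit, so documenting the intent here pays off later. The `inputs` attribute set these lines belong to starts before the hunk and continues past it.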
@@ -141,6 +145,15 @@
 publicKeys.christoph = {
 ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAoJac+GdGtzblCMA0lBfMdSR6aQ4YyovrNglCFGIny christoph.urlacher@protonmail.com";
 };
+
+ # Extra NixOS system modules for all hosts.
+ # HM modules are passed through home/modules/default.nix instead.
+ commonModules = [
+ inputs.agenix.nixosModules.default
+ inputs.sops-nix.nixosModules.sops
+
+ # TODO: inputs.nix-topology.nixosModules.default
+ ];
 in {
 # Local shell for NixFlake directory
 devShells."${system}".default = import ./shell.nix {inherit pkgs;};
@@ -176,47 +189,36 @@
 hostname = "nixinator";
 username = "christoph";
 headless = false;
-
- # Extra NixOS system modules.
- # HM modules are passed through home/modules/default.nix
- extraModules = [
- # TODO:
- # inputs.nix-topology.nixosModules.default
- inputs.agenix.nixosModules.default
- ];
+ extraModules =
+ []
+ ++ commonModules;
 };
 nixtop = mylib.nixos.mkNixosConfigWithHomeManagerModule {
 inherit system mylib publicKeys;
 hostname = "nixtop";
 username = "christoph";
 headless = false;
- extraModules = [
- # TODO:
- # inputs.nix-topology.nixosModules.default
- inputs.agenix.nixosModules.default
- ];
+ extraModules =
+ []
+ ++ commonModules;
 };
 servenix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
 inherit system mylib publicKeys;
 hostname = "servenix";
 username = "christoph";
 headless = true;
- extraModules = [
- # TODO:
- # inputs.nix-topology.nixosModules.default
- inputs.agenix.nixosModules.default
- ];
+ extraModules =
+ []
+ ++ commonModules;
 };
 thinknix = mylib.nixos.mkNixosConfigWithHomeManagerModule {
 inherit system mylib publicKeys;
 hostname = "thinknix";
 username = "christoph";
 headless = true;
- extraModules = [
- # TODO:
- # inputs.nix-topology.nixosModules.default
- inputs.agenix.nixosModules.default
- ];
+ extraModules =
+ []
+ ++ commonModules;
 };
 
 # These configurations don't include HM.
diff --git a/system/default.nix b/system/default.nix
index ac1ddd04..2ae1507d 100644
--- a/system/default.nix
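Review bot: The `[] ++ commonModules` expression written into all four host entries (nixinator, nixtop, servenix, thinknix) is a no-op concatenation; `extraModules = commonModules;` evaluates to the same list and reads more directly. If the empty list is meant as the slot where host-specific modules will be added, make that explicit on the line itself, e.g. `[] # host-specific NixOS modules go here`, so the next reader does not simplify it away. Since every host now receives both the agenix and the sops-nix module through `commonModules`, the comment on that binding in the earlier hunk could also say that headless servers get both backends on purpose. The attribute set these host entries belong to starts before the hunk and continues past it.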
+++ b/system/default.nix
@@ -271,13 +271,11 @@
 with mylib.networking; {
 neovim.enable = true;
 nix-ld.enable = true; # Load dynamically linked executables
- gnupg = {
- agent = {
- enable = true;
- enableBrowserSocket = true;
- enableExtraSocket = true;
- enableSSHSupport = true;
- };
+ gnupg.agent = {
+ enable = true;
+ enableBrowserSocket = true;
+ enableExtraSocket = true;
+ enableSSHSupport = true;
 };
 
 hyprland = {
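Review bot: The flattened `gnupg.agent` block keeps three agent sockets enabled (`enableSSHSupport`, `enableExtraSocket`, `enableBrowserSocket`) without a comment saying why each is needed; the extra socket is the restricted one intended for forwarding the agent to remote hosts and the browser socket serves browser extensions, so a line such as `# ssh-agent replacement + restricted forwarding socket + browser socket; remove any socket not in use` above the block would let a reader decide whether all three are still required on every host this file applies to. This hunk is also unrelated to the commit subject (adding sops-nix); keeping the refactor in its own commit would make the history easier to bisect. The enclosing attribute set (presumably `programs`) starts before the hunk.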