Modules: Rename sops modules to sops-nix

system/modules/default.nix

@@ -7,6 +7,6 @@
     ./mime
     ./network
     ./polkit
-    ./sops
+    ./sops-nix
   ];
 }

system/modules/sops-nix/default.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  mylib,
+  pkgs,
+  username,
+  ...
+}: let
+  inherit (config.modules) sops-nix;
+in {
+  options.modules.sops-nix = import ./options.nix {inherit lib mylib;};
+
+  config = {
+    environment.systemPackages = with pkgs; [
+      sops
+      age
+      ssh-to-age
+    ];
+
+    sops = {
+      defaultSopsFile = ./secrets.yaml;
+
+      age = {
+        keyFile = "/home/${username}/.secrets/age/age.key";
+        generateKey = false;
+        sshKeyPaths = [];
+      };
+
+      secrets = let
+        mkSecret = name: {${name} = {};};
+      in
+        if (builtins.hasAttr "${username}" sops-nix.secrets)
+        then lib.mergeAttrsList (builtins.map mkSecret sops-nix.secrets.${username})
+        else {};
+    };
+  };
+}

system/modules/sops-nix/options.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  mylib,
+  ...
+}: {
+  secrets = lib.mkOption {
+    type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+    description = "The secrets to expose on this host";
+    example = ''
+      christoph = [
+        "docker-password"
+      ];
+    '';
+    default = [];
+  };
+}

system/modules/sops-nix/secrets.yaml

@@ -0,0 +1,20 @@
+docker-password: ENC[AES256_GCM,data:wUTViGGdu2tX6YbS7PuNj44uvixvUYBgNtumbhh1UU4=,iv:XIMLnEyNifD1nGfuFbqrxCBgfbPfC8ARP/eEzGo5McE=,tag:OwR++1BIGZ7obQcNAKhu0g==,type:str]
+heidi-discord-token: ENC[AES256_GCM,data:Nnt3mH5HCMog3b5Bz2vuaseCee7gA1HsBP16M7toXLs/TxZDlNWZQR4HMuJA/fwVjhd0WxzWzaX69lk=,iv:xhELYieQxBpecslhcpwTxJKJ/KEH2kDwqHMfO2VTdt8=,tag:JXYzgh4gMEwEkIUzf7gvRw==,type:str]
+kopia-server-username: ENC[AES256_GCM,data:9+PsrhKKcJJp,iv:dRTclwpZmfL8ixaUSzqgZXPbO+wTXcVJIKlQCky3tZg=,tag:ntLvlsxVuPvwr9D2YRGrtw==,type:str]
+kopia-server-password: ENC[AES256_GCM,data:B32JJPg=,iv:LZtud43b2/hotB2/TGQvp5ENBXXy5eGpJg4fUF3ymSM=,tag:CdKddcv7TDMBSH/nkmOAXg==,type:str]
+kopia-user-password: ENC[AES256_GCM,data:aHK2NZATutKxaQ==,iv:vWUK9QoOOszHqRrhZHwWhFC8VBcBnJY/GiVRkbPFyyg=,tag:qioUwrdiwBBTliFXxzda0g==,type:str]
+sops:
+    age:
+        - recipient: age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTXEyQlVTZnpoL2paTXhx
+            eVF2M1JDNkdOUDRwMkEzNE5lRWJma2Z3Q0RFCnJCa2ZvU3hMNm1wRUxpRFg3QmR5
+            UXZOS241UTEwYTF2WGdxdW1WMU9QTnMKLS0tIG1IeUdjSGxuT0JWYUd4ci85WHFq
+            ZEc2MFA5VG9QbFhzYmp3c3B5MzMwTjAKYBcvUmD00oUUllNbqqi9wouoaffMjaxN
+            nYFhzbgK8n0a5+9ZKTQGgDnl2W0M7uKuADTN8DF7JtepIeQYGWi2sQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-09T15:08:08Z"
+    mac: ENC[AES256_GCM,data:0B6GHJaqzONxtGqI14iEYvx/6Kjg2NnnxLyaecdrQ9klu4Ee4/SKA8ZlgLx8+953iXGgkDHzG0nCe/1TTjMjzW4AucdynMTJmgL68lQfLeVgkhrCVGpkH0LHIFokrnWy2++0aGvrsYCA0OXDdts+b9nU9kfRAZ4OIUQ1RjB5vX4=,iv:7s/SJtqfz3/pdmnP/SGSyM5/PY1UGn+P9c1/uz679SU=,tag:vo0IxNlOPwocJl3d+B9hgg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2

system/modules/sops-nix/sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &christoph age14ph8vrj657e7s35d60xehzuq46t9zd6pzcm6pw4jragzrvf6xs9s77usnm
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+      - age:
+        - *christoph

system/modules/sops/default.nix

@@ -1,15 +0,0 @@
-{
-  config,
-  lib,
-  mylib,
-  pkgs,
-  ...
-}: let
-  inherit (config.modules) sops;
-in {
-  options.modules.sops = import ./options.nix {inherit lib mylib;};
-
-  config = {
-    environment.systemPackages = [pkgs.sops];
-  };
-}

system/modules/sops/options.nix

@@ -1,6 +0,0 @@
-{
-  lib,
-  mylib,
-  ...
-}: {
-}

system/modules/sops/secrets.yaml

@@ -1,24 +0,0 @@
-kopia:
-    server-password: ENC[AES256_GCM,data:D2yE4j4=,iv:j96uk5MuHrrEf8y6c3HWBB822fBjC5ilhO6GMnruU6o=,tag:YmqD3Id7jD4sPAu2ncFJaQ==,type:str]
-    user-password: ENC[AES256_GCM,data:Trv39FNFSzvb2g==,iv:Bqvv8UipTIWd7zkYCZNe8Wjj+zdt2b8J+86g2gRKfvY=,tag:Jb6E76hj1bkSmqxPu6c+mA==,type:str]
-dockerhub:
-    password: ENC[AES256_GCM,data:7q6WsQ2rVIAC7HeLqYUK1g9WmTAEu8vvplpe/Kmt7Ns=,iv:x3b3eoj3UuRK3XZAN6KyYcVlXjm7sidtoqaByPdl90s=,tag:vZKO5gxtFG5nSiRQxxfCGQ==,type:str]
-heidi:
-    discord-token: ENC[AES256_GCM,data:lhG/5UHsgJX6dF8x29GlPJ0SL3WVRd72NgiTAIqJOGODlzDqjqRG+vM+FR2Rn2QPt9MatqDWH4c9hxQ=,iv:hd2DFftCaPnDO74n0SKsOEstRoUdgRshUPliFhtjSEc=,tag:nJs/PYDj4f7g4gdiEGrStQ==,type:str]
-sops:
-    lastmodified: "2025-07-09T14:23:23Z"
-    mac: ENC[AES256_GCM,data:Q7TiCljoWvzTsfmHc3xjh2rc4KKtw4rhxm0IkeZlUv0lshgjfrNpLxZVDnACavWG8ez379vpauuIhwZdZIaoO8Vtd2RfCS6bIOr4LdO8c89fVMhKSWa00a1uKsjjKTra9uAWoZZjBcZjLzAeIJWEHfcjQqqDNZl9thMAlguIr+Y=,iv:w41vmyiBrkzPzCZKzkAEF7jVyhOOTCgoEkAxYYa+VZc=,tag:Qw/asLEK/dms9GD+rJp4aA==,type:str]
-    pgp:
-        - created_at: "2025-07-09T14:12:43Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hF4DqfTzg9CqtWESAQdAu4+RjWQkFhZACL8agIDAfDRl7SGwkerlYB/JVwbTvF4w
-            Aka16C3y25sjOegyLfuHm0omD1ojca9LgfEDPIh3sUTlUcMttPDYbmraW6MDMM/W
-            0lwB+1YoPkhaT0AhwmFG+1PnVGtCaOaV3yaBsEv6KBrQ6D9PkgAgN1sNmVgRevXo
-            pMjdAsFTRXeJyCAtvAwYet0IhhZ5NqMvvkmjU5Mo3eV/eil4w8WafYq4qOamfw==
-            =Cs9+
-            -----END PGP MESSAGE-----
-          fp: 2D77520CF698928A855E0B9A2AB59FDA7728388B
-    unencrypted_suffix: _unencrypted
-    version: 3.10.2

system/modules/sops/sops.yaml

@@ -1,8 +0,0 @@
-keys:
-  # sops-nix public gpg key fingerprint
-  - &christoph 2D77520CF698928A855E0B9A2AB59FDA7728388B
-creation_rules:
-  - path_regex: secrets.yaml$
-    key_groups:
-      - pgp:
-        - *christoph