From fcee2c62502593418dbb4f75e988c4c22bef3689 Mon Sep 17 00:00:00 2001
From: Shahab Dogar
Date: Sun, 2 Feb 2025 17:58:24 +0500
Subject: [PATCH] feat: NixOS | use sops-nix to get user password from nix-secrets

---
 flake.lock | 42 ++++++++++++++++++++++++++++++++++++++++-
 flake.nix | 6 ++++++
 nixos/configuration.nix | 23 ++++++++++++++++++++--
 3 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index ca67e80..63f2387 100644
--- a/flake.lock
+++ b/flake.lock
@@ -402,6 +402,24 @@
 "type": "github"
 }
 },
+ "nix-secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1738498247,
+ "narHash": "sha256-xMq5P/UOmLy5iaQo6/5X4JK1MNnmL7EJAfWqPmjtRMQ=",
+ "ref": "main",
+ "rev": "270597e8706aead70607fbed0a78366ed9c2b3c5",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@git.dogar.dev/shahab/nix-secrets"
+ },
+ "original": {
+ "ref": "main",
+ "shallow": true,
+ "type": "git",
+ "url": "ssh://git@git.dogar.dev/shahab/nix-secrets"
+ }
+ },
 "nixos-hardware": {
 "locked": {
 "lastModified": 1738471961,
@@ -539,8 +557,10 @@
 "home-manager": "home-manager",
 "hyprland": "hyprland",
 "lanzaboote": "lanzaboote",
+ "nix-secrets": "nix-secrets",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_2",
+ "sops-nix": "sops-nix"
 }
 },
 "rust-overlay": {
@@ -564,6 +584,26 @@
 "type": "github"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1738291974,
+ "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1689347949,
diff --git a/flake.nix b/flake.nix
index 227cff9..9c0c1cc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,6 +32,12 @@
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ # Secrets
+ nix-secrets = {
+ url = "git+ssh://git@git.dogar.dev/shahab/nix-secrets?shallow=1&ref=main";
+ flake = false;
+ };
 };
 
 outputs = {
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 5b07ac0..da93f79 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -2,8 +2,11 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ lib, inputs, pkgs, hostname, ... }:
+{ config, lib, inputs, pkgs, hostname, ... }:
 
+let
+ secretspath = builtins.toString inputs.nix-secrets;
+in
 {
 # Bootloader.
 boot = {
@@ -134,6 +137,8 @@
 id = ["24353659"];
 };
 
+ users.mutableUsers = false;
+
 # Define a user account. Don't forget to set a password with ‘mkpasswd’.
 users.users.shahab = {
 shell = pkgs.zsh;
@@ -144,7 +149,21 @@
 isNormalUser = true;
 description = "Shahab Dogar";
 extraGroups = [ "networkmanager" "wheel" "input" "libvirtd" ];
- hashedPassword = "$6$.ZlYnf2cZph4tCbM$E/JJUDirRV8MZrgX4Rh.Pi1q95tev1ZxcKjPA1I.uURv56qoWcC39MJWO9S2T5MlkPVbSLGiM8Ihfz9mERImo/";
+ hashedPasswordFile = config.sops.secrets.shahab_passwd.path;
+ };
+
+ sops = {
+ defaultSopsFile = "${secretspath}/secrets.yaml";
+ age = {
+ sshKeyPaths = ["/home/shahab/.ssh/id_ed25519"];
+ keyFile = "/home/shahab/.config/sops/age/key.txt";
+ generateKey = true;
+ };
+ secrets = {
+ shahab_passwd = {
+ neededForUsers = true;
+ };
+ };
 };
 
 # Allow unfree packages
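Review bot: `secretspath = builtins.toString inputs.nix-secrets` is the Nix-store path of the nix-secrets checkout, so the whole repository, not only secrets.yaml, ends up in the world-readable `/nix/store` of every host that evaluates this flake, and nothing in the hunk records that this is only safe while every file in that repo is sops-encrypted. I would add `# Store path of the nix-secrets checkout: it lands in the world-readable /nix/store, so only sops-encrypted files may live in that repo.` above the binding. The attrset opened by `{` at the end of the hunk continues past it.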
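Review bot: The decryption material for a `neededForUsers` secret is taken from `/home/shahab/.ssh/id_ed25519` and `/home/shahab/.config/sops/age/key.txt`, i.e. from the home directory of the very user whose password hash is being provisioned, and that secret is decrypted during early activation — on a fresh install the user and its home do not exist yet, and if `/home` is a separate filesystem that is not `neededForBoot` it is presumably not mounted at that point either. As I read `generateKey = true`, a missing key file is then replaced by a freshly generated age key that is not a recipient of secrets.yaml, decryption fails, and with `users.mutableUsers = false` now set the account is likely left without a usable password. The usual sops-nix layout for user secrets is the root-only host key, present at every boot: `sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` and `keyFile = "/var/lib/sops-nix/key.txt";`. Keeping the key in a user-owned directory also lets that unprivileged user decrypt every other secret later added to the same file, which deserves at least a comment if it is intentional. Separately, the removed `$6$` hash stays in the repository history, so if that history is shared the password behind it should be rotated rather than only moved into sops.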