From 05ea17564f9ab4573b3eaf494906e283b76930d4 Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 5 Nov 2025 21:13:54 -0600
Subject: [PATCH] feat: set up declarative password with sops

---
 profiles/user0/default.nix | 8 ++++++++
 secrets/secrets.yaml | 6 ++++--
 systems/ceres/config/filesystem.nix | 7 ++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix
index 1e62ff6..5fee9b4 100755
--- a/profiles/user0/default.nix
+++ b/profiles/user0/default.nix
@@ -14,12 +14,20 @@ let
 hostname = config.networking.hostName;
 in
 {
+
+ sops.secrets = {
+ "passwords/user0" = {
+ neededForUsers = true;
+ };
+ };
+
 users = {
 users.${user0} = {
 description = name;
 name = user0;
 isNormalUser = true;
 shell = pkgs.nushell;
+ hashedPasswordFile = config.sops.secrets."passwords/user0".path;
 extraGroups = [
 "adbusers"
 "caddy"
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 0113790..fcf6cb2 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -48,6 +48,8 @@ firefly-iii-pass: ENC[AES256_GCM,data:gy7CuAy2PqKyr/+fHjHuKosj7Mi2cfOop4bLew0vZt
 firefly-iii-data: ENC[AES256_GCM,data:EY/CNiSrnmUjotIshk4KqJ2P7IMpiXYyBr7NeYcI69k=,iv:bocGJHNLMAfHFjs3/6wwxwYqq0qar/uNrwppK+MQjBg=,tag:2H5TD6bd9PUgN7BWkwNuzA==,type:str]
 firefly-iii-smtp: ENC[AES256_GCM,data:suCsPpd5acpasLLJPcgf9gUQlz4geqm/fNlw5b1+zMo=,iv:63o2Jtrn1T+CSeB9YZ9Zr0873zxgAdBDklwdNuC2bT4=,tag:L4smPSDq/FHMQzS39ege1Q==,type:str]
 roundcube-pass: ENC[AES256_GCM,data:vLvNVgiOQKIIoBhFD2if4Ct/1qugwe6i9OG8rB4sv4o=,iv:iJJlzgIocPe3ty67C39MF09FkU+p7hqd+GLnE0PBJAA=,tag:kzPVQP55YwMeYHrrsHFHJQ==,type:str]
+passwords:
+ user0: ENC[AES256_GCM,data:q+yH7s5pUmMZcX2HmcwxtdXQJHUK1bQXhGoog1cRMIFtk+KkLWygzBm74xKzqWI4f1cf9uHeNZniiZX8LnkdC6e6Purl7qyjJBw=,iv:5MTvFZoELBrZxIto8vJUJPo8Kd0rjjnCAYUt2tEngxA=,tag:u2kCFjM7v2KYLGL9h5ff/Q==,type:str]
 sops:
 age:
 - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0
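Review bot: `hashedPasswordFile` on the `users.${user0}` line is copied verbatim into /etc/shadow, so the `passwords/user0` secret must hold a crypt(3) hash (e.g. the output of `mkpasswd -m yescrypt`), never the plaintext password; the hunk does not record that and the ciphertext in secrets.yaml cannot be checked here, so I would pin it with a comment above the `sops.secrets` entry: `# Must be a crypt(3) password hash (mkpasswd -m yescrypt), not the plaintext; it is copied into /etc/shadow`. Because `neededForUsers = true` makes sops-nix decrypt this secret during the users activation step, the age identity it uses (by default derived from the host SSH key) has to be readable at that point, which is presumably what the `/etc/ssh` `neededForBoot` change in filesystem.nix is for; if the host key is ever regenerated or the matching age recipient dropped from secrets.yaml, the account is created without a usable password, so keep a second login path such as an SSH authorized key until a reboot has confirmed this works. Which value wins for an account that already exists depends on `users.mutableUsers`, which is not visible in this hunk; if sops is meant to be the sole source of truth, set `users.mutableUsers = false;` so a `passwd` change cannot diverge from it. The `users` attribute set continues past the end of the hunk.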
@@ -59,7 +61,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-04T20:22:31Z"
- mac: ENC[AES256_GCM,data:mL+7OjHRuSpGFaBAyNA1VP5GtwaL97uGVZo6eMduPNSy2bAkE6PhFwzVKLUikKCjOdYut1xF9aVRa0Sj1CiOTHoJdRlzpF02XSeTGJ/uxYFap29F7PruGzv24Xy7zfHQQYDO/ypBUSDgS8yO73zjjqBqlIT5NQD9X1M0TDT/QUk=,iv:g8JAT9B+irTZiH7e7hlp6x+gjlDUztlSe7FUPKcJ2Fg=,tag:OSQlvguKpQmG1r90fDWemA==,type:str]
+ lastmodified: "2025-11-06T02:54:32Z"
+ mac: ENC[AES256_GCM,data:WHBK6LzbBy8h4qjYcem0P871ltIEmaOWHjO+d9+E2aPg57BsgcpEWqMEpPmOoyujiRDu4p/eWMM5yHIBLkwuFJfQMCQ1Iwtl2Ei47Yf9DABjOfR2VslTq+Khpb13xaewxYEsNF15HJGi/bAxK9YWuwGa1ruNlmRH6rmF7OabqqE=,iv:Rv7QZKBkqBtlDkUDuDVzN79Wzc1nocbTLgTmXg8BTzU=,tag:qaIa0R8z9wLmrcYkoeW+Yg==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix
index ffeeee4..2492e6d 100755
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@@ -8,6 +8,7 @@ let
 inherit (flake.config.people) user0;
 rootDevice = "/dev/disk/by-uuid/df9868a4-2dd1-40d5-9f5f-c56ceac62216";
+ bootDevice = "/dev/disk/by-uuid/DF19-AD99";
 in
 {
 fileSystems = {
@@ -37,7 +38,7 @@ in
 };
 "/boot" = {
- device = "/dev/disk/by-uuid/DF19-AD99";
+ device = bootDevice;
 fsType = "vfat";
 options = [
 "fmask=0077"
@@ -49,6 +50,10 @@ in
 device = "/dev/disk/by-label/storage";
 fsType = "ext4";
 };
+
+ "/etc/ssh" = {
+ neededForBoot = true;
+ };
 };
 boot.initrd.postResumeCommands = lib.mkAfter ''
 mkdir /btrfs_tmp
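Review bot: The new `"/etc/ssh"` entry in the last hunk carries only `neededForBoot = true` with no `device` or `fsType`, so it evaluates only if the same mount point is completed elsewhere (presumably a bind mount from persistent storage, given the btrfs root handling in `boot.initrd.postResumeCommands` directly below it); if nothing else defines it, NixOS's fstab generation fails with "No device specified for mount point". The reason for the flag is also undocumented although it is the load-bearing part of this commit: with `sops.secrets."passwords/user0".neededForUsers = true` in profiles/user0/default.nix, sops-nix decrypts the password hash early in activation using, by default, the age identity derived from the host SSH key, so /etc/ssh must already be mounted at that point or the user is created with no password. I would add above the entry: `# Host SSH key is the sops-nix age identity; it must be mounted before user secrets (neededForUsers) are decrypted`. It is worth confirming on a fresh boot that the key under /etc/ssh is the one matching the age recipient in secrets.yaml, since a regenerated host key would silently leave the account unreachable by password. The `fileSystems` set closes inside the hunk, but the `boot.initrd.postResumeCommands` string continues past its end.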