From fee6830edc6830bd79803eef4d8f20fed3d701fb Mon Sep 17 00:00:00 2001
From: Nick
Date: Wed, 5 Nov 2025 23:36:54 -0600
Subject: [PATCH] feat: set up declarative password with sops
---
 profiles/user0/default.nix | 7 ++++---
 secrets/secrets.yaml | 7 +++----
 systems/ceres/config/filesystem.nix | 5 -----
 systems/deimos/config/filesystem.nix | 14 +++++++-------
 4 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix
index 58c104f..8dd38c9 100755
--- a/profiles/user0/default.nix
+++ b/profiles/user0/default.nix
@@ -16,22 +16,23 @@ in {
 sops.secrets = {
- "passwords/user0" = {
+ "password-user0" = {
 neededForUsers = true;
+ sopsFile = ../../secrets/secrets.yaml;
 };
 };
 users = {
 users = {
 "root" = {
- hashedPasswordFile = config.sops.secrets."passwords/user0".path;
+ hashedPasswordFile = config.sops.secrets."password-user0".path;
 };
 ${user0} = {
 description = name;
 name = user0;
 isNormalUser = true;
 shell = pkgs.nushell;
- hashedPasswordFile = config.sops.secrets."passwords/user0".path;
+ hashedPasswordFile = config.sops.secrets."password-user0".path;
 extraGroups = [
 "adbusers" "caddy"
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index fcf6cb2..d44b466 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
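Review bot: Both `"root"` and `${user0}` now read `hashedPasswordFile` from the same `password-user0` secret, so the unprivileged account's password is literally the root password and any leak of the user login (phishing, a shoulder-surfed terminal, a service that authenticates against PAM) gives direct root. Give root its own entry, e.g. `hashedPasswordFile = config.sops.secrets."password-root".path;` backed by a separate `password-root` secret with `neededForUsers = true`, or, if user0 is meant to escalate through sudo, lock root with `hashedPassword = "!";`. The explicit `sopsFile` plus `neededForUsers = true` is the right shape for a password hash, since the file must exist before users are created at activation. The `${user0}` attribute set continues past the hunk (the `extraGroups` list is cut), so whether user0 is in `wheel` is not visible here.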
@@ -48,8 +48,7 @@ firefly-iii-pass: ENC[AES256_GCM,data:gy7CuAy2PqKyr/+fHjHuKosj7Mi2cfOop4bLew0vZt
 firefly-iii-data: ENC[AES256_GCM,data:EY/CNiSrnmUjotIshk4KqJ2P7IMpiXYyBr7NeYcI69k=,iv:bocGJHNLMAfHFjs3/6wwxwYqq0qar/uNrwppK+MQjBg=,tag:2H5TD6bd9PUgN7BWkwNuzA==,type:str]
 firefly-iii-smtp: ENC[AES256_GCM,data:suCsPpd5acpasLLJPcgf9gUQlz4geqm/fNlw5b1+zMo=,iv:63o2Jtrn1T+CSeB9YZ9Zr0873zxgAdBDklwdNuC2bT4=,tag:L4smPSDq/FHMQzS39ege1Q==,type:str]
 roundcube-pass: ENC[AES256_GCM,data:vLvNVgiOQKIIoBhFD2if4Ct/1qugwe6i9OG8rB4sv4o=,iv:iJJlzgIocPe3ty67C39MF09FkU+p7hqd+GLnE0PBJAA=,tag:kzPVQP55YwMeYHrrsHFHJQ==,type:str]
-passwords:
- user0: ENC[AES256_GCM,data:q+yH7s5pUmMZcX2HmcwxtdXQJHUK1bQXhGoog1cRMIFtk+KkLWygzBm74xKzqWI4f1cf9uHeNZniiZX8LnkdC6e6Purl7qyjJBw=,iv:5MTvFZoELBrZxIto8vJUJPo8Kd0rjjnCAYUt2tEngxA=,tag:u2kCFjM7v2KYLGL9h5ff/Q==,type:str]
+password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str]
 sops:
 age:
 - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0
@@ -61,7 +60,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-06T02:54:32Z"
- mac: ENC[AES256_GCM,data:WHBK6LzbBy8h4qjYcem0P871ltIEmaOWHjO+d9+E2aPg57BsgcpEWqMEpPmOoyujiRDu4p/eWMM5yHIBLkwuFJfQMCQ1Iwtl2Ei47Yf9DABjOfR2VslTq+Khpb13xaewxYEsNF15HJGi/bAxK9YWuwGa1ruNlmRH6rmF7OabqqE=,iv:Rv7QZKBkqBtlDkUDuDVzN79Wzc1nocbTLgTmXg8BTzU=,tag:qaIa0R8z9wLmrcYkoeW+Yg==,type:str]
+ lastmodified: "2025-11-06T05:11:00Z"
+ mac: ENC[AES256_GCM,data:pdRMReKbgR+gLToBrYc+Tf/i1jywvNPvPq3it8YZb49pE634haifD8PoP1Olnnm2/s7zY9ZMfDNIONDv6Es9ASZduh+nilgEy6u2o1P8fA4Bd1Hkmezbsld02OsVSDvNxhEqzRWCBEysKaJcKX8MCkoh71l7psM/n41nRANc9sA=,iv:0h9ZHptwYmB2ehaebpijYwcklQeQJxD2jn/+R3RB1f8=,tag:FBRxhPrHsIF+48PxOPyf9g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix
index 8407371..a375523 100755
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@@ -85,11 +85,6 @@ in
 directories = [
 "/var/cache" "/var/lib"
- "/etc/passwd"
- "/etc/shadow"
- "/etc/group"
- "/etc/subuid"
- "/etc/subgid"
 { directory = "/etc/ssh";
 mode = "u=rwx,g=rx,o=rx";
diff --git a/systems/deimos/config/filesystem.nix b/systems/deimos/config/filesystem.nix
index 8377a05..227423a 100755
--- a/systems/deimos/config/filesystem.nix
+++ b/systems/deimos/config/filesystem.nix
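Review bot: Dropping `/etc/shadow`, `/etc/passwd`, `/etc/group`, `/etc/subuid` and `/etc/subgid` from the persisted paths means every account and password not declared in Nix is rebuilt from scratch on each boot, which is only safe if the user set is fully declarative; `users.mutableUsers` is not visible in this commit, and if it is still at its default of `true`, a password changed with `passwd` will silently disappear at the next reboot instead of the configuration refusing to build. Pair this removal with `users.mutableUsers = false;` next to the sops-backed `hashedPasswordFile` so NixOS owns the account state that is no longer on disk and any user lacking a declared hash is visibly locked rather than quietly reset. This change is only made for ceres; if deimos also runs an ephemeral root, its persistence list presumably needs the same treatment, but that file's hunk below does not show it. The `directories = [` list is not closed inside the hunk, so any remaining entries after `/etc/ssh` are not visible here.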
@@ -59,13 +59,13 @@ in
 fsType = "vfat";
 options = deimos.boot.options;
 };
- }
- // (builtins.listToAttrs (
- builtins.concatMap (drive: map (folder: sambaMounts drive folder) remoteFolders) sambaDrives
- ))
- // (builtins.listToAttrs (
- builtins.concatMap (drive: map (folder: sshfsMounts drive folder) remoteFolders) remoteDrives
- ));
+ };
+ # // (builtins.listToAttrs (
+ # builtins.concatMap (drive: map (folder: sambaMounts drive folder) remoteFolders) sambaDrives
+ # ))
+ # // (builtins.listToAttrs (
+ # builtins.concatMap (drive: map (folder: sshfsMounts drive folder) remoteFolders) remoteDrives
+ # ));
 swapDevices = [
 { device = "/dev/disk/by-uuid/027a1efb-6c4e-4c1a-9956-91c7513950b4"; }
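Review bot: The samba and sshfs mount merges are commented out rather than removed, leaving seven lines of dead code inside `fileSystems` and, presumably, now-unused `sambaMounts`, `sshfsMounts`, `remoteFolders`, `sambaDrives` and `remoteDrives` bindings in the enclosing `let` (not visible in the hunk). Either delete the block outright, since git history keeps it, or keep it live behind a switch such as `// lib.optionalAttrs deimos.remoteMounts.enable (builtins.listToAttrs (...))` so the intent is explicit and the code keeps evaluating; if it was disabled because the network mounts break boot, say so in a one-line comment above `};` rather than leaving the reader to guess. This edit is also unrelated to the commit's stated subject (declarative passwords via sops) and would be easier to bisect or revert as its own commit. The `fileSystems` attribute set opens before the hunk, so the other mounts it defines are not visible here.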