feat: set up declarative password with sops

profiles/user0/default.nix

@@ -16,22 +16,23 @@ in
 {
 
   sops.secrets = {
-    "passwords/user0" = {
+    "password-user0" = {
       neededForUsers = true;
+      sopsFile = ../../secrets/secrets.yaml;
     };
   };
 
   users = {
     users = {
       "root" = {
-        hashedPasswordFile = config.sops.secrets."passwords/user0".path;
+        hashedPasswordFile = config.sops.secrets."password-user0".path;
       };
       ${user0} = {
         description = name;
         name = user0;
         isNormalUser = true;
         shell = pkgs.nushell;
-        hashedPasswordFile = config.sops.secrets."passwords/user0".path;
+        hashedPasswordFile = config.sops.secrets."password-user0".path;
         extraGroups = [
           "adbusers"
           "caddy"

secrets/secrets.yaml

@@ -48,8 +48,7 @@ firefly-iii-pass: ENC[AES256_GCM,data:gy7CuAy2PqKyr/+fHjHuKosj7Mi2cfOop4bLew0vZt
 firefly-iii-data: ENC[AES256_GCM,data:EY/CNiSrnmUjotIshk4KqJ2P7IMpiXYyBr7NeYcI69k=,iv:bocGJHNLMAfHFjs3/6wwxwYqq0qar/uNrwppK+MQjBg=,tag:2H5TD6bd9PUgN7BWkwNuzA==,type:str]
 firefly-iii-smtp: ENC[AES256_GCM,data:suCsPpd5acpasLLJPcgf9gUQlz4geqm/fNlw5b1+zMo=,iv:63o2Jtrn1T+CSeB9YZ9Zr0873zxgAdBDklwdNuC2bT4=,tag:L4smPSDq/FHMQzS39ege1Q==,type:str]
 roundcube-pass: ENC[AES256_GCM,data:vLvNVgiOQKIIoBhFD2if4Ct/1qugwe6i9OG8rB4sv4o=,iv:iJJlzgIocPe3ty67C39MF09FkU+p7hqd+GLnE0PBJAA=,tag:kzPVQP55YwMeYHrrsHFHJQ==,type:str]
-passwords:
-    user0: ENC[AES256_GCM,data:q+yH7s5pUmMZcX2HmcwxtdXQJHUK1bQXhGoog1cRMIFtk+KkLWygzBm74xKzqWI4f1cf9uHeNZniiZX8LnkdC6e6Purl7qyjJBw=,iv:5MTvFZoELBrZxIto8vJUJPo8Kd0rjjnCAYUt2tEngxA=,tag:u2kCFjM7v2KYLGL9h5ff/Q==,type:str]
+password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str]
 sops:
     age:
         - recipient: age19dpncsdphdt2tmknjs99eghk527pvdrw0m29qjn2z2gg3et5tdtqycqhl0
@@ -61,7 +60,7 @@ sops:
             bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
             aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-06T02:54:32Z"
-    mac: ENC[AES256_GCM,data:WHBK6LzbBy8h4qjYcem0P871ltIEmaOWHjO+d9+E2aPg57BsgcpEWqMEpPmOoyujiRDu4p/eWMM5yHIBLkwuFJfQMCQ1Iwtl2Ei47Yf9DABjOfR2VslTq+Khpb13xaewxYEsNF15HJGi/bAxK9YWuwGa1ruNlmRH6rmF7OabqqE=,iv:Rv7QZKBkqBtlDkUDuDVzN79Wzc1nocbTLgTmXg8BTzU=,tag:qaIa0R8z9wLmrcYkoeW+Yg==,type:str]
+    lastmodified: "2025-11-06T05:11:00Z"
+    mac: ENC[AES256_GCM,data:pdRMReKbgR+gLToBrYc+Tf/i1jywvNPvPq3it8YZb49pE634haifD8PoP1Olnnm2/s7zY9ZMfDNIONDv6Es9ASZduh+nilgEy6u2o1P8fA4Bd1Hkmezbsld02OsVSDvNxhEqzRWCBEysKaJcKX8MCkoh71l7psM/n41nRANc9sA=,iv:0h9ZHptwYmB2ehaebpijYwcklQeQJxD2jn/+R3RB1f8=,tag:FBRxhPrHsIF+48PxOPyf9g==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

systems/ceres/config/filesystem.nix

@@ -85,11 +85,6 @@ in
     directories = [
       "/var/cache"
       "/var/lib"
-      "/etc/passwd"
-      "/etc/shadow"
-      "/etc/group"
-      "/etc/subuid"
-      "/etc/subgid"
       {
         directory = "/etc/ssh";
         mode = "u=rwx,g=rx,o=rx";

systems/deimos/config/filesystem.nix

@@ -59,13 +59,13 @@ in
         fsType = "vfat";
         options = deimos.boot.options;
       };
-    }
-    // (builtins.listToAttrs (
-      builtins.concatMap (drive: map (folder: sambaMounts drive folder) remoteFolders) sambaDrives
-    ))
-    // (builtins.listToAttrs (
-      builtins.concatMap (drive: map (folder: sshfsMounts drive folder) remoteFolders) remoteDrives
-    ));
+    };
+  # // (builtins.listToAttrs (
+  #   builtins.concatMap (drive: map (folder: sambaMounts drive folder) remoteFolders) sambaDrives
+  # ))
+  # // (builtins.listToAttrs (
+  #   builtins.concatMap (drive: map (folder: sshfsMounts drive folder) remoteFolders) remoteDrives
+  # ));
 
   swapDevices = [
     { device = "/dev/disk/by-uuid/027a1efb-6c4e-4c1a-9956-91c7513950b4"; }