add sops-nix

.sops.yaml

@@ -0,0 +1,17 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
+# for a more complex example.
+keys:
+  - &admin_sckova 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A
+  - &user_sckova age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka
+  - &host_peach age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *admin_sckova
+      age:
+      - *user_sckova
+      - *host_peach

flake.lock

@@ -483,9 +483,30 @@
         "noctalia": "noctalia",
         "nur": "nur",
         "openmw": "openmw",
+        "sops-nix": "sops-nix",
         "tt-schemes": "tt-schemes"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1774910634,
+        "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -17,6 +17,11 @@
       flake = false;
     };
 
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -63,6 +68,7 @@
       apple-silicon,
       base16,
       tt-schemes,
+      sops-nix,
       home-manager,
       niri,
       noctalia,
@@ -72,14 +78,6 @@
       ...
     }:
     let
-      # All systems we want to support for the generic VM
-      # to run the vm:
-      # nixos-rebuild build-vm --flake ~/nix#$(nix eval --raw --impure --expr 'builtins.currentSystem')
-      supportedSystems = [
-        "x86_64-linux"
-        "aarch64-linux"
-      ];
-
       # Shared config for all package sets
       pkgConfig = {
         allowUnfree = true;
@@ -139,11 +137,6 @@
                     "root"
                     "sckova"
                   ];
-
-                  # Increase file descriptor limit for builds
-                  # sandbox = "relaxed";
-                  # extra-sandbox-paths = [ ];
-                  # build-users-group = "nixbld";
                 };
 
                 gc = {
@@ -164,23 +157,24 @@
                   "podman"
                   "pipewire"
                 ];
-                hashedPassword = "$6$bvwRUFaJNMpH8rm3$FGDWFN6tBScJ/2DynAjnlZE8JRfyADN78d6c4GawxpAjyNLNE/AjQzMA09tLRqpKX7WnN5PIUZLAm2bT9/RbG0";
                 openssh.authorizedKeys.keys = [
                   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCn/eXMq04vcXNqGVzlZOw2C2dQYBqzWsoigdFW09XqC2WPaGljbAIayzaD7Q1tIlPGGy10+nipAXAk1CHAnrQ2KSg4v/SwFphF48V3joeQmideC4vo0EIQEQibbMtj3oFezqRcRZINl/1hr4t0myZ3zkoTjh3HCkqJEMGUdArDMEVPA5mwcKSLsyshW9LMG/3C9YKKPU1/lVsoeDkj8AVZA0srhkApuRKF0IVu8KoPd6ldvSWgpQ1iuQ+MEMSeOUJytieBkzeY9zEVePaQ86oIMDUzqq8OTN37RyShiJKPskKyj12rJI2eFtI/viGaj8P6/yvKqMp3F4kAsPAuvMLLAIYCNa+139rDpkkIKB6lVtgq0jnJGRywaYXGIRyExNcVAr8I9wrNnNN2M4whVeYBxfLMzKZ+VvfK39AaGvnzPuFDLqUC87sN4c/1KZQo+TCtlaxcYvqowWylw5JHUt8uwFcO/dUebQxxAv8EdyPZGJ/54y19PsTbu9KyxSc2gIU= sckova"
                 ];
               };
             }
+            ./options.nix
+            ./sops.nix
             ./system
             ./system/searxng
-            ./system/torrenting
+            ./system/games
             ./system/widevine
             ./system/shell/fish.nix
             ./system/tailscale
             ./system/hosts/${hostname}
             ./hardware/${hostname}
             niri.nixosModules.niri
+            sops-nix.nixosModules.sops
             home-manager.nixosModules.home-manager
-            noctalia.nixosModules.default
             {
               home-manager = {
                 useGlobalPkgs = true;
@@ -189,15 +183,18 @@
                   imports = [
                     ./home
                     ./options.nix
-                    ./home/apps
+                    ./sops.nix
-                    ./home/games
+                    ./home/sckova
-                    ./home/hosts/${hostname}
+                    ./home/sckova/apps
-                    ./home/services
+                    ./home/sckova/games
-                    ./home/terminal
+                    ./home/sckova/hosts/${hostname}
-                    ./home/tiling
+                    ./home/sckova/services
+                    ./home/sckova/terminal
+                    ./home/sckova/tiling
                   ];
                 };
                 sharedModules = [
+                  sops-nix.homeManagerModules.sops
                   base16.nixosModule
                   (
                     { config, ... }:
@@ -216,6 +213,7 @@
                 };
               };
             }
+            noctalia.nixosModules.default
           ]
           ++ extraModules;
         };
@@ -238,8 +236,8 @@
           home.username = user;
           home.homeDirectory = "/home/${user}";
           modules = [
-            ./home
+            ./home/${user}
-            ./home/hosts/${hostname}.nix
+            ./home/${user}/hosts/${hostname}.nix
             home-manager.homeModules.home-manager
             niri.homeModules.default
             noctalia.homeModules.noctalia
@@ -266,14 +264,7 @@
             }
           ];
         };
-      }
+      };
-      // nixpkgs.lib.genAttrs supportedSystems (
-        system:
-        mkNixosSystem {
-          hostname = "vm-generic";
-          inherit system;
-        }
-      );
 
       homeConfigurations = {
         peach = mkHomeConfig {
@@ -286,14 +277,6 @@
           hostname = "alien";
           system = "x86_64-linux";
         };
-      }
+      };
-      // nixpkgs.lib.genAttrs supportedSystems (
-        system:
-        mkHomeConfig {
-          user = "sckova";
-          hostname = "vm-generic";
-          inherit system;
-        }
-      );
     };
 }

home/hosts/vm-generic/default.nix

@@ -1,11 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}:
-{
-  colors = {
-    scheme = "catppuccin-mocha";
-    accent = "base0B";
-  };
-}

home/sckova/default.nix

@@ -0,0 +1,10 @@
+{
+  # the user to activate
+  userOptions = {
+    name = "Sean Kovacs";
+    username = "sckova";
+    email = "kovacsmillio@gmail.com";
+  };
+
+  sops.age.keyFile = "/home/sckova/.config/sops/age/keys.txt";
+}

home/sckova/services/systemd.nix

@@ -1,7 +1,6 @@
 {
   config,
   pkgs,
-  lib,
   ...
 }:
 {
@@ -11,16 +10,11 @@
     XCURSOR_PATH = config.userOptions.cursor.path;
   };
 
-  xdg.configFile."rclone/synology.conf".text = ''
+  sops.templates."synology.conf".content = ''
     [synology]
-    type = sftp
+    type = smb
-    user = sckova
     host = nas.taila30609.ts.net
-    key_file = ~/.ssh/key
+    pass = ${config.sops.placeholder.rclone_synology}
-    shell_type = unix
-    root = home
-    md5sum_command = "${pkgs.coreutils}/bin/md5sum";
-    sha1sum_command = "${pkgs.coreutils}/bin/sha1sum";
   '';
 
   systemd.user.services.synology-mount = {
@@ -48,11 +42,11 @@
 
         # Mount rclone in foreground
         ${pkgs.rclone}/bin/rclone \
-          --config=$HOME/.config/rclone/synology.conf \
+          --config=${config.sops.templates."synology.conf".path} \
           --ignore-checksum \
           --log-level INFO \
           --rc --rc-serve \
-          mount "synology:" "$HOME/Synology"
+          mount "synology:home" "$HOME/Synology"
       ''}";
       ExecStop = "/run/wrappers/bin/fusermount -uz %h/Synology/%i";
       StandardOutput = "journal";

home/sckova/terminal/default.nix

@@ -66,6 +66,7 @@
         };
         core.pager = "${pkgs.bat}/bin/bat";
         commit.gpgsign = true;
+        init.defaultBranch = "main";
       };
     };
     bat = {

home/sckova/terminal/neovim.nix

@@ -5,7 +5,7 @@
   ...
 }:
 {
-  home.sessionVariables.EDITOR = lib.mkForce "kitty nvim";
+  home.sessionVariables.EDITOR = lib.mkForce "nvim";
 
   programs.nixvim = {
     enable = true;

home/sckova/tiling/noctalia.nix

@@ -348,7 +348,7 @@
         animationDisabled = false;
         animationSpeed = 1;
         autoStartAuth = false;
-        avatarImage = "/home/sckova/.face";
+        avatarImage = "/home/${config.userOptions.username}/.face";
         boxRadiusRatio = 1;
         clockFormat = "hh\\nmm";
         clockStyle = "custom";
@@ -559,7 +559,7 @@
 
       wallpaper = {
         automationEnabled = false;
-        directory = "/home/sckova/.local/share/wallpaper";
+        directory = "/home/${config.userOptions.username}/.local/share/wallpaper";
         enableMultiMonitorDirectories = false;
         enabled = false;
         fillColor = "#1e1e2e";

options.nix

@@ -19,24 +19,24 @@
     userOptions = {
       name = lib.mkOption {
         type = lib.types.str;
-        readOnly = true;
+        readOnly = false;
         default = "Sean Kovacs";
       };
       username = lib.mkOption {
         type = lib.types.str;
-        readOnly = true;
+        readOnly = false;
         default = "sckova";
       };
+      email = lib.mkOption {
+        type = lib.types.str;
+        readOnly = false;
+        default = "kovacsmillio@gmail.com";
+      };
       hostname = lib.mkOption {
         type = lib.types.str;
         readOnly = true;
         default = config.system.name;
       };
-      email = lib.mkOption {
-        type = lib.types.str;
-        readOnly = true;
-        default = "kovacsmillio@gmail.com";
-      };
       fontSans = {
         name = lib.mkOption {
           type = lib.types.str;

secrets/secrets.yaml

@@ -0,0 +1,42 @@
+#ENC[AES256_GCM,data:TggQPAlRHvMKs5nMF7arHHoXjj6+1c0n1DuIS5UFXuRob9E2AHn3JCObcPW/IH0JOcg=,iv:PFDAr1ZQMu158TglCPFqK548LfOtYHT+7zon83JN8IY=,tag:72fhZeqDG7yK+pv1k330zA==,type:comment]
+searxng_secret: ENC[AES256_GCM,data:j/PY84sAXdcP/WaekjhT+wYDa1Q9OBWchrAUKpW7ygSEMqbiIx5i/bmjyqjifnZqKvy/hgF/SA2ZbFKsQ5jjpQ==,iv:8Sv9WTjO+Vkrgmd+V6l7vdMPPtjBVkWfeG/DRsbhQYE=,tag:jc3HWlyAUUmkzZMnv8Kbmw==,type:str]
+#ENC[AES256_GCM,data:HBJEtuvZUeUD51q8/d+d6lQ4Yke1RfHDqo4P9l21mbvF2rrHp0KRNH0=,iv:cNpmj145TKmF/bNQN3wFeAXoqWkLxu0bqvEhydRQZcs=,tag:x02R5lfpYUMZw3eSRA5MIA==,type:comment]
+rclone_synology: ENC[AES256_GCM,data:2k9aYyXMDDYt740VUUvvTSUQ+ybK3PIkBetqw5wmCXYEumk=,iv:J3ZFY3iX7OHoriJNHbmCYHglwNeh+T1UP9q608wAXGU=,tag:QmyVZQiQzBhoB9jkOiruhw==,type:str]
+#ENC[AES256_GCM,data:CvsKAAXJQWM8t5bc0eInokZr,iv:YpEJYqyDNGydfrUBoLeUyJsnai/jMAo0PojRmpVPmN8=,tag:9DoQE+Wic5OnWcGIZNFsIg==,type:comment]
+sckova_password: ENC[AES256_GCM,data:JgXq8TyCGI072g==,iv:kPme4bkmAfj+np32LoAcDWoQA2qFnTdqnyTSwB2TvBk=,tag:hAPQ+dWW+7QstyEdvSvpGw==,type:str]
+sops:
+    age:
+        - recipient: age1k9zp37p9sejvpvwu688t7jkl8utkugrsch7a9ahufpq7uhj609gqsd3wka
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtK09BZUN6aUhIQ0oyOU9N
+            UW5SWXJoUEJ1U2NLNnl3UjFFajd1U3MwUnpvCjhYa1RES3RSTTVURVU2bVp5b3A1
+            dWVxRHQ1bGh5QUlxRmNhSXRnUDRUa1EKLS0tIHlnUFZDem9mdWFVNDNCQjM0OWND
+            OGF4VjkyTGt5ckl1T2RLRm8rUFUxQlUKSviKzkL/JLy/JTaKXCi5+hr5Cy6dtu+S
+            qOhPWCFcNVM6TaJnFNEik6r39E0+C6qmkzdxN1KLjLYzg+DEcxAOnA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1dx9rwrkhqj8sfr8vdfsgrqjwqefzmgtugsp6ykklpudfw4hcnuyqx9x20e
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzeW5WcG5jY3loVUl0RG9o
+            RUxKWmtLcnF3djE2MEoxMTVtVlNJMkJFNmpBCnhjL25TaUl1ZHpIK3c3OW5lcFNS
+            MFg2eXRPVjRxUHdiMEVrNCs5SGhWMjQKLS0tIHVscFNybnROUTQrRlRYa3FuWkhs
+            RFExdjVKRi9aMFNWQzBORmFyanNVdWMKUcQ3h7pCLCIi7PaITuAGxv3qLyypDHhY
+            1HqXGNP82Xyu4coc6jWQ85dMvRfMkYar6zDNvJmPqHptiHfbDFcVTw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-03T13:51:22Z"
+    mac: ENC[AES256_GCM,data:jQtzEZWE6csGTQE939UAl3xA6ecqLD4aGRqw7KF7GqW0w3FTfC59uel1xM2Nl91Bg42TzYsO9WB3rox5daFAcUgoQE0TNMAbH+w/vkVc3NoJHrWQlV69j8zUAAiNgbAx30l1MIjLS/zJ6Xlt+jkj4FtPfK0d84V/O2KwCBAJ+uM=,iv:+u3muRmMuZJUcUNHJDOqzytxgK60YxxmawwQeUTm9aU=,tag:mR8lTA7dgfOqYqUvCAuYFQ==,type:str]
+    pgp:
+        - created_at: "2026-04-03T02:14:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DrD+TWkWMG9QSAQdAE1QnXASnQihE7xyQxHo48Dq5VBVG15vuyhPDeEPJsEsw
+            /oG3t56luiap+vilspLHdxzILvyHQfPpkEOlGvI4TD19t3gIKCOKDTHxMk8BW6p8
+            0lwBgKcqEZdEIHDj84CnG/6/9uK9ycuWiFN4PoTlrE10j+WVnFod1qHLV4ixbomE
+            kY50t/LrML5Q/oiqUrUk6h9+QrNPfpJ2ei06vpy23PYzrs43MLbAScWvyu9H+A==
+            =j6c/
+            -----END PGP MESSAGE-----
+          fp: 7622FD7E6AB9F1E9D2CEFE2700F325187C68651A
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2

sops-example.yaml

@@ -0,0 +1,7 @@
+# nix-shell -p openssl --run 'openssl rand -hex 32'
+searxng_secret:
+# echo 'secretpassword' | rclone obscure -
+rclone_synology:
+# sckova's password
+sckova_password:
+

sops.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  sops = {
+    defaultSopsFile = ./secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    secrets = {
+      searxng_secret = { };
+      rclone_synology = { };
+    };
+  };
+}

system/default.nix

@@ -7,6 +7,16 @@
   ...
 }:
 {
+  # the user to activate
+  userOptions = {
+    name = "Sean Kovacs";
+    username = "sckova";
+    email = "kovacsmillio@gmail.com";
+  };
+
+  sops.secrets.sckova_password.neededForUsers = true;
+  users.users.sckova.hashedPasswordFile = config.sops.secrets.sckova_password.path;
+
   boot = {
     plymouth.enable = true;
     plymouth.logo = "${pkgs.nixos-icons}/share/icons/hicolor/64x64/apps/nix-snowflake-white.png";
@@ -49,19 +59,6 @@
   };
 
   programs = {
-    gamescope = {
-      enable = true;
-      capSysNice = false;
-      args = [
-        "--output-width 3840"
-        "--nested-width 3840"
-        "--output-height 2160"
-        "--nested-height 2160"
-        "--expose-wayland"
-        "--fullscreen"
-      ];
-    };
-    gamemode.enable = true;
     gnupg.agent = {
       enable = true;
       enableSSHSupport = true;
@@ -107,7 +104,7 @@
   services = {
     displayManager = {
       autoLogin.enable = true;
-      autoLogin.user = "sckova";
+      autoLogin.user = config.userOptions.username;
       defaultSession = "niri";
       sddm.enable = true;
       sddm.wayland.enable = true;
@@ -128,17 +125,6 @@
     upower.enable = true;
     power-profiles-daemon.enable = true;
     openssh.enable = true;
-    ananicy = {
-      enable = true;
-      package = pkgs.ananicy-cpp;
-      rulesProvider = pkgs.ananicy-cpp;
-      extraRules = [
-        {
-          "name" = "gamescope";
-          "nice" = -20;
-        }
-      ];
-    };
   };
 
   environment.systemPackages = with pkgs; [

system/games/default.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  programs = {
+    gamescope = {
+      enable = true;
+      capSysNice = false;
+      args = [
+        "--output-width 3840"
+        "--nested-width 3840"
+        "--output-height 2160"
+        "--nested-height 2160"
+        "--expose-wayland"
+        "--fullscreen"
+      ];
+    };
+    gamemode.enable = true;
+  };
+
+  services = {
+    ananicy = {
+      enable = true;
+      package = pkgs.ananicy-cpp;
+      rulesProvider = pkgs.ananicy-cpp;
+      extraRules = [
+        {
+          "name" = "gamescope";
+          "nice" = -20;
+        }
+      ];
+    };
+  };
+}

system/hosts/alien/default.nix

@@ -9,10 +9,15 @@
     ddcutil
     mangohud
     openrgb
+    p7zip
+    protontricks
+    zenity
+    wineWow64Packages.stable
+    wineWow64Packages.waylandFull
   ];
 
   # enable ddcutil
-  users.users.sckova.extraGroups = [ "i2c" ];
+  users.users.${config.userOptions.username}.extraGroups = [ "i2c" ];
   boot.extraModulePackages = [ config.boot.kernelPackages.ddcci-driver ];
   boot.kernelModules = [
     "i2c-dev"
@@ -73,7 +78,7 @@
   # i don't even remember what this does or why i added it
   systemd.tmpfiles.rules = [
     "L+ /var/lib/qemu/firmware - - - - ${pkgs.qemu}/share/qemu/firmware"
-    "d /mnt/storage 0775 sckova users - -"
+    "d /mnt/storage 0775 ${config.userOptions.username} users - -"
   ];
 
   services.factorio = {
@@ -85,6 +90,6 @@
     # bind = "[::]"; # support IPv6
     game-name = "kova's minecraft";
     game-password = "ThisIsASuperSecurePasswordThatNobodyWillGuess";
-    admins = [ "sckova" ];
+    admins = [ config.userOptions.username ];
   };
 }

system/hosts/peach/default.nix

@@ -1,4 +1,5 @@
 {
+  config,
   pkgs,
   lib,
   ...
@@ -46,7 +47,7 @@ in
       setSocketVariable = true;
     };
   };
-  users.users.sckova.extraGroups = [ "docker" ];
+  users.users.${config.userOptions.username}.extraGroups = [ "docker" ];
 
   hardware.asahi = {
     enable = true;

system/hosts/vm-generic/default.nix

@@ -1,17 +0,0 @@
-{ ... }:
-{
-  home-manager.users.sckova = {
-    imports = [ ];
-  };
-
-  services.spice-vdagentd.enable = true;
-
-  virtualisation.vmVariant = {
-    virtualisation = {
-      memorySize = 8192;
-      cores = 6;
-    };
-  };
-
-  security.sudo.wheelNeedsPassword = false;
-}

system/searxng/default.nix

@@ -1,21 +1,19 @@
 {
   lib,
-  pkgs,
   config,
   ...
 }:
 {
+  sops.templates."searxng.env".content = ''
+    SEARXNG_SECRET=${config.sops.placeholder.searxng_secret}
+  '';
 
   services.searx = {
     enable = true;
     redisCreateLocally = true;
+    environmentFile = config.sops.templates."searxng.env".path;
     settings = {
       server = {
-        secret_key = lib.removeSuffix "\n" (
-          builtins.readFile (
-            pkgs.runCommand "gen-key" { buildInputs = [ pkgs.openssl ]; } "openssl rand -hex 32 > $out"
-          )
-        );
         port = 5364;
         bind_address = "127.0.0.1";
       };

system/torrenting/default.nix

@@ -1,53 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-{
-  users.users.sckova.extraGroups = [ "qbittorrent" ];
-  services = {
-    qbittorrent = {
-      enable = false;
-      serverConfig = {
-        Preferences = {
-          Advanced.useSystemIconTheme = true;
-          General = {
-            CloseToTray = false;
-            CloseToTrayNotified = true;
-            ExitConfirm = false;
-            Locale = "en";
-          };
-          WebUI = {
-            Address = "*";
-            Enabled = true;
-            Port = 9697;
-            UseUPnP = false;
-          };
-          BitTorrent = {
-            SessionGlobalDLSpeedLimit = 0;
-            GlobalUPSpeedLimit = 0;
-            Port = 42578;
-            QueueingSystemEnabled = false;
-            SSL.Port = 63114;
-            StartPaused = false;
-          };
-        };
-      };
-    };
-    flaresolverr = {
-      enable = true;
-      port = 8191;
-    };
-    prowlarr = {
-      enable = true;
-      settings = {
-        server = {
-          urlbase = "localhost";
-          port = 9696;
-          bindaddress = "*";
-        };
-      };
-    };
-  };
-}