flake.lock: Update

Flake lock file updates:

• Updated input 'angrr':
    'github:linyinfeng/angrr/bc5852e4d7fcd9ffe2d1562f8a7030b81e0679d9' (2026-03-27)
  → 'github:linyinfeng/angrr/e1b066a0dbdd6ed3208dd5405e7d6cde91b7e20d' (2026-04-03)
• Updated input 'angrr/flake-parts':
    'github:hercules-ci/flake-parts/f20dc5d9b8027381c474144ecabc9034d6a839a3' (2026-03-01)
  → 'github:hercules-ci/flake-parts/3107b77cd68437b9a76194f0f7f9c55f2329ca5b' (2026-04-01)
• Updated input 'angrr/nix-darwin':
    'github:nix-darwin/nix-darwin/da529ac9e46f25ed5616fd634079a5f3c579135f' (2026-03-08)
  → 'github:nix-darwin/nix-darwin/06648f4902343228ce2de79f291dd5a58ee12146' (2026-04-01)
• Updated input 'angrr/treefmt-nix':
    'github:numtide/treefmt-nix/71b125cd05fbfd78cab3e070b73544abe24c5016' (2026-03-12)
  → 'github:numtide/treefmt-nix/75925962939880974e3ab417879daffcba36c4a3' (2026-04-02)
• Updated input 'home-manager':
    'github:nix-community/home-manager/7afd8cebb99e25a64a745765920e663478eb8830' (2026-03-30)
  → 'github:nix-community/home-manager/0d02ec1d0a05f88ef9e74b516842900c41f0f2fe' (2026-04-05)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/f4c4c2c0c923d7811ac2a63ccc154767e4195337' (2026-03-31)
  → 'github:NixOS/nixos-hardware/80afbd13eea0b7c4ac188de949e1711b31c2b5f0' (2026-04-03)
• Updated input 'nixos-unstable':
    'github:NixOS/nixpkgs/8110df5ad7abf5d4c0f6fb0f8f978390e77f9685' (2026-03-28)
  → 'github:NixOS/nixpkgs/6201e203d09599479a3b3450ed24fa81537ebc4e' (2026-04-01)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/107cba9eb4a8d8c9f8e9e61266d78d340867913a' (2026-03-29)
  → 'github:NixOS/nixpkgs/bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e' (2026-04-01)
• Updated input 'nur':
    'github:nix-community/NUR/95ed6efd2ba5aefb62f522c71ef3276b18a8b5a0' (2026-03-26)
  → 'github:nix-community/NUR/09b0001e733b3c28458ca676b1db5d345fbf9820' (2026-04-05)
• Updated input 'nur/nixpkgs':
    'github:nixos/nixpkgs/46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9' (2026-03-24)
  → 'github:nixos/nixpkgs/6201e203d09599479a3b3450ed24fa81537ebc4e' (2026-04-01)

.envrc

@@ -0,0 +1 @@
+use flake . --impure --allow-dirty --no-write-lock-file

.sops.yaml

@@ -0,0 +1,19 @@
+# XXX: missing: macbook, thinknix?, at some point mobile
+keys:
+  - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+  # Generate AGE keys from SSH keys with:
+  # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+  - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+creation_rules:
+  # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
+  - path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admins
+        - *machine_framenix
+  - path_regex: common/secrets\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admins
+        - *machine_framenix
+

common/default.nix

@@ -18,6 +18,7 @@ in
     ./guest.nix
     ./audio-sharing.nix
     ./angrr.nix
+    ./sops.nix
   ];
 
   services.davfs2.enable = true;

common/nix-settings.nix

@@ -18,6 +18,22 @@ in
     };
     nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
   };
+  sops = {
+    secrets."nix/access-tokens" = {
+      owner = "root";
+      group = "users";
+      mode = "0440";
+      sopsFile = ./secrets.yaml;
+    };
+    templates.nix-secrets = {
+      content = ''
+        access-tokens = ${config.sops.placeholder."nix/access-tokens"}
+      '';
+      owner = "root";
+      group = "users";
+      mode = "0440";
+    };
+  };
   nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
     # keep around all inputs necessary for offline-rebuilding the system
     keep-outputs = true;
@@ -35,6 +51,6 @@ in
   # TODO: manage access token with sops instead of manual deployment
   # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
   nix.extraOptions = ''
-    !include /etc/nix/secrets.conf
+    !include ${config.sops.templates.nix-secrets.path}
   '';
 }

common/secrets.yaml

@@ -0,0 +1,26 @@
+nix:
+    access-tokens: ENC[AES256_GCM,data:0e58ZzTN81E/2BWphnGKRp8wM8CBOyC5JG2frU6pQ2a10DOwJBJiuv91H3IfHNq+YadNswQZhouQTczhIXlEIW3uADELSBhEiC/L8z9+zrgc4KyRLsMskipuCC3H,iv:DKnJmMs88QA4L9ozvYku4QGottrZVG3UFbw90XNzF0c=,tag:RoKuFIv/tJ/+ZF5aNzkpIQ==,type:str]
+sops:
+    age:
+        - recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
+            TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
+            Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
+            MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
+            3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
+            YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
+            WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
+            S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
+            WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-05T22:12:29Z"
+    mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1

common/sops.nix

@@ -0,0 +1,11 @@
+{ lib, config, ... }:
+let
+  inputs = config.inputInjection.flake-inputs;
+in
+{
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = lib.mkDefault toString (./. + "/hosts/${config.networking.hostname}/secrets.ini");
+    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
+  };
+}

darwin/configuration.nix

@@ -8,6 +8,7 @@ in
   imports = [
     ../common/nix-settings.nix
     ../common/angrr.nix
+    ./sops.nix
   ];
   nix = {
     enable = true;

darwin/sops.nix

@@ -0,0 +1,13 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+{
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = lib.mkDefault ./secrets.yaml;
+    defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
+  };
+}

flake.lock

@@ -11,11 +11,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1774628296,
+        "lastModified": 1775232685,
-        "narHash": "sha256-wZaNf8KbaiNWHUGKRe1LzXllMNcsTl7DkdLGd4Uczy0=",
+        "narHash": "sha256-+kVivleQqI6HdFeVWVukEPvPec/SN74l+j/Tw9OBaSw=",
         "owner": "linyinfeng",
         "repo": "angrr",
-        "rev": "bc5852e4d7fcd9ffe2d1562f8a7030b81e0679d9",
+        "rev": "e1b066a0dbdd6ed3208dd5405e7d6cde91b7e20d",
         "type": "github"
       },
       "original": {
@@ -79,11 +79,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772408722,
+        "lastModified": 1775087534,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -184,11 +184,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774875830,
+        "lastModified": 1775425411,
-        "narHash": "sha256-WPYlTmZvVa9dWlAziFkVjBdv1Z6giNIq40O1DxsBmiI=",
+        "narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7afd8cebb99e25a64a745765920e663478eb8830",
+        "rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe",
         "type": "github"
       },
       "original": {
@@ -246,11 +246,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773000227,
+        "lastModified": 1775037210,
-        "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=",
+        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
         "owner": "nix-darwin",
         "repo": "nix-darwin",
-        "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f",
+        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
         "type": "github"
       },
       "original": {
@@ -304,11 +304,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1774933469,
+        "lastModified": 1775203647,
-        "narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=",
+        "narHash": "sha256-6MWaMLXK9QMndI94CIxeiPafi3wuO+imCtK9tfhsZdw=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337",
+        "rev": "80afbd13eea0b7c4ac188de949e1711b31c2b5f0",
         "type": "github"
       },
       "original": {
@@ -320,11 +320,11 @@
     },
     "nixos-unstable": {
       "locked": {
-        "lastModified": 1774709303,
+        "lastModified": 1775036866,
-        "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=",
+        "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685",
+        "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e",
         "type": "github"
       },
       "original": {
@@ -352,11 +352,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1774799055,
+        "lastModified": 1775002709,
-        "narHash": "sha256-Tsq9BCz0q47ej1uFF39m4tuhcwru/ls6vCCJzutEpaw=",
+        "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "107cba9eb4a8d8c9f8e9e61266d78d340867913a",
+        "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e",
         "type": "github"
       },
       "original": {
@@ -368,11 +368,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1774386573,
+        "lastModified": 1775036866,
-        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e",
         "type": "github"
       },
       "original": {
@@ -388,11 +388,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1774540439,
+        "lastModified": 1775426378,
-        "narHash": "sha256-zVYoM58GjEh07Oa56zRygHaqp+Fm83PK8C77p84l5uA=",
+        "narHash": "sha256-ouGowK2BaU09TDryipQxRzOSRcBYxwpIeYbk4vfO96c=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "95ed6efd2ba5aefb62f522c71ef3276b18a8b5a0",
+        "rev": "09b0001e733b3c28458ca676b1db5d345fbf9820",
         "type": "github"
       },
       "original": {
@@ -439,6 +439,7 @@
         "nixos-unstable": "nixos-unstable",
         "nixpkgs": "nixpkgs_2",
         "nur": "nur",
+        "sops-nix": "sops-nix",
         "treefmt-nix": "treefmt-nix_3",
         "utils": "utils"
       }
@@ -464,6 +465,26 @@
         "type": "github"
       }
     },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1775188331,
+        "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,
@@ -487,11 +508,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1773297127,
+        "lastModified": 1775125835,
-        "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
+        "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+        "rev": "75925962939880974e3ab417879daffcba36c4a3",
         "type": "github"
       },
       "original": {

flake.nix

@@ -29,6 +29,10 @@
       flake = false;
       url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git";
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nix-direnv = {
       url = "github:nix-community/nix-direnv";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -51,6 +55,7 @@
       treefmt-nix,
       nix-darwin,
       angrr,
+      sops-nix,
       ...
     }@inputs:
     let
@@ -85,6 +90,7 @@
         # for some reason, `imports`-ing the home-manager module via inputInjection
         # from a sub-module causes infinite recursion, so importing it here instead
         home-manager.nixosModules.home-manager
+        inputs.sops-nix.nixosModules.sops
       ];
       mkSystem =
         system: extraModules:
@@ -101,6 +107,7 @@
               imports = [
                 ./home/common.nix
                 ./home/${confName}.nix
+                inputs.sops-nix.homeManagerModules.sops
               ];
               # extends the home config
               home.username = user;
@@ -141,7 +148,7 @@
           ./darwin/configuration.nix
           inputInjection
           inputs.angrr.darwinModules.angrr
-
+          inputs.sops-nix.darwinModules.sops
         ];
       };
       homeConfigurations = {
@@ -168,7 +175,13 @@
         treefmtEval = treefmt-nix.lib.evalModule pkgs_unstable treefmtConf;
       in
       {
-        devShells.default = pkgs.mkShell { buildInputs = [ ]; };
+        devShells.default = pkgs.mkShell {
+          packages = with pkgs; [
+            sops
+            ssh-to-age
+            age
+          ];
+        };
         formatter = treefmtEval.config.build.wrapper;
         checks.formatting = treefmtEval.config.build.check self;
         # expose nixpkgs with overlay; TODO: figure out role of config

home/common.nix

@@ -13,6 +13,7 @@
     ./modules/captive-browser.nix
     ./modules/ensureDirs.nix
     ./modules/ssh.nix
+    ./modules/sops.nix
   ];
   home.homeDirectory =
     if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}";

home/modules/sops.nix

@@ -0,0 +1,7 @@
+{ inputs, ... }:
+{
+  sops = {
+    age.keyFile = "/home/user/.age-key.txt"; # must have no password!
+    # deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
+  };
+}

home/modules/ssh.nix

@@ -93,7 +93,7 @@ in
         tag: tagDef:
         let
           dependency = if tagDef.after != null then lib.hm.dag.entryAfter tagDef.after else lib.id;
-          escapeOpensshConfig = builtins.replaceStrings ["%"] ["%%"];
+          escapeOpensshConfig = builtins.replaceStrings [ "%" ] [ "%%" ];
         in
         lib.nameValuePair "tagged-${tag}" {
           match = ''tagged="${tag}"'';