Add sops-nix secrets integration and installer ISO configuration with docs by moons-14 · Pull Request #13 · moons-14/dotfiles

moons-14 · 2026-06-06T13:27:33Z

Provide first-class support for host-specific encrypted secrets via sops-nix and document an SSH-first installer ISO workflow.
Make it possible to build a minimal installer ISO that can generate host age keys and bootstrap secrets during installation.

Add sops-nix as a flake input and whitelist secrets/ and /.sops.yaml in .gitignore, and add a sample /.sops.yaml for age recipients.
Introduce a new installer host and helpers by refactoring host builders with mkNixos, adding mkInstallerIso, and adding hosts/installer-iso/default.nix to provide an SSH-first installer image with required tooling and packages.
Add security and secrets modules under modules/features/security and modules/system/secrets that wire sops-nix into the configuration and expose options such as ageKeyFile, generateKey, defaultSopsFile, and a userPassword flow that maps a SOPS secret to the primary user's hashedPasswordFile.
Replace the SSH default-key activation script with a systemd user service in modules/features/identity/ssh-default-key.nix and make small user and profile config fixes (users.mutableUsers default, profiles/workloads/secure-storage.nix layout).
Add documentation: installer guide at docs/installer/iso.md, installer recommendations at docs/installer/recommendations.md, and SOPS guidance at docs/secrets/sops-nix.md plus a secrets/users/README.md example.

fix: use standard key generation flows

4a68b9f

moons-14 added the codex label Jun 6, 2026 — with ChatGPT Codex Connector

moons-14 added 2 commits June 6, 2026 23:13

fix: move sops feature to top level

52f1454

fix flake nix

6671e02

Provide feedback