base/users.nix

@@ -5,10 +5,10 @@ in
 {
   users.mutableUsers = false;
   users.users.root = {
-    passwordFile = config.age.secrets."users/root-hashed-password".path;
+    hashedPassword = secrets.shadow-hashed-password-root;
   };
   users.users.alarsyo = {
-    passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
+    hashedPassword = secrets.shadow-hashed-password-alarsyo;
     isNormalUser = true;
     extraGroups = [
       "media"

hosts/zephyrus/default.nix

@@ -3,6 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, lib, pkgs, ... }:
+let
+  secrets = config.my.secrets;
+in
 {
   imports =
     [ # Include the results of the hardware scan.

modules/secrets/secrets.nix

@@ -13,7 +13,4 @@ in
 {
   "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
   "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
-
-  "users/root-hashed-password.age".publicKeys = machines;
-  "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
 }

services/restic-backup.nix

@@ -11,6 +11,7 @@ let
   ;
 
   cfg = config.my.services.restic-backup;
+  secrets = config.my.secrets;
   excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
   makePruneOpts = pruneOpts:
     attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;

zephyrus.nix

@@ -10,6 +10,9 @@
     # Service definitions
     ./services
 
+    # Configuration secrets
+    ./secrets
+
     # Host-specific config
     ./hosts/zephyrus
   ];