-rw-r--r--configuration.nix7
-rw-r--r--flake.lock60
-rw-r--r--flake.nix15
-rw-r--r--router.nix5
-rw-r--r--secrets/password-hash.txt.age11
-rw-r--r--secrets/secrets.nix13
-rw-r--r--secrets/wifi-password.txt.age11
7 files changed, 117 insertions, 5 deletions
diff --git a/configuration.nix b/configuration.nix
index 78a98a1..8416a4d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -31,13 +31,14 @@
isNormalUser = true;
extraGroups = [ "wheel" "wireshark" ];
shell = pkgs.fish;
- hashedPassword = "REDACTED";
+ hashedPasswordFile = config.age.secrets."password-hash.txt".path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdUe7mxGdV/Q37RKndPzDHisFb7q/xm+L97jcGluSDOA8MGt/+wTxpyGxfyEqaMvwV2bakaMVHTB3711dDu5kE="
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLZ6OVyjTvWx9gvS+/DvkQW5VvLBbykq/0AV5mYDLADDtIOaDVscQ3lGOcUsga1ODNSl14MSV63bE8VtHfG1HOc="
];
};
+ age.secrets."password-hash.txt".file = ./secrets/password-hash.txt.age;
programs.fish.enable = true;
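Review bot: The removed `hashedPassword = "REDACTED";` line leaves open whether earlier history of configuration.nix ever carried a real hash; if it did, that hash is still recoverable from the repository and the password behind it should be treated as exposed and rotated before relying on the new `hashedPasswordFile`. The new line also ties the wheel user's local password to agenix successfully decrypting `password-hash.txt` during activation, so a missing or unreadable identity on a fresh install would leave the account with no usable password for console login or sudo (SSH key login is unaffected); that failure mode deserves a comment next to the `age.secrets."password-hash.txt".file` line, e.g. `# sole source of this user's password; if agenix cannot decrypt it at activation the account has none`. The enclosing `users.users` attribute set starts before the hunk.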
@@ -46,8 +47,12 @@
curl
git
(ffmpeg.override { withVpl = true; })
+ (inputs.agenix.packages.${pkgs.system}.agenix)
+ age-plugin-yubikey
];
+ age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
+
services.openssh.enable = true;
services.openssh.settings = {
PasswordAuthentication = false;
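Review bot: `age.identityPaths` is pinned to `/nix/persist/etc/ssh/ssh_host_ed25519_key` with no comment saying why the agenix default location is bypassed, so a reader unfamiliar with the impermanence setup will assume `/etc/ssh` is authoritative. Presumably the key lives under `/nix/persist` because the root filesystem is not persisted; a one-line comment such as `# impermanence: the persistent host key lives here, and it is the only identity this host decrypts secrets with` would record that dependency. Note that this makes the persistent host key the single decryption identity for every secret in the repo, so its backup and rotation should be handled deliberately. The enclosing `environment.systemPackages` list starts before the hunk.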
diff --git a/flake.lock b/flake.lock
index 5b0620f..22560e3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": [],
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1760836749,
+ "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
"disko": {
"inputs": {
"nixpkgs": [
@@ -21,6 +44,27 @@
"type": "github"
}
},
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
"impermanence": {
"locked": {
"lastModified": 1737831083,
@@ -54,10 +98,26 @@
},
"root": {
"inputs": {
+ "agenix": "agenix",
"disko": "disko",
"impermanence": "impermanence",
"nixpkgs": "nixpkgs"
}
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 89a530a..8337af5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,24 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+
disko.url = "github:nix-community/disko/latest";
disko.inputs.nixpkgs.follows = "nixpkgs";
+
impermanence.url = "github:nix-community/impermanence";
+
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
+ agenix.inputs.darwin.follows = "";
};
- outputs = inputs@{ self, nixpkgs, disko, impermanence, ... }: {
+ outputs = inputs@{ self, nixpkgs, disko, impermanence, agenix, ... }: {
nixosConfigurations.oden = nixpkgs.lib.nixosSystem {
- modules = [ ./configuration.nix disko.nixosModules.disko impermanence.nixosModules.impermanence ];
+ modules = [
+ ./configuration.nix
+ disko.nixosModules.disko
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ ];
specialArgs = {
inherit inputs;
};
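Review bot: `agenix.inputs.darwin.follows = "";` drops the darwin input, but agenix's `home-manager` and `systems` inputs are left as they are, so the lock file now pulls a separate home-manager checkout (visible in the flake.lock hunk) that nothing in the `modules` list uses. If agenix tolerates an empty follows for it as it does for darwin, add `agenix.inputs.home-manager.follows = "";` beside the darwin line to keep the closure smaller and avoid fetching an unused input. The `outputs` attribute set continues past the hunk.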
diff --git a/router.nix b/router.nix
index b377e57..0429dfa 100644
--- a/router.nix
+++ b/router.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
let
lanInterface = "enp5s0f0u2";
wifiInterface = "wlp9s0";
@@ -36,12 +36,13 @@ in
authentication = {
mode = "wpa3-sae";
saePasswords = [
- { password = "REDACTED"; }
+ { passwordFile = config.age.secrets."wifi-password.txt".path; }
];
};
};
};
};
+ age.secrets."wifi-password.txt".file = ./secrets/wifi-password.txt.age;
services.dnsmasq = {
enable = true;
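Review bot: The new `passwordFile` line points hostapd at the decrypted agenix path, but nothing states what the secret's plaintext must contain or when it is read; a short comment at the `age.secrets."wifi-password.txt".file` line would save the next editor from guessing, e.g. `# plaintext is the bare SAE passphrase; agenix decrypts it at activation and hostapd reads the file at service start`. Presumably the agenix defaults (root-owned, mode 0400) are adequate here because the hostapd unit generates its config as root, but if `owner` or `mode` is ever adjusted the WPA3 passphrase becomes readable to that owner, so confirm that before loosening. The enclosing wireless configuration and the `services.dnsmasq` block continue outside the hunk.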
diff --git a/secrets/password-hash.txt.age b/secrets/password-hash.txt.age
new file mode 100644
index 0000000..0470733
--- /dev/null
+++ b/secrets/password-hash.txt.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 rf0kpA ycfoYqOSGdRa2gV+Tn/Y8+e3HnEjs1hfjlUtgVqiVkQ
+lGl96QG8b5oUiYHhqu37q1xhVAYeX0Da2asmslcmuuk
+-> piv-p256 Ddzw4A AgJJw27rUoBFwT8SkapRU/mJ0fAGcPxA59j8zoFhAnFh
+xtcfcMAp5a1/HqYceRBSFxCIGcpetR/NUPzrCSvKKJc
+-> piv-p256 9aSbLw Avg9OynmP4hAeZ9lRIZhFvemUewm5mVvm7FTy3s0XWCm
+3heF09gXysjk8/9dlS18YYhl3AUqI0BjTzM1DvQD+t4
+-> ssh-ed25519 YS7/yg PCBDSW5OehDQpaoQ4aP5/p3LD4jo1yUNYjcnXFfR3yI
+Ne28TJYDJXiAPn2n7kKKnNHqXJj+dO+Y/XXaFuRLL1w
+--- OOuhecnmxeaw1enttCF5k/QjKNonR6iMI1h4dd10BC4
+3/;qC<8/f˗+B6m8^z@vRI`X ZE9XMlkVu5F&ʝMo \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..4963e52
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWOFcEGLg9E7LdD5wnnVAlwPe9jUxgAPF5dNsMSHxyZ" # oden host key
+
+ "age1yubikey1qtppenqpqjtll78q0tfcgnm4dczy7nakmj5l2z3syyqfcq27kqx32hh72rt" # yubikey5nfc
+ "age1yubikey1q2gkk5zhme43j9mzv8pyd22d60vv5v73aupcqw09fz8apwhw4qw3yd3n0w5" # yubikey5nano
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF" # ymer
+ ];
+in
+{
+ "wifi-password.txt.age".publicKeys = keys;
+ "password-hash.txt.age".publicKeys = keys;
+}
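Review bot: The shared `keys` list makes the `ymer` key (`AAAAIPC69ml…`) a recipient of both secrets, and that same public key is an `openssh.authorizedKeys.keys` entry for the wheel user in configuration.nix, so one private key now both logs in over SSH and decrypts the password hash and Wi‑Fi passphrase straight from the repository. If that key is a day-to-day login key rather than a dedicated secrets key, it widens the set of devices whose compromise exposes the secrets; consider a per-secret recipient list (host key plus the two YubiKeys) and keep the trailing comment on each entry naming the device that holds the private half. The blank line after the host key also reads as if the list were cut; either group the entries with a comment or drop it.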
diff --git a/secrets/wifi-password.txt.age b/secrets/wifi-password.txt.age
new file mode 100644
index 0000000..97874ac
--- /dev/null
+++ b/secrets/wifi-password.txt.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 rf0kpA ZRfFZC4N5Jdnc32fZiL0QkXth2Lm1AuvGBW2PaFS/Dk
+RxOiUlv8wkWggGrRB0tokIyZIno+4Yxk/kf9FxpKqZ8
+-> piv-p256 Ddzw4A AwOuo9hts6Yz0cm878aHI6rwFyXNT1dHOiYsvloVA+2E
+GolNszVMq4xdHm0HIrAWVGhHwmSySkYbaA2+BVEhvGw
+-> piv-p256 9aSbLw Ay35UlB8/sD2b92X/AQ47MZG5FmEh8BaaNpAYm6Ousb4
+ctMzgWfXczvfQFBNTeFau4E6LlrKiDma5JN3T48WYMU
+-> ssh-ed25519 YS7/yg pxaaPWZcrAv8B11T+h/v9CE4xzb/VglRPRJbAthA6lU
+/Ye6TnDB+49l7REHzxBN4jPbOIfLevdadIrt7S20ZIU
+--- fi9+1UaXfza/crt3fD64sPAxIqlTB9uI4/hgjGS1gdM
+5ҡVc(ϏeLs30:6j9Ѕh+mAO \ No newline at end of file