rework secrets

modules/common.nix

@@ -10,6 +10,8 @@
     identityPaths = ["/etc/ssh/ssh_host_ed25519_key"];
 
     secrets = {
+      rootPassword.file = ../secrets/${config.networking.hostName}/rootPassword.age;
+      userPassword.file = ../secrets/userPassword.age;
       tailscaleKey.file = ../secrets/tailscaleKey.age;
     };
   };
@@ -104,6 +106,8 @@
 
   time.timeZone = "Europe/Paris";
 
+  users.users.root.hashedPasswordFile = config.age.secrets.rootPassword.path;
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

modules/desktop.nix

@@ -12,13 +12,6 @@ in {
     (lib.mkAliasOptionModule ["hm"] ["home-manager" "users" username])
   ];
 
-  age.secrets = let
-    base = ../secrets/desktop;
-  in {
-    rootPassword.file = "${base}/rootPassword.age";
-    userPassword.file = "${base}/userPassword.age";
-  };
-
   boot = {
     extraModulePackages = with config.boot.kernelPackages; [v4l2loopback];
     kernelModules = ["v4l2loopback"];
@@ -174,15 +167,11 @@ in {
 
   sound.enable = true;
 
-  users.users = {
-    "${username}" = {
-      isNormalUser = true;
-      shell = pkgs.fish;
-      extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
-      hashedPasswordFile = config.age.secrets.userPassword.path;
-    };
-
-    root.hashedPasswordFile = config.age.secrets.rootPassword.path;
+  users.users."${username}" = {
+    isNormalUser = true;
+    shell = pkgs.fish;
+    extraGroups = ["networkmanager" "wheel" "video" "libvirtd"];
+    hashedPasswordFile = config.age.secrets.userPassword.path;
   };
 
   virtualisation.libvirtd.enable = true;