From 9ca56553f76c00990647d8d93c2f4c81cfb1fb72 Mon Sep 17 00:00:00 2001 From: Toast Date: Sat, 6 Dec 2025 02:33:40 +0100 Subject: [PATCH 1/5] Justfile: update secrets repo url --- .justfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.justfile b/.justfile index 99e2d75..9b4041a 100644 --- a/.justfile +++ b/.justfile @@ -15,8 +15,8 @@ update: nix flake update @edit-secrets: - git clone ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets.git /tmp/secrets - sed -i 's\git+ssh://forgejo@git.everest.tailscale:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix + git clone ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets.git /tmp/secrets + sed -i 's\git+ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets\/tmp/secrets\g' flake.nix nix flake update secrets echo "{{bold}}All done!" echo "{{normal}}Remember to restore flake.nix" From 1d1b76b329eadadb4a70dc5d9f1390d45d2650af Mon Sep 17 00:00:00 2001 From: Toast Date: Sat, 6 Dec 2025 03:31:56 +0100 Subject: [PATCH 2/5] Flake: add sops-nix --- flake.lock | 23 ++++++++++++++++++++++- flake.nix | 5 +++++ roles/common/configuration.nix | 8 +++++++- 3 files changed, 34 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index e622e4e..b7a234c 100644 --- a/flake.lock +++ b/flake.lock @@ -517,7 +517,8 @@ "nixpkgs-raw": "nixpkgs-raw", "nixpkgs-unstable-raw": "nixpkgs-unstable-raw", "plasma-manager": "plasma-manager", - "secrets": "secrets" + "secrets": "secrets", + "sops-nix": "sops-nix" } }, "secrets": { 
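Review bot: The rewritten `git clone ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets.git /tmp/secrets` in the @edit-secrets recipe still clones the secrets repository into a fixed, predictable path under /tmp, so a pre-existing directory or symlink at that path on a shared machine makes the clone fail or land somewhere unexpected, and the following sed then points flake.nix at it anyway. A per-run directory avoids that; since just runs each recipe line in its own shell, the path is best held in a recipe-level variable (for example one evaluated from `mktemp -d`) rather than a shell variable. The sed line also uses `\` as the s-command delimiter, which is legal but easy to misread; `sed -i 's|git+ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets|/tmp/secrets|g' flake.nix` says the same thing plainly. The recipe continues outside the hunk (the trailing echo lines are context).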
@@ -536,6 +537,26 @@ "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable-raw" + ] + }, + "locked": { + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 07875bb..b73ccd4 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ darwin.follows = ""; # Not using this on MacOS, so this doesn't pull it's dependencies }; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs-unstable-raw"; + }; home-manager = { url = "github:nix-community/home-manager/release-25.11"; @@ -167,6 +171,7 @@ modules = [ agenix.nixosModules.default + sops-nix.nixosModules.sops ( if stable then home-manager diff --git a/roles/common/configuration.nix b/roles/common/configuration.nix index 284565f..d26b350 100755 --- a/roles/common/configuration.nix +++ b/roles/common/configuration.nix @@ -129,7 +129,10 @@ backupFileExtension = "hm-backup"; useGlobalPkgs = true; verbose = true; - sharedModules = [flakeSelf.inputs.catppuccin.homeModules.catppuccin]; + sharedModules = with flakeSelf; [ + inputs.catppuccin.homeModules.catppuccin + inputs.sops-nix.homeManagerModules.sops + ]; users.toast = {osConfig, ...}: { catppuccin.flavor = osConfig.catppuccin.flavor; catppuccin.accent = osConfig.catppuccin.accent; @@ -156,6 +159,9 @@ "/persist/id_host" ]; }; + sops = { + age.sshKeyPaths = ["/persist/id_host"]; + }; catppuccin.grub.enable = true; From 8c6fdd5b51184a72605a10de2cd1a42b8a3ca877 Mon Sep 17 00:00:00 2001 
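Review bot: The Home Manager module `inputs.sops-nix.homeManagerModules.sops` added to `sharedModules` in roles/common/configuration.nix gets no key configuration anywhere in this series, while the NixOS side is given `sops.age.sshKeyPaths = ["/persist/id_host"]`; that host key is presumably readable by root only, so any per-user `sops.secrets` declaration would fail to decrypt unless the user scope sets its own `sops.age.keyFile` or `sops.age.sshKeyPaths`. If no user-level secrets are intended yet, a one-line comment next to the import such as `# sops HM module: no user-level key configured yet, see sops.age.keyFile before declaring user secrets` saves the next reader the question. The `with flakeSelf;` wrapping of the list is a matter of taste, but `[ flakeSelf.inputs.catppuccin.homeModules.catppuccin flakeSelf.inputs.sops-nix.homeManagerModules.sops ]` keeps the two module references greppable. Both configuration.nix hunks sit inside attribute sets that begin above the hunk.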
From: Toast
Date: Sat, 6 Dec 2025 03:37:06 +0100
Subject: [PATCH 3/5] Desktop/NetworkManager: migrate secrets to sops-nix
---
 flake.lock | 8 ++++----
 roles/desktop/services/networkmanager.nix | 7 ++++---
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index b7a234c..2ed2be4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -524,11 +524,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1737970846,
- "narHash": "sha256-+b44nvv+rKiRdABSHGaTLbp9ysRaHE+s/CuUsA9zNac=",
+ "lastModified": 1764987865,
+ "narHash": "sha256-9gporedK0k0t86x415hVhRdl756RsD9KUinOiuCqK4Y=",
 "ref": "refs/heads/main",
- "rev": "d8262fb108d0810d21c5e098b54a105e867e72ce",
- "revCount": 28,
+ "rev": "e945330fd68c693004ffd107e89b3d8f5d5a662e",
+ "revCount": 31,
 "type": "git",
 "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets"
 },
diff --git a/roles/desktop/services/networkmanager.nix b/roles/desktop/services/networkmanager.nix
index a9917e3..2be85d7 100644
--- a/roles/desktop/services/networkmanager.nix
+++ b/roles/desktop/services/networkmanager.nix
@@ -5,8 +5,9 @@
 }: let
 tailscaleName = config.services.tailscale.interfaceName;
 in {
- age.secrets = {
- wifiPasswords.file = "${flakeSelf.inputs.secrets}/wifi-passwords.age";
+ sops.secrets.wifiPasswords = {
+ sopsFile = "${flakeSelf.inputs.secrets}/wifi-passwords.env";
+ format = "dotenv";
 };
 networking.networkmanager = {
 enable = true;
@@ -14,7 +15,7 @@ in {
 "interface-name:${tailscaleName}"
 ];
 ensureProfiles = {
- environmentFiles = [config.age.secrets.wifiPasswords.path];
+ environmentFiles = [config.sops.secrets.wifiPasswords.path];
 profiles = {
 "4g-modem" = {
 connection = {
From 7277135a5bed1698b961a369a710b9fa89505f1c Mon Sep 17 00:00:00 2001
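Review bot: `sops.secrets.wifiPasswords` in roles/desktop/services/networkmanager.nix (first hunk) declares the secret without `restartUnits`; because `config.sops.secrets.wifiPasswords.path` is a stable /run/secrets path, a rotated password in wifi-passwords.env changes the decrypted file but nothing in the `NetworkManager-ensure-profiles` unit definition, so the switch that deploys the new secrets revision presumably leaves the already-generated profiles in place. Adding `restartUnits = ["NetworkManager-ensure-profiles.service"];` to the declaration makes the regeneration explicit. The sops-nix defaults of root ownership and mode 0400 fit a unit that runs as root, so no `owner` or `mode` override seems needed. The enclosing attribute set continues outside the hunk.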
From: Toast
Date: Sat, 6 Dec 2025 04:16:48 +0100
Subject: [PATCH 4/5] Desktop/networkManager: refactor
---
 lib/default.nix | 1 +
 lib/networkManager.nix | 18 +++++++++++++
 roles/desktop/services/networkmanager.nix | 33 +++++++----------------
 3 files changed, 29 insertions(+), 23 deletions(-)
 create mode 100644 lib/networkManager.nix
diff --git a/lib/default.nix b/lib/default.nix
index 400dc18..b3febf7 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -4,5 +4,6 @@ nixpkgs.lib.extend (final: prev: {
 importLib = file: import file {lib = final;};
 in {
 patches = importLib ./patches.nix;
+ networkManager = importLib ./networkManager.nix;
 };
 })
diff --git a/lib/networkManager.nix b/lib/networkManager.nix
new file mode 100644
index 0000000..183501b
--- /dev/null
+++ b/lib/networkManager.nix
@@ -0,0 +1,18 @@
+{lib}: {
+ /**
+ Make a NetworkManager wifi profile, to be used with ensureProfiles
+ */
+ mkWifiProfile = {id, ssid, priority ? 0, wifi-security}: {
+ connection = {
+ inherit id;
+ type = "wifi";
+ autoconnect-priority = priority;
+ };
+ ipv4.method = "auto";
+ wifi = {
+ mode = "infrastructure";
+ inherit ssid;
+ };
+ inherit wifi-security;
+ };
+}
diff --git a/roles/desktop/services/networkmanager.nix b/roles/desktop/services/networkmanager.nix
index 2be85d7..8ba9457 100644
--- a/roles/desktop/services/networkmanager.nix
+++ b/roles/desktop/services/networkmanager.nix
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 flakeSelf,
 ...
 }: let
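Review bot: The doc comment on `mkWifiProfile` in the new lib/networkManager.nix says what the function is for but not what its arguments mean or which fields are fixed, so a caller has to read the body to learn that `priority` feeds `connection.autoconnect-priority` and that `type`, `mode` and `ipv4.method` cannot be overridden. I would extend the comment to list the arguments: `id` (the connection name), `ssid`, `priority` (default 0, mapped to `autoconnect-priority`) and `wifi-security` (passed through verbatim; callers should reference `$VAR` placeholders resolved from the ensureProfiles environment file rather than literal keys, as the existing profiles do), and to state that `type = "wifi"`, `mode = "infrastructure"` and `ipv4.method = "auto"` are fixed. The `lib` argument of the file is currently unused, which is worth a word too if it is kept for symmetry with patches.nix. Documentation only; the hunk is the whole file.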
@@ -16,35 +17,21 @@ in {
 ];
 ensureProfiles = {
 environmentFiles = [config.sops.secrets.wifiPasswords.path];
- profiles = {
- "4g-modem" = {
- connection = {
- id = "4G Modem";
- type = "wifi";
- autoconnect-priority = 5;
- };
- ipv4.method = "auto";
- wifi = {
- mode = "infrastructure";
- ssid = "TP-Link_CCB4";
- };
+ profiles = with lib.toast.networkManager; {
+ "4g-modem" = mkWifiProfile {
+ id = "4G Modem";
+ priority = 5;
+ ssid = "TP-Link_CCB4";
 wifi-security = {
 auth-alg = "open";
 key-mgmt = "wpa-psk";
 psk = "$MODEM";
 };
 };
- phone = {
- connection = {
- id = "Phone";
- type = "wifi";
- autoconnect-priority = 5;
- };
- ipv4.method = "auto";
- wifi = {
- mode = "infrastructure";
- ssid = "Redmi Note 10 Pro_5197";
- };
+ phone = mkWifiProfile {
+ id = "Phone";
+ priority = 5;
+ ssid = "Redmi Note 10 Pro_5197";
 wifi-security = {
 auth-alg = "open";
 key-mgmt = "sae";
From 1ea530a2a6e2add56d90a6fb4575f812322e0bbf Mon Sep 17 00:00:00 2001
From: Toast
Date: Sat, 6 Dec 2025 04:41:12 +0100
Subject: [PATCH 5/5] Desktop/networkManager: add home wifi
---
 flake.lock | 8 ++++----
 roles/desktop/services/networkmanager.nix | 8 ++++++++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 2ed2be4..dcad82e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -524,11 +524,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1764987865,
- "narHash": "sha256-9gporedK0k0t86x415hVhRdl756RsD9KUinOiuCqK4Y=",
+ "lastModified": 1764992299,
+ "narHash": "sha256-6vJ4teDUQus5TsOMfJZEfDOslsjvkhHPELZiOAeOX8s=",
 "ref": "refs/heads/main",
- "rev": "e945330fd68c693004ffd107e89b3d8f5d5a662e",
- "revCount": 31,
+ "rev": "5c3122fc8dd5d6fe855d7da42740272cb2c313d4",
+ "revCount": 32,
 "type": "git",
 "url": "ssh://forgejo@git.toast003.xyz:4222/Toast/nix-secrets"
 },
diff --git a/roles/desktop/services/networkmanager.nix b/roles/desktop/services/networkmanager.nix
index 8ba9457..f19610b 100644
--- a/roles/desktop/services/networkmanager.nix
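Review bot: `profiles = with lib.toast.networkManager; {` in the roles/desktop/services/networkmanager.nix hunk pulls the whole helper set into scope to reach a single function, which makes `mkWifiProfile` a free name the reader has to trace back and prevents the evaluator from reporting a mistyped attribute at the point of use. Importing the one name explicitly leaves the body unchanged: `inherit (lib.toast.networkManager) mkWifiProfile;` in the file's existing `let` (which begins above the hunk) and `profiles = {` here. This also relies on the module's `lib` argument being the extended lib that carries the `toast` namespace from lib/default.nix; if the flake does not pass that lib into the module system, `lib.toast` will not evaluate, so a short comment at the new `lib,` parameter naming where the extended lib comes from would help.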
+++ b/roles/desktop/services/networkmanager.nix
@@ -38,6 +38,14 @@ in {
 psk = "$PHONE";
 };
 };
+ home = mkWifiProfile {
+ id = "Home";
+ ssid = "MOVISTAR-WIFI6-DC98";
+ wifi-security = {
+ key-mgmt = "sae";
+ psk = "$HOME";
+ };
+ };
 };
 };
 };
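Review bot: `psk = "$HOME";` in the new `home` profile uses the name of the standard `HOME` environment variable as its substitution placeholder, so the resulting key depends on whether the secrets env file or the unit's own environment wins when the ensure-profiles service expands it, and anyone sourcing or echoing wifi-passwords.env in a shell gets a home directory instead of the key. An unambiguous name such as `psk = "$HOME_WIFI_PSK";` avoids both problems; the matching key in the secrets repository has to be renamed as well, which this series does not show. Unlike the two existing profiles this one also omits `auth-alg = "open"`; for `key-mgmt = "sae"` that is presumably harmless, but the phone profile sets it with the same key-mgmt, so one convention should be chosen.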