flowy: add a user password

hosts/by-name/flowy/default.nix

@@ -20,7 +20,7 @@
   sane.programs.itgmania.enableFor.user.colin = true;
   sane.programs.sway.enableFor.user.colin = true;
 
-  # sops.secrets.colin-passwd.neededForUsers = true;
+  sops.secrets.colin-passwd.neededForUsers = true;
 
   # sane.services.rsync-net.enable = true;
 }

hosts/common/users/colin.nix

@@ -36,6 +36,10 @@
 
     # initial password is empty, in case anything goes wrong.
     # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    # N.B.: the linux password, here, is used for screen lockers;
+    #       the login password is dictated by gocryptfs credentials;
+    #       both are necessary for a well-functioning system.
+    #       (in the future, pam-mount *could* be used to unify those passwords)
     initialPassword = lib.mkDefault "";
     hashedPasswordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
 

secrets/flowy/README.md

@@ -0,0 +1,2 @@
+- colin-passwd.bin:
+  - generate with `mkpasswd -m sha512crypt`, or `mkpasswd --rounds=2000000 --method=sha512crypt`

secrets/flowy/colin-passwd.bin

@@ -0,0 +1,27 @@
+{
+	"data": "ENC[AES256_GCM,data:fBOYowPRuwsnF6m6qdYW4bpnI85qmp6y1l8VFJCr0LYHQSzQQxAjNklvX6AJEBIfEmqObUFT7J19L0JMs6PfWzDdwP16aJdetytMIgRQx27Sd74aKYj4WuTqHHtzPzSQvcwHv65IUOvd+9aYLS42xgmUZWU55v9Msd4=,iv:3gHGtx8DZIT07gUV95UWerKnUnOW2n+oLvvp+poy4QI=,tag:kSvCCDMuE4Yv3jPqZ3YoGA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQThkQkJoRy8rQlZHUUFE\nMzRhZjI3aUVuczYzT1l3OG9CNE85blJMSG40Ckdxc0c1OGs5dkJVUzRFeEVibXdu\nbXdyT1A3MXRUeDQ5QkJ4VmwzZ2lOODAKLS0tIGZpUjZhamczQWxOSnBRSC9XYTN6\nRWNqM0pUN0d3MXBlQ3V0U0h4S0dHSzAK3HSX9vIx1sQ3TqHopKzd6IIKX5HDmNJh\nlatXqFoXrS2sn7YXuhtQcyXEBi7RMlw+aUySanohrUE6M0iCpCeYNQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nw3z25gn6l8gxneqw43tp8d2354c83d9sn3r0dqy5tapakdwhyvse0j2cc",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3b1hpeDk0V1pKYWtEMUlR\nSEZOVU56eWVCWWZkYmNnYUZROEQ2eHZkTGo0CnZRMTFyWnZ1azg4ck1mczZvb08r\nejVkV0VVaGlsVEE0VS81a3RUdFdvZW8KLS0tIHpBQW42SWNtTzlqaEJpejZYc0o3\na1RRU1BVVmxJR1RyR285OFpXSlVEb2MKFAzhUc7cm9M6/+3+t50MwRMfViqhRYcC\ns7F8Z08AnLfTlKtLYEYUNf+rFQcMwIRH9iNgiOWwQd7JWjFyCW6bcg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBibXZEdDVJMXl4b0NvWEZ1\nTGU3dnlidm5Fb1hnU0NDQ3BrVU03MUxhQndjCnhIamFVdnVNVGhmTlFjYXlSSnNW\nRVgzRXIwMnpSUFEwdEt6eWJqdjJZbncKLS0tIDZ1TkJqU1JqTWVRbGphMnZRM1du\nQ1p0MzJjcnNST1ZTc2gydHpFTGFtblEK2Qt748R94CVIedp3kwbm9TlJlyh0F8f1\noKxAyfhtRQh/iA3SQ6nHlatPDMt4arRtGV6SiDdkcq3pH/4+xg31mQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1azm6carlm6tdjup37u5dr40585vjujajev70u4glwd9sv7swa99sk6mswx",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUXVjaVd2RnJVSmdmaUEx\nYmgxdFdiWTlPMXFvODRGdUdNY3hNZGhJYkZrCkZOQUMrUERDcWJZa3ZuZ2R3M2Jw\ncFFONEdXWGt5T3JHeVlyaFVHbkJGK00KLS0tIGdNdm14SmhVQy9LQWZ3c2dKd2Ri\neWRqN1oyVVJlL01JOXNJQ1p5N0dRc2sK77CJaC8Utp9QTa2KTyOWFCSpcrIFbQzO\nXwr3rCrnVwlK7+dTTul4Xz0AahS/Wi9UFGHT9kztAzKC5vgguLD7vQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-02T15:41:00Z",
+		"mac": "ENC[AES256_GCM,data:vLKwPPEOwXmwgseY1s4TfdsP87CtIiE3kHx5c+xMQsqZqpPi9Eas1wqyw4sQeMM5PQ9DCvxJFi8VpyYZOF0ySxSs4Xf0ifGubTKTKeYdVKUsQyJp26XUV+rrpU7jxItMKMDZ5HB69swviUPLs8EuRff0C1JAw04+dKRX5uKXBN4=,iv:dDuDK54AMrQf1k7kVDNT8NXLTkdIPFd83eXM5DW5wF0=,tag:q/tIvs/xNyhPe949yr0zsA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}