Add sops-nix for secrets management

- Add flake.nix with sops-nix input
- Configure sops with age key encryption
- Add .sops.yaml template for age key configuration
- Create secrets/ directory for encrypted secrets
- Add .gitignore for age keys and nix result symlinks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -0,0 +1,7 @@
+# Age keys (never commit these)
+*.key
+key.txt
+
+# Result symlinks
+result
+result-*

.sops.yaml

@@ -0,0 +1,10 @@
+keys:
+  # Replace with your age public key (from age-keygen)
+  # Example: age1qyqszq...
+  - &vps age1__REPLACE_WITH_YOUR_AGE_PUBLIC_KEY__
+
+creation_rules:
+  - path_regex: secrets/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *vps

configuration.nix

@@ -39,6 +39,15 @@
   # === Sudo without password for wheel group ===
   security.sudo.wheelNeedsPassword = false;
 
+  # === SOPS (Secrets Management) ===
+  sops = {
+    defaultSopsFile = ./secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.keyFile = "/var/lib/sops-nix/key.txt";
+    # Generate with: nix-shell -p age --run "age-keygen -o key.txt"
+    # Then add the public key to .sops.yaml
+  };
+
   # === Automatic Updates ===
   system.autoUpgrade = {
     enable = true;

flake.nix

@@ -0,0 +1,19 @@
+{
+  description = "NixOS VPS configuration";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = { self, nixpkgs, sops-nix, ... }@inputs: {
+    nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+        sops-nix.nixosModules.sops
+      ];
+    };
+  };
+}