From 175f5eb78916bbcaef765645fe4f22ebd7ba5307 Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Wed, 29 Apr 2026 00:06:01 +0200
Subject: [PATCH] feat: initializes secrets file for fragile; adds yubikey u2f key to secrets and set it to be in the home path of ${username}

---
 .sops.yaml | 5 +++++
 modules/core/sops.nix | 8 ++++++++
 secrets/fragile/secrets.yaml | 17 +++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 secrets/fragile/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index b08f268..a515355 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,7 @@ keys:
   - &sakura age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w
   - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3
   - &dandelion age1dpzajxcx7dcumda55qc3hncxqd43a7k85t2cdwtcvy5qsgp6k5tsugxqmd
+  - &fragile age1yu47wk9z3j5tspymyda8lw3u5snr66u96f2lzhqfdfmm7xv8xpxqcz9fcv
 creation_rules:
   - path_regex: secrets/sakura/secrets.yaml
     key_groups:
@@ -17,3 +18,7 @@ creation_rules:
       - age:
           - *sakura
           - *dandelion
+  - path_regex: secrets/fragile/secrets.yaml
+    key_groups:
+      - age:
+          - *fragile
diff --git a/modules/core/sops.nix b/modules/core/sops.nix
index 0543033..93ec1fe 100644
--- a/modules/core/sops.nix
+++ b/modules/core/sops.nix
@@ -49,6 +49,14 @@
           "dandelionSyncthingId" = { };
           "sakuraSyncthingId" = { };
         }
+        else if (host == "fragile") then
+          {
+            "systemMailerPassword" = { };
+            "yubikeySecret" = {
+              owner = username;
+              path = "/home/${username}/.config/Yubico/u2f_keys";
+            };
+          }
         else
           { };
     };
diff --git a/secrets/fragile/secrets.yaml b/secrets/fragile/secrets.yaml
new file mode 100644
index 0000000..72dcc2d
--- /dev/null
+++ b/secrets/fragile/secrets.yaml
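Review bot: The new creation rule for secrets/fragile/secrets.yaml lists `*fragile` as its only age recipient, so the file can only be decrypted or re-edited with the fragile host's private key, whereas the rule that ends just above it in the context lines carries two recipients. If an operator or recovery key is supposed to be able to edit these secrets as it apparently can for the other hosts, add it under the same `- age:` group and re-run `sops updatekeys secrets/fragile/secrets.yaml`, because the committed file's sops block would otherwise still name only the fragile recipient. If a single recipient is intentional, a short comment on the rule saying so would spare the next reader the question.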
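Review bot: `path = "/home/${username}/.config/Yubico/u2f_keys";` together with `owner = username;` hard-codes the home directory and places the pam_u2f key mapping under the user's own control; if the YubiKey is meant to be a mandatory second factor rather than a convenience, a root-owned mapping referenced through pam_u2f's `authfile` option is the usual hardened layout, since a per-user file in $HOME is something that user's own session can replace. At minimum consider deriving the path from the user's configured home instead of the literal `/home/` prefix, and confirm that sops-nix creating the `.config/Yubico` parent directories at activation does not leave them root-owned inside the user's home (the hunk does not show how this interacts with user creation order or home-manager). The `if host == ... then ... else` chain this branch joins starts outside the hunk; only its final `else { };` and closing `};` are visible as context.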
@@ -0,0 +1,17 @@
+systemMailerPassword: ENC[AES256_GCM,data:N4xRgg40VtTgeHI16YC/ZOg4BN/N2GM67m81rqPrQUuMoFmarmBM0sYbxBVjpkyjyzH5kWyZ3Y6tY15FuY+d8kjFbCqmYc2B1OzaU/uHhyO4ewuZFBlgtu0PFWvPsKCfpx8D39sZwXpIQVnAbR7DbKaZmMdWCIxxfsYKJzhJiU8=,iv:xWLw1WTgqVt/I5ylbUjg2EIc7MoeMi4UPwm6zjmD3Xw=,tag:lPzhddRvi6qQZD7Gef2Uzg==,type:str]
+yubikeySecret: ENC[AES256_GCM,data:L46VgDAtIlxtdtnYhb59cFeU3v/j1nlkXLF/lkCnCpIS28NeG+3YrSAm0Gv0uwqBX7/XU6hBg2r9y1e4KrfYJn5+pBku18rPJz8eNLl+/9fzRDRba3251AyaoC8n3TuNVvwrLmXu14r1bR8LCIFX4D8N9QFREQeLMELlPrSzaKY7AT9K/rNgFZ7vDmJCqpKlv2Y1nMCAl5kvvn6HrIp489fypBLqGNCA0Sn5kymM7wqzaKM76E66SzkzG0hxFhUf7Tvi3iOS,iv:2QIOOVwZYDyIN1I7NC4AOvr7CuNsR1LZzIsNPdKHj/c=,tag:frJtXeylLdefu5AeVtthoA==,type:str]
+sops:
+    age:
+        - recipient: age1yu47wk9z3j5tspymyda8lw3u5snr66u96f2lzhqfdfmm7xv8xpxqcz9fcv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMm1mTzVxUE9zZGRyR2NB
+            V1VRbkgyTTJMMGVJanN0RGJwOURNejZKS1MwCklrUjZ5RTdWcTZNNC9KNWgvQ0R4
+            dVJtb2kvYjV5a04yVzJqaG8zKzhzRjAKLS0tIEpHOXpmbHdKZmJCNkxDeDlKUnZh
+            NURtNnR2T2MxaG52cEwvNEYxSUpDWXcK4VfTdWFJ33AwdOphxEfOSne/Aikgx46e
+            YeqjGdQslRCNutQnoJjefyToy/DCgd/wbdT1/Am7WwESA2O3xIzvoA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-28T20:36:04Z"
+    mac: ENC[AES256_GCM,data:p4PsH3iRHWOTADVAaFZhn+VP3IbaCKZNjiFbeqP9sjJfE+DE0ycAfw05IuzbqkDnwJX2J3wX5ufQyO8zmhjjLvR445jPoapwN1KuQO8L+eiPvbF3v7hNc2XISrYHbtnN7v1K2IfWgTqef+kEwFqjnPzMKhBFV+ObMg+CWVWVMVs=,iv:bSvX/jOQWn/HnVg/quokWdO36/01Isd4GrD566HFaQk=,tag:3M/fjgBYfprfe853ColVoQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1