modularize NixOS secrets config

home/hosts/work/default.nix

@@ -10,7 +10,6 @@ let
 in
 {
   imports = [
-    inputs.sops-nix.homeManagerModules.sops
     ../../modules/dconf.nix # TODO: Only enable when on Gnome?
   ];
 

hosts/andromache/default.nix

@@ -6,11 +6,15 @@
   ...
 }:
 
+let
+  username = "h";
+in
 {
   system.stateVersion = "25.05";
 
   imports = [
     inputs.disko.nixosModules.disko
+    inputs.sops-nix.nixosModules.sops
     inputs.home-manager.nixosModules.default
     ./hard.nix
     ../../modules/bootloader.nix
@@ -28,8 +32,15 @@
     ../../modules/localization.nix
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
+    (import ../../modules/secrets {
+      inherit lib;
+      inherit inputs;
+      inherit config;
+    })
   ];
 
+  secrets.username = username;
+
   disko.devices = {
     disk.data = {
       type = "disk";
@@ -75,7 +86,7 @@
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
-    users.h = import ../../home/hosts/andromache {
+    users.${username} = import ../../home/hosts/andromache {
       inherit inputs;
       inherit config;
       inherit pkgs;
@@ -99,7 +110,7 @@
     enable = true;
     openDefaultPorts = true;
     folders = {
-      "/home/h/sync" = {
+      "/home/${username}/sync" = {
         id = "sync";
         devices = [ ];
       };

hosts/astyanax/default.nix

@@ -6,6 +6,10 @@
   ...
 }:
 
+let
+  username = "h";
+  hostName = "astynanax";
+in
 {
   system.stateVersion = "25.05";
 
@@ -23,37 +27,21 @@
     ../../modules/gnome.nix
     ../../modules/bluetooth.nix
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = "astyanax"; })
+    (import ../../modules/networking.nix { hostName = hostName; })
     ../../modules/users.nix
     ../../modules/audio.nix
     ../../modules/localization.nix
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
+    (import ../../modules/secrets {
+      inherit lib;
+      inherit inputs;
+      inherit config;
+      inherit username;
+    })
   ];
 
-  sops = {
+  secrets.username = username;
-    validateSopsFiles = false;
-    defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
-    defaultSopsFormat = "yaml";
-    age.keyFile = "/home/h/.config/sops/age/keys.txt";
-
-    secrets = {
-      "test" = { };
-
-      "taskwarrior_sync_server_url".owner = config.users.users.h.name;
-      "taskwarrior_sync_server_client_id".owner = config.users.users.h.name;
-      "taskwarrior_sync_encryption_secret".owner = config.users.users.h.name;
-    };
-
-    templates."taskrc.d/sync" = {
-      owner = config.users.users.h.name;
-      content = ''
-        sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"}
-        sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"}
-        sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"}
-      '';
-    };
-  };
 
   environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
 
@@ -67,7 +55,7 @@
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
-    users.h = import ../../home/hosts/astyanax {
+    users.${username} = import ../../home/hosts/astyanax {
       inherit inputs;
       inherit config;
       inherit pkgs;

hosts/vm/default.nix

@@ -1,16 +1,21 @@
 {
+  lib,
   inputs,
   config,
   pkgs,
   ...
 }:
 
+let
+  username = "h";
+in
 {
   system.stateVersion = "25.05";
 
   imports = [
     inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel
     inputs.disko.nixosModules.disko
+    inputs.sops-nix.nixosModules.sops
     inputs.home-manager.nixosModules.default
     ./hard.nix
     ./disk.nix
@@ -23,8 +28,15 @@
     ../../modules/x.nix
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
+    (import ../../modules/secrets {
+      inherit lib;
+      inherit inputs;
+      inherit config;
+    })
   ];
 
+  secrets.username = "h";
+
   environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
 
   nix.settings.experimental-features = [
@@ -55,7 +67,7 @@
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
-    users.h = import ../../home/hosts/vm {
+    users.${username} = import ../../home/hosts/vm {
       inherit inputs;
       inherit config;
       inherit pkgs;

modules/secrets/default.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  inputs,
+  config,
+  ...
+}:
+
+let
+  cfg = config.secrets;
+in
+{
+  options = {
+    secrets.username = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+  config = {
+    sops = {
+      validateSopsFiles = false;
+      defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
+      defaultSopsFormat = "yaml";
+      age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
+
+      secrets = {
+        "taskwarrior_sync_server_url".owner = config.users.users.${cfg.username}.name;
+        "taskwarrior_sync_server_client_id".owner = config.users.users.${cfg.username}.name;
+        "taskwarrior_sync_encryption_secret".owner = config.users.users.${cfg.username}.name;
+      };
+
+      templates."taskrc.d/sync" = {
+        owner = config.users.users.${cfg.username}.name;
+        content = ''
+          sync.server.url=${config.sops.placeholder."taskwarrior_sync_server_url"}
+          sync.server.client_id=${config.sops.placeholder."taskwarrior_sync_server_client_id"}
+          sync.encryption_secret=${config.sops.placeholder."taskwarrior_sync_encryption_secret"}
+        '';
+      };
+    };
+  };
+}