The authentication credentials are managed using sops-nix at secrets. The sops encrypted secrets (using GPG authentication) are stored in multiple places, such as this directory and users/passwords. User passwords are made using the command mkpasswd -m sha-512 and specified using the hashedPasswordFile option. The sops encrypted secrets are of binary format (and have the extension .secret) and can be conveniently managed using the nixos secret command. The keys directory contains the public User GPG Keys, which are automatically imported.

To create a secret, use the nixos secret create command, and append the directory along with requisite access permissions to the secrets.yaml file. Device-specific secrets are automatically imported if a directory (with the same name as the device HOSTNAME) containing them is present in this directory.
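
How a binary-format password secret can be wired to hashedPasswordFile with sops-nix, as an added example that is not taken from this repository. The user name alice, the secret name, the file path and the GPG home directory are assumptions chosen for illustration.

```nix
{ config, ... }:
{
  # Assumption: the sops-nix NixOS module is already imported elsewhere
  # in the configuration.

  # Assumption: the host decrypts with a GPG keyring kept at this path.
  sops.gnupg.home = "/var/lib/sops";
  # Do not derive GPG keys from the host's SSH keys when a keyring is used.
  sops.gnupg.sshKeyPaths = [ ];

  # Hypothetical secret: the whole decrypted file is the output of
  # `mkpasswd -m sha-512`, so no key inside the file is selected.
  sops.secrets."alice-password" = {
    sopsFile = ./users/passwords/alice.secret; # hypothetical path
    format = "binary";
    # Decrypt before user accounts are created, otherwise the hash
    # file does not exist yet when the password is set.
    neededForUsers = true;
  };

  # With mutable users, hashedPasswordFile only applies when the
  # account is first created; disabling it makes the file authoritative.
  users.mutableUsers = false;

  users.users.alice = {
    isNormalUser = true;
    # Only the path enters the Nix store; the hash itself stays out of it.
    hashedPasswordFile = config.sops.secrets."alice-password".path;
  };
}
```

Because the option takes a path rather than the hash, the SHA-512 crypt string never lands in the world-readable Nix store.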