security: start setting permissions on secrets properly

2025-12-01 23:53:27 +01:00 · 2025-12-01 23:53:27 +01:00 · ad9862019c
commit ad9862019c
parent 01fb6d8ec9
11 changed files with 126 additions and 53 deletions
--- a/modules/users/cholli/default.nix
+++ b/modules/users/cholli/default.nix
@ -1,8 +1,4 @@
-{
-  config,
-  ...
-}:
-{
+topLevel: {
  flake = {
    meta.users = {
      cholli = {
@ -22,12 +18,13 @@

    modules = {
      nixos.cholli =
-        { pkgs, ... }:
+        { config, pkgs, ... }:
        {
          programs.fish.enable = true;
+          sops.secrets.passwordHash.neededForUsers = true;

          users.users.cholli = {
-            description = config.flake.meta.users.cholli.name;
+            description = topLevel.config.flake.meta.users.cholli.name;
            isNormalUser = true;
            createHome = true;
            extraGroups = [
@ -39,13 +36,12 @@
              "wheel"
            ];
            shell = pkgs.fish;
-            # TODO: fix this with sops
-            initialPassword = "asdf";
+            hashedPasswordFile = config.sops.secrets.passwordHash.path;

-            openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
+            openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
          };

-          nix.settings.trusted-users = [ config.flake.meta.users.cholli.username ];
+          nix.settings.trusted-users = [ topLevel.config.flake.meta.users.cholli.username ];

        };