security: start setting permissions on secrets properly

2025-12-01 23:53:27 +01:00 · 2025-12-01 23:53:27 +01:00 · ad9862019c
commit ad9862019c
parent 01fb6d8ec9
11 changed files with 126 additions and 53 deletions
--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@ -1,18 +1,15 @@
-{
-  config,
-  ...
-}:
-{
+topLevel: {
  flake = {
    modules.nixos.root =
-      { pkgs, ... }:
+      { config, pkgs, ... }:
      {
        programs.fish.enable = true;
+        sops.secrets.passwordHash.neededForUsers = true;

        users.users.root = {
          shell = pkgs.fish;
-          openssh.authorizedKeys.keys = config.flake.meta.users.cholli.authorizedKeys;
-          initialPassword = "asdf1234";
+          openssh.authorizedKeys.keys = topLevel.config.flake.meta.users.cholli.authorizedKeys;
+          hashedPasswordFile = config.sops.secrets.passwordHash.path;
        };
      };
  };