Using separate password file

docs/src/hera.md

@@ -74,9 +74,12 @@ mount -t zfs rpool/safe/persist /mnt/persist
 # Required directories
 mkdir -p /mnt/persist/etc/NetworkManager/system-connections
 mkdir -p /mnt/persist/var/lib/bluetooth
+mkdir -p /mnt/persist/etc/users
 ```
 
-* Prepare ssh keys
+The hashed password for each user should go in `/mnt/persist/etc/users/<user>`.
+
+### Prepare ssh keys
 
 ```sh
 mkdir -p /mnt/persist/etc/ssh
@@ -96,6 +99,8 @@ Update `.sops.yaml` and then `task sops:re-encrypt`
 
 Commit and push the changes.
 
+### Config Generation
+
 Generate the configuration with:
 
 ```sh
@@ -113,5 +118,5 @@ from the host machine.
 Finally, install via
 
 ```sh
-nixos-install
+nixos-install --no-root-passwd
 ```

hosts/_modules/nixos/system/impermanence/default.nix

@@ -25,8 +25,8 @@ in
     config = lib.mkIf cfg.enable {
       # move ssh keys
 
-      # bind a initrd command to rollback to blank root after boot
       boot = {
+        # bind a initrd command to rollback to blank root after boot
         initrd.postDeviceCommands = lib.mkAfter ''
           zfs rollback -r ${cfg.rootPoolName}@${cfg.rootBlankSnapshotName}
         '';

hosts/hera/default.nix

@@ -35,7 +35,7 @@ in {
     shell = pkgs.fish;
     packages = [pkgs.home-manager];
     openssh.authorizedKeys.keys = [(builtins.readFile ../../homes/scotte/config/ssh/ssh.pub)];
-    hashedPasswordFile = config.sops.secrets.scotte-password.path;
+    passwordFile = "/persist/etc/users/scotte";
     isNormalUser = true;
     extraGroups =
       ["wheel"]
@@ -48,11 +48,6 @@ in {
     gid = 1000;
   };
 
-  sops.secrets.scotte-password = {
-    sopsFile = ../../homes/scotte/hosts/hera/secrets.sops.yaml;
-    neededForUsers = true;
-  };
-
   system.activationScripts.postActivation.text = ''
     # Must match what is in /etc/shells
     chsh -s /run/current-system/sw/bin/fish scotte