From 391ed94ab4d96535f1e7be03eec9f317b2b72f1b Mon Sep 17 00:00:00 2001
From: Mohammad Rafiq
Date: Sun, 18 May 2025 23:04:00 +0800
Subject: [PATCH] feat(modules/secrets): set rafiq password from sops
---
 modules/nixos/system/default.nix | 3 ++-
 modules/nixos/system/secrets.nix | 2 +-
 modules/nixos/system/users.nix | 12 +++++-------
 systems/x86_64-linux/nemesis/default.nix | 3 ++-
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix
index 4794286..2a6641b 100644
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@@ -10,7 +10,8 @@
 options.system = {
 hostname = lib.pantheon.mkStrOption;
- mainUser = lib.pantheon.mkStrOption;
+ mainUser.name = lib.pantheon.mkStrOption;
+ mainUser.publicKey = lib.pantheon.mkStrOption;
 bootloader = lib.pantheon.mkStrOption;
 };
diff --git a/modules/nixos/system/secrets.nix b/modules/nixos/system/secrets.nix
index f45a750..6206b88 100644
--- a/modules/nixos/system/secrets.nix
+++ b/modules/nixos/system/secrets.nix
@@ -3,7 +3,7 @@
 sops = {
 defaultSopsFile = lib.snowfall.fs.get-file "secrets/secrets.yaml";
 age.sshKeyPaths = ["/persist/home/rafiq/.ssh/id_ed25519"];
- secrets ={
+ secrets = {
 "rafiq/hashedPassword".neededForUsers = true;
 };
 };
diff --git a/modules/nixos/system/users.nix b/modules/nixos/system/users.nix
index 689ee0c..de5bfbd 100644
--- a/modules/nixos/system/users.nix
+++ b/modules/nixos/system/users.nix
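Review bot: `mainUser.publicKey` is declared with `lib.pantheon.mkStrOption` as a single string, while its only consumer in users.nix feeds it into `openssh.authorizedKeys.keys`, which is a list, so a host with more than one key would need another option change. Declaring it as a list from the start, e.g. `mainUser.publicKeys = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ ]; };` with `config.system.mainUser.publicKeys` on the consumer side, avoids that. Whether `mkStrOption` attaches a description is not visible here; if it does not, a short description of the expected `ssh-<type> <base64> [comment]` format would help whoever sets it on a new host.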
@@ -5,19 +5,17 @@
 users.mutableUsers = false;
 users.groups.users = {
 gid = 100;
- members = [ "${config.system.mainUser}" ];
+ members = [ "${config.system.mainUser.name}" ];
 };
- users.users."${config.system.mainUser}" = {
+ users.users."${config.system.mainUser.name}" = {
 linger = true;
 uid = 1000;
 isNormalUser = true;
- initialPassword = "1";
+ hashedPasswordFile = config.sops.secrets."${config.system.mainUser.name}/hashedPassword".path;
 extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n"
- ];
+ openssh.authorizedKeys.keys = [ config.system.mainUser.publicKey ];
 };
- services.getty.autologinUser = config.system.mainUser;
+ services.getty.autologinUser = config.system.mainUser.name;
 }
 ];
 }
diff --git a/systems/x86_64-linux/nemesis/default.nix b/systems/x86_64-linux/nemesis/default.nix
index aebe4d1..9db9750 100644
--- a/systems/x86_64-linux/nemesis/default.nix
+++ b/systems/x86_64-linux/nemesis/default.nix
@@ -1,7 +1,8 @@
 { config, lib, pkgs, ... }:
 {
 system.hostname = "nemesis";
- system.mainUser = "rafiq";
+ system.mainUser.name = "rafiq";
+ system.mainUser.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n";
 system.bootloader = "systemd-boot";
 hardware.drives.btrfs = {
 enable = true;
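Review bot: The new `hashedPasswordFile` line looks up `config.sops.secrets."${config.system.mainUser.name}/hashedPassword"`, but secrets.nix in this same patch still declares the key literally as `"rafiq/hashedPassword"`, so any host that sets `system.mainUser.name` to another value fails evaluation with a missing-attribute error rather than a readable one. Declaring the secret with the same interpolation, `"${config.system.mainUser.name}/hashedPassword".neededForUsers = true;`, keeps the two modules in step (the existing `neededForUsers = true` is what makes the file available when users are created, so it must stay). The modified `services.getty.autologinUser` line still logs this user in on the local console without a password prompt, so the sops-managed hash is not checked there; if that is intentional, a comment such as `# console autologin is deliberate; the hash is still used by sudo and other PAM logins` stops the next reader from assuming the password now gates the console. The attribute set these lines belong to opens before the hunk's first line.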