Diffstat (limited to 'modules/root')
-rw-r--r-- | modules/root/normaluser.nix | 35 | ||||
-rw-r--r-- | modules/root/resources/secrets/hashed-root-password.yaml | 16 | ||||
-rw-r--r-- | modules/root/resources/secrets/secrets.yaml | 17 | ||||
-rw-r--r-- | modules/root/resources/secrets/wpa_supplicant-conf.yaml | 16 | ||||
-rw-r--r-- | modules/root/secrets.nix | 30 | ||||
-rw-r--r-- | modules/root/wifi.nix | 13 |
6 files changed, 74 insertions, 53 deletions
diff --git a/modules/root/normaluser.nix b/modules/root/normaluser.nix
index 3bb9adc..ec266c4 100644
--- a/modules/root/normaluser.nix
+++ b/modules/root/normaluser.nix
@@ -1,18 +1,23 @@
-{ config, userDetails, ... }: {
- users.users.root = {
- hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
+{ lib, config, userDetails, ... }: {
+ options = {
+ users.setPassword.enable = lib.mkEnableOption "set users password. requires hashed root password from sops";
 };
- users.users.${userDetails.username} = {
- description = userDetails.fullname;
- #home = userDetails.home;
- isNormalUser = true;
- hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
- extraGroups = [
- "i2c"
- "libvirtd"
- "nixbld"
- "video"
- "wheel"
- ];
+
+ config = {
+ users.users.root = lib.mkIf config.users.setPassword.enable {
+ hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
+ };
+ users.users.${userDetails.username} = {
+ description = userDetails.fullname;
+ isNormalUser = true;
+ hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
+ extraGroups = [
+ "i2c"
+ "libvirtd"
+ "nixbld"
+ "video"
+ "wheel"
+ ];
+ };
 };
 }
diff --git a/modules/root/resources/secrets/hashed-root-password.yaml b/modules/root/resources/secrets/hashed-root-password.yaml
new file mode 100644
index 0000000..e2ba5d2
--- /dev/null
+++ b/modules/root/resources/secrets/hashed-root-password.yaml
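Review bot: Both `users.users.root` and `users.users.${userDetails.username}` point `hashedPasswordFile` at the same `hashed-root-password` secret, so the root account and a `wheel` member share one credential and a single leak or guess of that hash compromises both; a second sops secret with its own `sopsFile` for the normal user would separate them, and the option description should at least say it applies to both accounts. The new option is declared under the `users.` namespace that nixpkgs owns, so a later upstream `users.setPassword` would collide with it; a project-specific prefix avoids that. The `lib.mkIf config.users.setPassword.enable` on the user's `hashedPasswordFile` mirrors the guard on the secret definition in secrets.nix, which is what keeps the `.path` reference from being evaluated when the secret is absent — worth a one-line comment, e.g. `# guarded by the same condition as sops.secrets.hashed-root-password in secrets.nix`. When the option is off neither account receives a password from this module; a comment stating the intended login path in that case (key-based SSH, console without password, etc.) would make the default explicit.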
@@ -0,0 +1,16 @@
+hashed-root-password: ENC[AES256_GCM,data:7Qgoeb/6JPNupkHCBEzCs0FMP2cDEw972bjCRWeMrBrAMZzLsZc3Mbv03s1zLztUp6Ie93R5lVsamxKPUnaPt+Tnr/l+0E9aTmt7j7L6UzmWr12nj3FHxxTSU9ief6+ioIk+S4eICJspIQ==,iv:VoWP4qBCGzuYRpQw4nilUXByJ+ZwyZR/BdKowi+53DM=,tag:x6A00VCm8BEOhtv/WySXrQ==,type:str]
+sops:
+ age:
+ - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb3FoT3V5SFJUSEh6NW55
+ Wjh1dVYrc3UwUHR2L0RiNkhqWXFCNkNtZVhzCnlSSFR0YnRmbmN3SzNYZmYyTUdk
+ WVJyOFJvU3F5NTE0MENBaHVGdU5BeHcKLS0tIGdZNGdRYWd0WDVhcUZRK1doL3Ja
+ WXRyN2hTRTNobXlQS1JNeCtsL3hJZDAKAt7AbWYjT7MDIZdobIhUFovziofzna9f
+ aBXkOjlh6jDeBpgSwEiRuCX9sOCKrpD6z3dwzpoOAFqzqaI/8dGnEQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-17T22:34:07Z"
+ mac: ENC[AES256_GCM,data:B95HuJC2o8B+P1f9kAtJTcSty7YSAByuqe/Xs6ce6780p05FuzWM5X9bwvwsYXngGNKqCHksWf50UXzJ3eyc6y4ISxdxljAv2FmJFKw4NkfGaOMiRLlGPMn1uFpOtkRT+qL0+mupWG/Ap3zcpbxjsDx46PUur+e6yRxlAHw8mGw=,iv:DYobhWK+4+7vOog7BrBASiHrEzzz0P6zqgWxexfcLG8=,tag:skGwUpDEB8e3TCjrxs5peA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/modules/root/resources/secrets/secrets.yaml b/modules/root/resources/secrets/secrets.yaml
deleted file mode 100644
index fcba4a6..0000000
--- a/modules/root/resources/secrets/secrets.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-wpa_supplicant-conf: ENC[AES256_GCM,data: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,iv:b5hJnjKOJx1I13QCNJsKGDbQ7g+27eX1XkSVaGcJhA4=,tag:6QumSrB7myeS/SU5bEAKRQ==,type:str]
-hashed-root-password: ENC[AES256_GCM,data:KUoB8Z0ifh7lE9ir9AqkiMRHfw6rusXw3KC1dLIRd4YpbTiNI+cAdC474LR721+LNWoj5ZytSdDsVyS+t3o076rV4sgWgL17jPPf+H2KE5FOmQKYTUiHfSBsLKyyhpie4tpFJWv/3cCW8Q==,iv:0sZPz3V7IqTGbF3Fnm+FbgBS3GTnHsRx0OzIoAE1H64=,tag:H6CQlANfiD6ZuQhONKyMAQ==,type:str]
-sops:
- age:
- - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTUlBZXQ5Z080UUxoUGdr
- dm9hRE5uTzFwWXhOWkJnbXNvazd1UnplcUdZCnRKQ3RVT1RGZURLYUxINStBSU4x
- bUZudFp2SC9DSkVhNTRHV0MrRFFMckEKLS0tIGNBb3FLQVJsTGVsY3hMdy94WWZx
- UkJ1SGJrWXNtbmlmc2c4M1IxdUpVOWMKjaakq+n8ZijGjaNVM8/dQApaVFp9+q3K
- nhvon4p5KUFE+myABnEknaSZ5UcvW6ZLff9AB7l35NZhGXAhv+y6HA==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-10T02:39:52Z"
- mac: ENC[AES256_GCM,data:dn9v2ur5/sIrQL4HrQvTYcXpja+JwE2TMheT/AasZlhcYHI2NhLNwgpcDzITQbnnf+WAWYz3vjyEnP8tYuxO1Bggu+dDjAHMV8AfceYHnqJFPK4L9Kb8hBK93+7uOE38kjfsV3fZ3JS7dU3DkpNV6Geqa8cQ0u2bN3Yiz8YnaiQ=,iv:GGoDCZ/l4s7atWmRsbopq/WgxhQipaKHhSVQWi0TK8U=,tag:gkYht8PMOcTFhHOABKj4Ig==,type:str]
- unencrypted_suffix: _unencrypted
- version: 3.10.2
diff --git a/modules/root/resources/secrets/wpa_supplicant-conf.yaml b/modules/root/resources/secrets/wpa_supplicant-conf.yaml
new file mode 100644
index 0000000..2fd7a0e
--- /dev/null
+++ b/modules/root/resources/secrets/wpa_supplicant-conf.yaml
@@ -0,0 +1,16 @@
+wpa_supplicant-conf: ENC[AES256_GCM,data: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,iv:7qdltuNvesslz32SfEXqu9WFu2uGOGg1sjfskfqfXnk=,tag:N1RhL1M9YtDlvxLBRC2gAg==,type:str]
+sops:
+ age:
+ - recipient: age1w80rc0dnuu8nw99gw64c596qqetm78jdnsqajr0u7ephykekr39qfz8vnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxdXBUWXEvRU85Tk1lNWgz
+ ZHpENjdudmRuaEJIeVRHOHlDbWNzK0tQMGs4CmV6MVBpdE5PMTBWMm1PcDVFQ2VM
+ b0IwWDFxLy8xYUcxRVZFSEsyYlBFS1UKLS0tIHpCbDQ0a29TZlVFTGp4aXJCSmJ4
+ ZGxqMFQ1NDk1OHJIOUd0cVV0dzNNQlkKzYX36u0rEq6dMTCJf6OON6LzcEEnAB5A
+ +M9t3OKUUNtwgksjBUEwqBLJ1sU9amijpK63GUxwp74YDtsb0YXHiw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-17T22:33:44Z"
+ mac: ENC[AES256_GCM,data:leJsAdcWFE0EA1syXfd7yDu1Ct+vTkKiHUEc46O31uUeaWVFwgH8EKC0ImqiHMgbDJv+a9UHm7GtsWy1aMQNVRBXL3R2HbNQkOqGkIIdGsrrbjslQl8UwI7wx1g2P3ORhlGRYXTscDUl53+e4i3YrYOEDDPL5EAWuQEWldJXLZc=,iv:banL6qqV2EqfZFKHn5dawUq95Ima06z8H6Kso1qRdcA=,tag:g6M95M6bT4UPTfiEZT4ljw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/modules/root/secrets.nix b/modules/root/secrets.nix
index 045e3f4..38346b2 100644
--- a/modules/root/secrets.nix
+++ b/modules/root/secrets.nix
@@ -1,30 +1,18 @@
-{ pkgs, inputs, config, userDetails, ... }: {
+{ lib, pkgs, inputs, config, userDetails, ... }: {
 imports = [ inputs.sops-nix.nixosModules.sops ];
 sops = {
- defaultSopsFile = ./resources/secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
- age.keyFile = "${userDetails.home}/.config/sops/age/keys.txt";
+ age.sshKeyPaths = [ "${userDetails.home}/.ssh/id_ed25519" "/root/.ssh/id_ed25519" ];
 secrets = {
- wpa_supplicant-conf = { };
- hashed-root-password = { };
- };
- };
-
- # This service is a workaround to ensure that secrets are available on
- # reboot when the secret keys are on a separate subvolume
- systemd.services.npcnix-force-rebuild-sops-hack = {
- wantedBy = [ "multi-user.target" ];
- before = [
- # List all services that require secrets
- "wpa_supplicant.service"
- ];
- serviceConfig = {
- ExecStart = "/run/current-system/activate";
- Type = "oneshot";
- Restart = "on-failure"; # because oneshot
- RestartSec = "10s";
+ wpa_supplicant-conf = lib.mkIf config.wifi.enable {
+ sopsFile = ./resources/secrets/wpa_supplicant-conf.yaml;
+ };
+ hashed-root-password = lib.mkIf config.users.setPassword.enable {
+ sopsFile = ./resources/secrets/hashed-root-password.yaml;
+ neededForUsers = true;
+ };
 };
 };
 }
diff --git a/modules/root/wifi.nix b/modules/root/wifi.nix
index 542cfd7..96fe5c8 100644
--- a/modules/root/wifi.nix
+++ b/modules/root/wifi.nix
@@ -14,5 +14,18 @@
 environment.etc."wpa_supplicant.conf" = {
 source = config.sops.secrets.wpa_supplicant-conf.path;
 };
+
+ # This service is a workaround to ensure that secrets are available on
+ # reboot when the secret keys are on a separate subvolume
+ systemd.services.npcnix-force-rebuild-sops-hack = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "wpa_supplicant.service" ];
+ serviceConfig = {
+ ExecStart = "/run/current-system/activate";
+ Type = "oneshot";
+ Restart = "on-failure"; # because oneshot
+ RestartSec = "10s";
+ };
+ };
 };
 }
|
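Review bot: The new `age.sshKeyPaths` line derives the host's sops decryption identity from an interactive user's personal key, `"${userDetails.home}/.ssh/id_ed25519"`, with `/root/.ssh/id_ed25519` as the alternative; sops-nix decrypts as root during activation, so this ties every host secret to one user's SSH identity, and — given the comment retained in wifi.nix that the keys sit on a separate subvolume — the key may not be readable yet when `neededForUsers = true` on `hashed-root-password` forces decryption before user setup. The OpenSSH host key (`/etc/ssh/ssh_host_ed25519_key`, which sops-nix reads by default when openssh is enabled) lives on the root filesystem and is present at that point; switching to it and adding its age recipient to the two `.yaml` files would also remove the need for the re-activation workaround. If the user key must stay, a comment on the `sshKeyPaths` line saying which path is expected on which host would help the next reader, e.g. `# laptop: user key; servers: root key — both must exist before stage-2 activation`. Whitespace-only context lines appear to have been dropped in this rendering, since `@@ -1,30 +1,18 @@` counts two more lines than are visible on each side.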
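Review bot: The relocated `npcnix-force-rebuild-sops-hack` unit re-runs the entire `/run/current-system/activate` script as a oneshot with `Restart = "on-failure"` to compensate for decryption keys that are not mounted at activation time; `before = [ "wpa_supplicant.service" ]` only orders the two units, so when the re-activation fails and is retried after `RestartSec`, wpa_supplicant still proceeds against a missing `/etc/wpa_supplicant.conf` and the retry then races a running service. Re-running all activation scripts, not just the sops one, is a broad side effect for a unit whose stated purpose is narrow. If the key cannot be moved to the root filesystem (see the `sshKeyPaths` change in secrets.nix), the real dependency is better expressed with `unitConfig.RequiresMountsFor` on the directory holding the key, and the comment above the unit should name that directory so the workaround can be retired when the layout changes. The enclosing `config` attribute set of wifi.nix begins before line 14, outside this hunk, so whether the unit is itself gated on `config.wifi.enable` is not visible here.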