From 19ecf4423b5e7ba8f4d22a776315bf65a23ce8df Mon Sep 17 00:00:00 2001
From: Tim Keller
Date: Fri, 18 Jul 2025 14:47:10 -0500
Subject: cleanup secrets
---
 modules/root/normaluser.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'modules/root/normaluser.nix')
diff --git a/modules/root/normaluser.nix b/modules/root/normaluser.nix
index ec266c4..50e9236 100644
--- a/modules/root/normaluser.nix
+++ b/modules/root/normaluser.nix
@@ -4,13 +4,20 @@
 };
 config = {
- users.users.root = lib.mkIf config.users.setPassword.enable {
- hashedPasswordFile = config.sops.secrets.hashed-root-password.path;
+ # Load hashed root password secret
+ sops.secrets.hashed-root-password = lib.mkIf config.users.setPassword.enable {
+ sopsFile = ./resources/secrets/hashed-root-password.yaml;
+ neededForUsers = true;
 };
+
+ # Set hashed password file if the setPassword option is enabled
+ users.users.root.hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
+
+ # Setup normal user
 users.users.${userDetails.username} = {
+ home = userDetails.home;
 description = userDetails.fullname;
 isNormalUser = true;
- hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
 extraGroups = [
 "i2c"
 "libvirtd"
@@ -18,6 +25,7 @@
 "video"
 "wheel"
 ];
+ hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-root-password.path;
 };
 };
 }
-- cgit v1.2.3
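Review bot: The new `sops.secrets.hashed-root-password` block gives `sopsFile` as a Nix path literal, so `./resources/secrets/hashed-root-password.yaml` is copied into the world-readable Nix store and the hash is protected only if that file is committed in sops-encrypted form. I would record that next to the declaration, e.g. `# Must stay sops-encrypted: this path is copied into the world-readable Nix store`. `neededForUsers = true` is the right setting for a `hashedPasswordFile` consumer, since the secret has to be decrypted before the accounts are created. Neither the YAML file nor a `.sops.yaml` rule covering it is part of this diff, so its encryption state cannot be confirmed from here.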
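Review bot: The re-added `hashedPasswordFile` in the normal-user set still reads `config.sops.secrets.hashed-root-password.path`, so root and a member of `wheel` share one password hash; whoever learns or cracks the user's password holds root's as well, and the two cannot be rotated independently. If that is not intended, point the user at its own secret, for example `hashedPasswordFile = lib.mkIf config.users.setPassword.enable config.sops.secrets.hashed-user-password.path;` (the name `hashed-user-password` is a placeholder and needs its own `sops.secrets` entry with `neededForUsers = true`). If the sharing is deliberate, a comment such as `# Intentionally reuses the root password hash` above the line would make that clear. The attribute set this line belongs to opens in the previous hunk.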