From dd3d09bb670d17a5d697a89f937356bbe2e6e244 Mon Sep 17 00:00:00 2001
From: Donovan Glover
Date: Sat, 6 Apr 2024 08:11:58 -0400
Subject: [PATCH] system: Add option to specify hashedPassword

It may be useful to add hashedPasswordFile in the future, although from my testing it was possible to rebuild a VM that used a cached derivation with the old password. Ideally your main form of authentication is through LUKS encryption or SSH keys anyway, and this password should solely be used for sudo purposes.
---
 modules/system.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/system.nix b/modules/system.nix
index 45e750fb..a19d435c 100644
--- a/modules/system.nix
+++ b/modules/system.nix
@@ -1,10 +1,10 @@
 { nix-config, pkgs, lib, config, ... }:
 let
- inherit (lib) mkOption mkEnableOption;
- inherit (lib.types) str listOf;
+ inherit (lib) mkOption mkEnableOption mkIf;
+ inherit (lib.types) nullOr str listOf;
 inherit (pkgs.nixVersions) nix_2_19;
- inherit (cfg) username iHaveLotsOfRam;
+ inherit (cfg) username iHaveLotsOfRam hashedPassword;
 inherit (builtins) attrValues;
 cfg = config.modules.system;
@@ -20,6 +20,11 @@ in
 default = "user";
 };
+ hashedPassword = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+
 timeZone = mkOption {
 type = str;
 default = "America/New_York";
@@ -98,9 +103,11 @@ in
 mutableUsers = false;
 users.${username} = {
+ inherit hashedPassword;
+
 isNormalUser = true;
 uid = 1000;
- password = username;
+ password = mkIf (hashedPassword == null) username;
 extraGroups = [ "wheel" "networkmanager" ];
 };
 };
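Review bot: The `hashedPassword` option added in the second hunk has no `description`, so nothing tells a user what format is expected or that the value is copied into the world-readable Nix store, where any local account can read the hash and try to crack it offline. I would add `description = "Hashed password for the main user, e.g. from mkpasswd. The hash is stored in the world-readable Nix store.";` inside the `mkOption`. The surrounding options block starts and ends outside this hunk.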
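Review bot: When `hashedPassword` stays at its default `null`, `password = mkIf (hashedPassword == null) username;` in the third hunk still sets the password to the username, on an account the same block puts in `wheel`, so the out-of-the-box configuration keeps a guessable sudo credential. Since that fallback is the default path, a build-time notice would help, for example `warnings = lib.optional (hashedPassword == null) "modules.system.hashedPassword is unset; the password defaults to the username.";` at the module's `config` level. That attribute set lies outside this hunk, so the exact placement needs checking against the full file.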