set the initial user password

.sops-secrets.yaml

@@ -1,4 +1,7 @@
 zipline: ENC[AES256_GCM,data:YQMdw1cJy9wFnJsX6fPWBXK0rPEnuJJwJysVh0vggcnySFjl5Dmolaqxhw==,iv:RKB+rNz76ZxqzmyATLcpHmaap1f6aWWm7smBTieMZ8M=,tag:GN967VhwqZwMA6uzshKBmQ==,type:str]
+users:
+    cswimr:
+        password: ENC[AES256_GCM,data:KPB3C8z1vBB6M6hcuLQyIzoID23v/syTui3eFfrVKwzDwL4X7BdYbnYfuJSXedce+KHmvZv+AE6w3PTD9c7CPpLUlUQmteAY6w==,iv:a393VckzNy+vRqb9vDr9QRBQe27bHOUJR3JwrHAP5g4=,tag:UDl+3dWV+GrJ7Wva3y9VsQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +26,8 @@ sops:
             b1JvNi9YODZPN1FObWpOVHN3aU85NFEK1dN5pV8g3nG3D2l482z1JCRzmJ/9m495
             YEobjXbEqQDhvA47ueWojoMjvQ3CgrPyiL6v+DLj7VfI5cyuo+89IQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-03T01:29:28Z"
-    mac: ENC[AES256_GCM,data:NzE6V3kb9hiA9WAs7GFK5GqFoOUP5U/EOskWq0qdCo6GMewkK8TqrY+lFgjkEhY39PobgVTICBT8MGhY9eiEINYdBl7DuQGb3cR/puV+iCPEgUemzVcmcGkd24ktzUO2DsWet1EFC84oOu50XzYfR9VqW3z7+7UbpzWuOxIdvAA=,iv:pxNCxKPevqg8QxsIfL6+2pEB5cUmKhmLhmdiO+nB/Ac=,tag:uFA84z0XjzNgp3NLBu8AfQ==,type:str]
+    lastmodified: "2024-12-03T02:52:14Z"
+    mac: ENC[AES256_GCM,data:ai0BsmImgvbL7KI+ioxUEq0XhiMAziIoDYenLCXjaEEtX9gcvdlmzhuI7k8/MGJjtdAzKxnPWHwQeG1B59ub4Vv+jTOts5ERizbIxscSMhTYogW1CUWzfkunf2y2gViwcCogt2Qzf+v/lN0vQFlkPqJAK6Sd0R/b+vjIyOXMxO0=,iv:vRssoy2PJ8CXehsNoj/QoNesG2sMHNXgBlYtmlfaDzU=,tag:xQ/IsI0Bdzyqydw1blDfCA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1

.sops.yaml

@@ -2,7 +2,7 @@
   - &cswimr age1q9f9zhkfjn2c3a8qtmfqh0rtls3542jukqpt7t93jca6hc947f3sm9ujhx
   - &eclipse age184ude6fyak8z4nnndq4nzcpe2d89zxf3r4paty7j2tenkwa6zgtqrz60lq
 creation_rules:
-  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: \.sops-secrets\.yaml$
     key_groups:
       - age:
         - *cswimr

nixos/configuration.nix

@@ -1,7 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{ pkgs, hostname, ... }:
+{ pkgs, config, hostname, ... }:
 {
   nix = {
     settings = {
@@ -95,6 +95,7 @@
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.cswimr = {
     isNormalUser = true;
+    hashedPasswordFile = config.sops.secrets."users/cswimr/password".path;
     description = "Seaswimmer";
     extraGroups = [
       "networkmanager"

nixos/sops.nix

@@ -1,13 +1,18 @@
 { user, ... }:
 {
   sops = {
-    defaultSopsFile = ../secrets/secrets.yaml;
+    defaultSopsFile = ../.sops-secrets.yaml;
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
     secrets = {
       "zipline" = {
         owner = user;
         path = "/home/${user}/.secrets/zipline";
       };
+      "users/cswimr/password" = {
+        neededForUsers = true;
+        owner = user;
+        path = "/home/${user}/.secrets/password";
+      };
     };
   };
 }