cleanup

modules/nixos/user/default.nix

@@ -8,20 +8,27 @@
 with lib;
 let
   inherit (lib.${namespace}) mkOpt mkBoolOpt;
-  cfg = config.${namespace}.user // {
-    hashedPasswordFile = (
-      if
-        (
-          config.${namespace}.user.hashedPassword == null
-          && config.${namespace}.user.hashedPasswordFile == null
-          && config.${namespace}.user.password == null
-        )
-      then
-        defaultPasswordFile
-      else
-        config.${namespace}.user.hashedPasswordFile
-    );
-  };
+  cfg = config.${namespace}.user;
+
+  # Reference the sops-managed password file only when the secret has been
+  # declared somewhere in the configuration.  Checking the attrset with ?
+  # avoids forcing evaluation of the secret path on hosts that don't use sops.
+  sopsMattPassword =
+    let
+      secretName = cfg.sopsPasswordSecret;
+    in
+    if secretName != null && builtins.hasAttr secretName config.sops.secrets then
+      config.sops.secrets.${secretName}.path
+    else
+      null;
+
+  # Fall back to the sops-managed password file only when no explicit password
+  # method has been set by the caller.
+  resolvedPasswordFile =
+    if cfg.hashedPassword == null && cfg.hashedPasswordFile == null && cfg.password == null then
+      sopsMattPassword
+    else
+      cfg.hashedPasswordFile;
 
   # Common SSH keys used across systems
   commonSshKeys = [
@@ -39,7 +46,6 @@ let
     "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGdwsYDOkjd17rKdpjKN+3Yx1rRHT/Fiv2erc2JdE6ibHKBxLSEZ4kCOFCyGyc5ZO6Cmb09GfAe9FugkD4titns= cardno:33_720_987"
   ];
 
-  defaultPasswordFile = config.sops.secrets."matt_password".path;
 in
 {
   options.${namespace}.user = with types; {
@@ -73,7 +79,11 @@ in
 
     hashedPasswordFile = mkOpt (nullOr path) null "Path to the password file for this user account";
 
-    mutableUsers = mkBoolOpt false "Whether users are mutable (can be modified after creation).";
+    sopsPasswordSecret =
+      mkOpt (nullOr str) "matt_password"
+        "Name of the sops secret to use as the hashed password file when no explicit password method is set. Set to null to disable the sops fallback.";
+
+    mutableUsers = mkBoolOpt false "Whether users are mutable (can be modified after modification).";
   };
 
   config = {
@@ -94,8 +104,8 @@ in
             packages
             password
             hashedPassword
-            hashedPasswordFile
             ;
+          hashedPasswordFile = resolvedPasswordFile;
 
           extraGroups = [
             "wheel"
@@ -137,8 +147,8 @@ in
     assertions = [
       {
         assertion =
-          (cfg.password != null) || (cfg.hashedPassword != null) || (cfg.hashedPasswordFile != null);
-        message = "User '${cfg.name}' requires at least one password method (password, hashedPassword, or hashedPasswordFile).";
+          (cfg.password != null) || (cfg.hashedPassword != null) || (resolvedPasswordFile != null);
+        message = "User '${cfg.name}' requires at least one password method (password, hashedPassword, hashedPasswordFile, or a sops 'matt_password' secret).";
       }
       {
         assertion =
@@ -146,19 +156,11 @@ in
             passwordMethods = lib.count (x: x != null) [
               cfg.password
               cfg.hashedPassword
-              cfg.hashedPasswordFile
+              resolvedPasswordFile
             ];
           in
           passwordMethods <= 1;
-        message = "User '${cfg.name}' can only use one password method at a time. Found multiple: ${
-          lib.concatStringsSep ", " (
-            lib.filter (x: x != null) [
-              (if cfg.password != null then "password" else null)
-              (if cfg.hashedPassword != null then "hashedPassword" else null)
-              (if cfg.hashedPasswordFile != null then "hashedPasswordFile" else null)
-            ]
-          )
-        }";
+        message = "User '${cfg.name}' can only use one password method at a time.";
       }
     ];
   };