Gave local passwordless sudo, rerolled and encrypted the authorized key.

flake.lock

@@ -161,11 +161,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1748608922,
+        "lastModified": 1748613807,
-        "narHash": "sha256-Eo1QI58Y7Nmtj+tmJbT4Kaqfevf3hUHqQmcK2kFVMHY=",
+        "narHash": "sha256-awE+2QvMkGP4OOPGniFMldvYnLYj60n4izgEJXcJUv0=",
         "ref": "refs/heads/main",
-        "rev": "b0dfdffee460c150a2d6fc54f4f10900be96140e",
+        "rev": "d120fcc272429517649402cf2ccefb9334f50535",
-        "revCount": 5,
+        "revCount": 7,
         "type": "git",
         "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
       },

profiles/nixos/vm.nix

@@ -34,12 +34,17 @@ in
 
     # Local user
     services.getty.autologinUser = "local";
+    security.sudo.extraRules = [
+      {
+        users = [ "local" ];
+        options = [ "NOPASSWD" ];
+      }
+    ];
     users.mutableUsers = false;
     users.users.local = {
-      hashedPassword = "$y$j9T$f/uFTdcVyFUPJLn4VhRTx.$c9e2QPXYGKFNt3lUf8QD3KLJi4AKgPldfQTvc0WCe..";
       extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keyFiles = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Laptop"
+        config.sops.secrets."ssh-keys/admin-pub".path
       ];
     };