Gave local passwordless sudo, rerolled and encrypted the authorized key.

2025-05-30 16:05:00 +02:00 · 2025-05-30 16:05:00 +02:00 · 4b7c62d00b
commit 4b7c62d00b
parent cfc276184f
2 changed files with 12 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -161,11 +161,11 @@
    },
    "secrets": {
      "locked": {
-        "lastModified": 1748608922,
-        "narHash": "sha256-Eo1QI58Y7Nmtj+tmJbT4Kaqfevf3hUHqQmcK2kFVMHY=",
+        "lastModified": 1748613807,
+        "narHash": "sha256-awE+2QvMkGP4OOPGniFMldvYnLYj60n4izgEJXcJUv0=",
        "ref": "refs/heads/main",
-        "rev": "b0dfdffee460c150a2d6fc54f4f10900be96140e",
-        "revCount": 5,
+        "rev": "d120fcc272429517649402cf2ccefb9334f50535",
+        "revCount": 7,
        "type": "git",
        "url": "ssh://gitea@git.bulthuis.dev/Jan/nixos-secrets"
      },
--- a/profiles/nixos/vm.nix
+++ b/profiles/nixos/vm.nix
@ -34,12 +34,17 @@ in

    # Local user
    services.getty.autologinUser = "local";
+    security.sudo.extraRules = [
+      {
+        users = [ "local" ];
+        options = [ "NOPASSWD" ];
+      }
+    ];
    users.mutableUsers = false;
    users.users.local = {
-      hashedPassword = "$y$j9T$f/uFTdcVyFUPJLn4VhRTx.$c9e2QPXYGKFNt3lUf8QD3KLJi4AKgPldfQTvc0WCe..";
      extraGroups = [ "wheel" ];
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKxoQSxfYqf9ITN8Fhckk8WbY4dwtBAXOhC9jxihJvq Laptop"
+      openssh.authorizedKeys.keyFiles = [
+        config.sops.secrets."ssh-keys/admin-pub".path
      ];
    };