Diffstat (limited to 'systems/cobalt/default.nix')
-rw-r--r-- | systems/cobalt/default.nix | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/systems/cobalt/default.nix b/systems/cobalt/default.nix
index 9dd0f63..4b2378b 100644
--- a/systems/cobalt/default.nix
+++ b/systems/cobalt/default.nix
@@ -18,6 +18,9 @@ let
   hostId = "712ae82a";
   hostAddr = "cobalt.exotic.sh";
+  sefidelKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  maintainerKeys = [ ] ++ sefidelKeys;
+  poorObfuscation = y: x: "${x}@${y}";
 in
 {
@@ -80,7 +83,7 @@ in
     ];
     # Public ssh key to log into the initrd ssh
-    authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+    authorizedKeys = maintainerKeys;
   };
   boot.initrd.network.postCommands = ''
     cat <<EOF > /root/.profile
@@ -110,8 +113,22 @@ in
   time.timeZone = "UTC";
-  users.users.root.initialHashedPassword = ""; # FIXME: use proper secret
-  users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILN14b5Fu+StHeMXq4ClyLG4G+/vCAfS7adxceEFria/ openpgp:0x1D5BCD11" ];
+  sops.secrets.root-password.neededForUsers = true;
+  sops.secrets.sefidel-password.neededForUsers = true;
+  users.users.root.passwordFile = config.sops.secrets.root-password.path;
+  users.users.root.openssh.authorizedKeys.keys = maintainerKeys;
+  users.users.sefidel = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    passwordFile = config.sops.secrets.sefidel-password.path;
+    openssh.authorizedKeys.keys = sefidelKeys;
+    extraGroups = [ "wheel" ];
+  };
+  programs.zsh.enable = true;
   services.openssh.enable = true;
   services.openssh.settings.PermitRootLogin = "prohibit-password";
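Review bot: `poorObfuscation` is introduced in the `let` block of the first hunk but nothing in this diff uses it, and its name does not say what it builds; if it is consumed later in the file (outside the hunks shown), a short comment at the definition would help, e.g. `# joins a local part and a domain into "local@domain"; kept out of literal form so the address is not grep-able in the repo`. The `[ ] ++ sefidelKeys` form for `maintainerKeys` is a no-op concatenation that reads as an intentional extension point; a comment such as `# append further maintainers' key lists here` would make that explicit rather than looking like leftover code. The rest of the hunks only relocate the existing key into these bindings, which is fine.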
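Review bot: In the third hunk, `users.users.root.passwordFile` and the `sefidel` `passwordFile` both point at sops-managed files, and that option expects the file to contain an already-hashed password (the same format `initialHashedPassword` took), not a plaintext one; if the sops secret holds a plaintext value, neither account will be able to log in, so a comment at the secret definitions would save the next maintainer a lockout, e.g. `# secret must hold a crypt(3)-style hash (mkpasswd output), not the plaintext password`. Newer NixOS releases rename this option to `hashedPasswordFile` and keep `passwordFile` as a deprecated alias; which one applies depends on the channel this flake tracks, which is not visible here. Separately, `sefidel` is a `wheel` member that now has a password, and `PermitRootLogin = "prohibit-password"` only restricts root; unless it is set elsewhere in the file, NixOS leaves sshd password authentication enabled, so the new user is reachable over SSH by password alone. Consider adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the existing `PermitRootLogin` line so that SSH stays key-only for every account while the password is still usable for console login and `sudo`.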