feat: impermanence

modules/nixos/user-group.nix

@@ -3,15 +3,19 @@
 {
   nix.settings.trusted-users = [username];
 
+  # Don't allow mutation of users outside the config.
+  users.mutableUsers = false;
+
   users.groups = {
     "${username}" = {};
     docker = {};
     wireshark = {};
   };
-  # Define a user account. Don't forget to set a password with ‘passwd’.
+
   users.users."${username}" = {
-    # the hashed password with salt is generated by run `mkpasswd`.
-    hashedPassword = "$y$j9T$YQu5vhlnogjDFDWp9QkPh0$Eu85OiwllqvLg5fzRVMLVHNO7InA3ro8grTJJIepyH1";
+    # generated by `mkpasswd -m scrypt`
+    # we have to use initialHashedPassword here, if your'are using tmpfs for /
+    initialHashedPassword = "$7$CU..../....Sdl/JRH..9eIvZ6mE/52r.$xeR6lyvTcVVKt28Owcoc/vPOOECcYSiq1xjw/QCz2t0";
     home = "/home/${username}";
     isNormalUser = true;
     description = username;
@@ -28,9 +32,9 @@
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7PTkP3ixXTZlrJNSHnXgkmHNT+QslFi9wNYXOpVwGB ryan@harmonica"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3F3AH/vKnA2vxl72h67fcxhIK8l+7F/bdE1zmtwTVU ryan@romantic"
     ];
   };
+  users.users.root.initialHashedPassword = "$7$CU..../....X6uvZYnFD.i1CqqFFNl4./$4vgqzIPyw5XBr0aCDFbY/UIRRJr7h5SMGoQ/ZvX3FP2";
 
   # DO NOT promote the specified user to input password for `nix-store` and `nix-copy-closure`
   security.sudo.extraRules = [