made nix-secrets input comment-out-able.

configs/nixos/common.nix

@@ -4,7 +4,10 @@
   inputs,
   lib,
   ...
-}: {
+}: let
+  # hash for "nixos"
+  defaultPasswordHash = "$y$j9T$u0O3PELyRv3GOemCReQhA0$Qb4Sl6dXnafYwZeDYrJGwS4xp3v6vGriWFMYomHH2w3";
+in {
   nix = {
     package = pkgs.nixFlakes;
     extraOptions = ''
@@ -40,15 +43,22 @@
 
   programs.zsh.enable = lib.mkDefault true;
   environment.shells = lib.mkDefault [pkgs.zsh];
-  users.mutableUsers = false;
+  # if we arent setting our password from nix secrets, we need to allow changing it.
+  users.mutableUsers = !inputs ? nix-secrets;
   users.users.${config.host.user} = {
     isNormalUser = true;
-    hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+    hashedPassword =
+      if inputs ? nix-secrets
+      then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+      else defaultPasswordHash;
     description = config.host.fullName;
     shell = pkgs.zsh;
     extraGroups = ["wheel"];
   };
-  # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
+  users.users.root.password =
+    if inputs ? nix-secrets
+    then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
+    else defaultPasswordHash;
 
   imports = [
     ../../modules/hostopts.nix