password hash is now plain file in private repo.

configs/nixos/common.nix

@@ -40,12 +40,15 @@
 
   programs.zsh.enable = lib.mkDefault true;
   environment.shells = lib.mkDefault [pkgs.zsh];
+  users.mutableUsers = false;
   users.users.${config.host.user} = {
     isNormalUser = true;
+    hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
     description = config.host.fullName;
     shell = pkgs.zsh;
     extraGroups = ["wheel"];
   };
+  # users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash");
 
   imports = [
     ../../modules/hostopts.nix

configs/nixos/secrets.nix

@@ -11,7 +11,6 @@ in {
     inputs.sops-nix.nixosModules.sops
   ];
   sops = {
-    defaultSopsFile = "${secretsDirectory}/common.yaml";
     validateSopsFiles = false;
     age = {
       sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];