1 files changed, 6 insertions, 1 deletions

diff --git a/configuration.nix b/configuration.nix
index 78a98a1..8416a4d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -31,13 +31,14 @@
     isNormalUser = true;
     extraGroups = [ "wheel" "wireshark" ];
     shell = pkgs.fish;
-    hashedPassword = "REDACTED";
+    hashedPasswordFile = config.age.secrets."password-hash.txt".path;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPC69ml72mqbn7L3QkpsCJuWdrKFYFNd0MaS5xERbuSF"
       "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdUe7mxGdV/Q37RKndPzDHisFb7q/xm+L97jcGluSDOA8MGt/+wTxpyGxfyEqaMvwV2bakaMVHTB3711dDu5kE="
       "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLZ6OVyjTvWx9gvS+/DvkQW5VvLBbykq/0AV5mYDLADDtIOaDVscQ3lGOcUsga1ODNSl14MSV63bE8VtHfG1HOc="
     ];
   };
+  age.secrets."password-hash.txt".file = ./secrets/password-hash.txt.age;
 
   programs.fish.enable = true;
 
@@ -46,8 +47,12 @@
     curl
     git
     (ffmpeg.override { withVpl = true; })
+    (inputs.agenix.packages.${pkgs.system}.agenix)
+    age-plugin-yubikey
   ];
 
+  age.identityPaths = [ "/nix/persist/etc/ssh/ssh_host_ed25519_key" ];
+
   services.openssh.enable = true;
   services.openssh.settings = {
     PasswordAuthentication = false;