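{ config, lib, ... }:
# Lets the VM variants of this host (`nixos-rebuild build-vm` and
# `build-vm-with-bootloader`) replace passwords that on the real host come from
# `sops-nix` with a plain development password.  Nothing here touches the host
# configuration itself: both the options and the overrides live only under
# `virtualisation.vmVariant` and `virtualisation.vmVariantWithBootLoader`.
#
# Security note: `password` is clear text and ends up world-readable in the Nix
# store and in the VM image, and the boot-loader variant defaults it to
# "admin".  That is acceptable only because the result is a local test VM;
# never turn the override on for a configuration that is deployed anywhere.
{
  options =
    let
      vmVariantOptions = {
        users.sopsPasswordOverride = {
          enable = lib.mkEnableOption "sops password override" // {
            default = false;
            description = ''
              Replace, in this VM variant only, the passwords of all host users
              whose `hashedPasswordFile` points below `/run/secrets-for-users/`
              (i.e. users whose password is provided by `sops-nix`) with
              `password` / `hashedPassword` below.  At least one of the two
              must be set while this is enabled, otherwise the affected users
              would be left without any password source at all.
            '';
          };
          password = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            default = null;
            description = ''
              Clear-text password assigned to the `sops-nix` backed users in
              this VM variant.  It is stored world-readable in the Nix store,
              so use it for throw-away test VMs only.
            '';
          };
          hashedPassword = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            default = null;
            description = ''
              Hashed password (e.g. from `mkpasswd`) assigned to the `sops-nix`
              backed users in this VM variant.  Preferred over `password`
              because no clear text lands in the store.  In
              `vmVariantWithBootLoader` also set `password = null` to drop the
              "admin" default, since NixOS warns when both are set.
            '';
          };
        };
      };
    in
    {
      virtualisation = {
        vmVariant = vmVariantOptions;
        vmVariantWithBootLoader = vmVariantOptions;
      };
    };

  config = {
    virtualisation =
      let
        # Names of host users whose password comes from a sops-nix rendered
        # secret.  The host's `config.users.users` is inspected, not the VM
        # variant's, so that the variant's `users.users` is not defined in
        # terms of itself; users that exist only inside the variant are
        # therefore not matched.
        sopsBackedUsers = builtins.filter
          (name:
            let user = config.users.users.${name}; in
            user.hashedPasswordFile != null
            && lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile
          )
          (builtins.attrNames config.users.users);

        # `vmVariant` is the evaluated configuration of the variant being
        # extended; `overrideSops` asks for the override to be switched on by
        # default (with password "admin") for that variant.
        extendVMConfig = vmVariant: overrideSops:
          let
            inherit (vmVariant.users) sopsPasswordOverride;
          in
          {
            # `nixos-rebuild build-vm-with-bootloader` does not seem to play
            # along well with `sops-nix`, so the boot-loader variant enables the
            # override by default.  `mkDefault` keeps both values overridable.
            users.sopsPasswordOverride = lib.mkIf overrideSops {
              enable = lib.mkDefault true;
              password = lib.mkDefault "admin";
            };

            # Detach every matched user from the secret file (`mkVMOverride`
            # has a higher priority than the host's normal definition) and hand
            # them the configured replacement instead.
            users.users = lib.mkIf sopsPasswordOverride.enable (
              lib.genAttrs sopsBackedUsers (_: {
                hashedPasswordFile = lib.mkVMOverride null;
                hashedPassword = sopsPasswordOverride.hashedPassword;
                password = sopsPasswordOverride.password;
              })
            );

            # Fail evaluation instead of silently producing users that have no
            # password source at all once the secret file has been detached.
            assertions = lib.optional sopsPasswordOverride.enable {
              assertion =
                sopsPasswordOverride.password != null
                || sopsPasswordOverride.hashedPassword != null;
              message = ''
                users.sopsPasswordOverride is enabled for this VM variant but
                neither users.sopsPasswordOverride.password nor
                users.sopsPasswordOverride.hashedPassword is set.
              '';
            };
          };

        inherit (config.virtualisation) vmVariant vmVariantWithBootLoader;
      in
      {
        vmVariant = extendVMConfig vmVariant false;
        vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader true;
      };
  };
}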