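# NixOS module: let a VM variant (`nixos-rebuild build-vm` /
# `build-vm-with-bootloader`) replace sops-nix managed user passwords with a
# throwaway credential.
#
# Users whose `hashedPasswordFile` points into `/run/secrets-for-users/` (where
# sops-nix places secrets flagged `neededForUsers`) normally cannot log in to a
# VM variant, because the secret file is typically not available inside the VM.
# When `users.sopsPasswordOverride.enable` is set on the VM variant, every such
# user gets `hashedPasswordFile` cleared at `mkVMOverride` priority and the
# configured `password` / `hashedPassword` instead.
#
# Security notes (reviewer):
# - The options are declared only under `virtualisation.vmVariant` and
#   `virtualisation.vmVariantWithBootLoader`, so the override cannot be set on
#   the host configuration; the host's secrets-backed passwords are untouched.
# - Whatever is put in `password` or `hashedPassword` ends up in the
#   world-readable Nix store of the VM image (`password` is cleartext and also
#   triggers NixOS's own cleartext-password warning). Use a dedicated
#   throwaway credential, never a real one, and treat images built this way
#   as containing test credentials.
# - The rewritten user set is taken from the *host* `config.users.users`; a
#   user defined only inside the VM variant is not matched. This module is
#   itself part of the VM variant's module list, where the nested
#   `virtualisation.vmVariant` is left at its (disabled) default — presumably
#   a harmless no-op there; verify if you nest variants.
{ config, lib, ... }:
let
  # Prefix sops-nix uses for secrets needed at user-creation time. Adjust if
  # your sops-nix setup relocates them.
  secretsForUsersPrefix = "/run/secrets-for-users/";

  # Option declarations shared by both VM variants.
  vmVariantOptions = {
    users.sopsPasswordOverride = {
      # `mkEnableOption` already defaults to false.
      enable = lib.mkEnableOption "sops password override";
      password = lib.mkOption {
        type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
        default = null;
        description = ''
          Cleartext password assigned, inside this VM variant only, to every
          user whose `hashedPasswordFile` lives under
          `${secretsForUsersPrefix}`. It is stored in the Nix store of the VM
          image; prefer `hashedPassword` and use a throwaway value.
        '';
      };
      hashedPassword = lib.mkOption {
        type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
        default = null;
        description = ''
          Password hash (e.g. from `mkpasswd`) assigned, inside this VM
          variant only, to every user whose `hashedPasswordFile` lives under
          `${secretsForUsersPrefix}`. Still ends up in the Nix store of the VM
          image, so use a throwaway credential.
        '';
      };
    };
  };

  # True for a host user whose password hash is read from a secrets-for-users
  # file. `hashedPasswordFile` is `nullOr str`, so the null guard comes first.
  usesSopsPassword = _name: user:
    user.hashedPasswordFile != null
    && lib.strings.hasPrefix secretsForUsersPrefix user.hashedPasswordFile;

  # Build the extra configuration for one VM variant from that variant's
  # evaluated `users.sopsPasswordOverride` settings.
  extendVMConfig = vmVariant:
    let
      override = vmVariant.users.sopsPasswordOverride;
      affectedUsers = lib.filterAttrs usesSopsPassword config.users.users;
      noCredential = override.password == null && override.hashedPassword == null;
    in
    {
      users.users = lib.mkIf override.enable (
        lib.mapAttrs (_name: _user: {
          # `mkVMOverride` (priority 10) beats ordinary and `mkForce` host
          # definitions, so the VM no longer references the missing secret.
          hashedPasswordFile = lib.mkVMOverride null;
          inherit (override) hashedPassword password;
        }) affectedUsers
      );

      # Enabling the override without supplying any credential leaves the
      # affected users with no password at all, which is almost certainly a
      # mistake; say so instead of silently locking them out.
      warnings = lib.optional (override.enable && noCredential && affectedUsers != { }) (
        "users.sopsPasswordOverride is enabled but neither `password` nor "
        + "`hashedPassword` is set; the following users will have no password "
        + "in the VM: ${lib.concatStringsSep ", " (lib.attrNames affectedUsers)}"
      );
    };
in
{
  options.virtualisation = {
    vmVariant = vmVariantOptions;
    vmVariantWithBootLoader = vmVariantOptions;
  };

  # Reading `config.virtualisation.vmVariant` while defining it is fine because
  # the module system only forces the override sub-options, which do not
  # depend on the `users.users` / `warnings` definitions added here.
  config.virtualisation = {
    vmVariant = extendVMConfig config.virtualisation.vmVariant;
    vmVariantWithBootLoader = extendVMConfig config.virtualisation.vmVariantWithBootLoader;
  };
}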