
# NixOS module: lets the `virtualisation.vmVariant` / `virtualisation.vmVariantWithBootLoader`
# builds replace password hashes that the base config reads from a secrets file with an
# explicitly configured password, so that a test VM can be logged into without those
# secrets being present. Only users whose `hashedPasswordFile` points below
# `/run/secrets-for-users/` are affected (see the filter in `config` below).
{ config, lib, ... }: {
  options =
    let
      # Option set attached to both VM variants (see `virtualisation` below).
      vmVariantOptions = {
        users.sopsPasswordOverride = {
          # Off unless a variant (or the user) turns it on; `vmVariantWithBootLoader`
          # switches it on by default in `config` below.
          enable = lib.mkEnableOption "sops password override" // {
            default = false;
            description = "Enable overwriting `sops-nix` passwords with default password.";
          };
          # Plaintext password written to `users.users.<name>.password` of matched users.
          password = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            description = "The password to set for users which are supposed to use `sops-nix`.";
            default = null;
          };
          # Pre-hashed password written to `users.users.<name>.hashedPassword` of matched users.
          hashedPassword = lib.mkOption {
            type = lib.types.nullOr (lib.types.passwdEntry lib.types.str);
            description = "The hashed password to set for users which are supposed to use `sops-nix`.";
            default = null;
          };
        };
      };
    in {
      virtualisation = {
        vmVariant = vmVariantOptions;
        vmVariantWithBootLoader = vmVariantOptions;
      };
    };
  config = {
    virtualisation =
      let
        # Extend one VM variant's config.
        #   vmVariant    - the variant's current config (taken from `config.virtualisation` below)
        #   overrideSops - whether the override is switched on, with a default password, for this variant
        extendVMConfig =
          vmVariant: overrideSops: {
            # Override passwords backed by `sops-nix` as `nixos-rebuild build-vm-with-bootloader`
            # does not seem to play along well with `sops-nix`
            #
            # Both values are `mkDefault`, so a variant can still set its own `password` /
            # `hashedPassword`. NOTE(review): `password` stays "admin" even when a caller sets
            # only `hashedPassword`, unless the caller also sets `password = null`.
            users.sopsPasswordOverride = lib.mkIf overrideSops {
              enable = lib.mkDefault overrideSops; # always true inside this `mkIf`
              password = lib.mkDefault "admin"; # well-known default value; every matched account accepts it in the VM
            };
            # For every user of the *outer* (non-VM) config whose hash comes from a file under
            # `/run/secrets-for-users/`, drop the file reference in the VM and use the override
            # values instead. `mkVMOverride` gives these definitions priority over the base ones.
            # The override values themselves are read from the variant's own option set.
            users.users =
              with { inherit (vmVariant.users) sopsPasswordOverride; };
              (lib.mkIf
                sopsPasswordOverride.enable
                (
                  builtins.listToAttrs (
                    builtins.map (
                      name: {
                        inherit name;
                        value = {
                          hashedPasswordFile = lib.mkVMOverride null;
                          hashedPassword = lib.mkVMOverride sopsPasswordOverride.hashedPassword;
                          password = lib.mkVMOverride sopsPasswordOverride.password;
                        };
                      })
                    # Only users whose hash file lives under the secrets path are touched; users
                    # with a literal `hashedPassword`/`password`, or none at all, are left as is.
                    # NOTE(review): `/run/secrets-for-users/` is presumably the `sops-nix` location
                    # for user secrets — confirm against the sops-nix configuration in use.
                    (builtins.filter
                      (
                        name:
                        let
                          user = config.users.users.${name};
                        in
                        (
                          (user.hashedPasswordFile != null) &&
                          (lib.strings.hasPrefix "/run/secrets-for-users/" user.hashedPasswordFile)
                        ))
                      (builtins.attrNames config.users.users)))));
          };
        inherit (config.virtualisation)
          vmVariant
          vmVariantWithBootLoader
          ;
      in {
        # Plain `build-vm`: override stays off unless enabled through the option.
        vmVariant = extendVMConfig vmVariant false;
        # `build-vm-with-bootloader`: override on by default.
        vmVariantWithBootLoader = extendVMConfig vmVariantWithBootLoader true;
      };
  };
}