From 4008fde19833fb825a11f59879a07927998f52ca Mon Sep 17 00:00:00 2001
From: Jelle Spreeuwenberg <mail@jelles.net>
Date: Tue, 21 Apr 2026 01:37:03 +0200
Subject: [PATCH] fix: disable password login on servers

---
 modules/users.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/users.nix b/modules/users.nix
index c99fb79..83bc3ad 100644
--- a/modules/users.nix
+++ b/modules/users.nix
@@ -24,6 +24,10 @@ let
     { accountName }:
     {
       config,
+      host ? {
+        isServer = false;
+      },
+      lib,
       pkgs,
       ...
     }:
@@ -31,20 +35,24 @@ let
       account = accounts.${accountName};
     in
     {
-      sops.secrets."hashed-password-${accountName}".neededForUsers = true;
+      sops.secrets = lib.optionalAttrs (!host.isServer) {
+        "hashed-password-${accountName}".neededForUsers = true;
+      };
 
       programs.zsh.enable = true;
 
       users.users.${accountName} = {
         name = accountName;
         home = account.homeDirectory;
-        hashedPasswordFile = config.sops.secrets."hashed-password-${accountName}".path;
         isNormalUser = true;
         shell = pkgs.zsh;
         extraGroups = [
           "wheel"
           "networkmanager"
         ];
+      }
+      // lib.optionalAttrs (!host.isServer) {
+        hashedPasswordFile = config.sops.secrets."hashed-password-${accountName}".path;
       };
 
       home-manager.users.${accountName} = {