{ config, lib, ... }: { options.users.root.hashedPassword = lib.mkOption { type = lib.types.nullOr (lib.types.strMatching "[^\n:]*"); default = null; description = '' Hashed password of the user. This should be either a disabled password (e.g. `*` or `!`) or use MD5, SHA256, or SHA512. ''; }; config = { deploySteps.rootPassword = lib.mkIf (config.users.root.hashedPassword != null) { priority = 5000; apply = '' ( umask 0077 touch /tmp/.shadow while IFS=: read name pw rest; do if [ "$name" = root ]; then echo "$name:"${lib.escapeShellArg config.users.root.hashedPassword}":$rest" else echo "$name:$pw:$rest" fi done >/tmp/.shadow mv /tmp/.shadow /etc/shadow ) ''; }; }; }