use agenix

machines/173-249-5-230/configuration.nix

@@ -1,4 +1,9 @@
-{machine, ...}: {
+{
+  config,
+  machine,
+  ...
+}: {
+  age.secrets.secret1.file = ../../secrets/secret1.age;
   boot.tmp.cleanOnBoot = true;
   boot.loader.grub.devices = ["nodev"];
   environment.persistence."/nix/persist" = {
@@ -66,7 +71,7 @@
   users.users."mtgmonkey" = {
     isNormalUser = true;
     description = "mtgmonkey";
-    initialPassword = "password";
+    passwordFile = builtins.toString config.age.secrets.secret1.path;
     extraGroups = ["wheel"];
     openssh.authorizedKeys.keys = machine.pub-keys.ssh;
   };