# "secret" consumer
#
# Adds a `passwordSecret` option to every `users.users.<name>` entry, typed as
# the consumer side of the secret contract (`config.contracts.secret.consumer`),
# and wires the root user's password file to the path the secret provider
# exposes.
{ config, lib, ... }:
let
  inherit (lib) mkIf mkOption types;

  # The root user's secret request, or null when none was declared.
  rootSecret = config.users.users.root.passwordSecret;
  hasRootSecret = rootSecret != null;
in
{
  options.users.users = mkOption {
    type = types.attrsOf (types.submodule {
      options.passwordSecret = mkOption {
        type = types.nullOr config.contracts.secret.consumer;
      };
    });
  };

  # TODO other users than root
  config.users.users.root = {
    # NixOS reads this file as a password *hash*, so the provider must store a
    # hash at `output.path`, never the plaintext password.
    # NOTE(review): recent NixOS releases name this option `hashedPasswordFile`;
    # confirm which nixpkgs version this module targets.
    passwordFile = mkIf hasRootSecret rootSecret.output.path;

    # Ask the provider for a file that only root can read (owner-read, no
    # group/other bits). Whether these values are enforced depends on the
    # provider implementation, which is not visible here.
    # NOTE(review): this assignment is itself a non-null definition of
    # `passwordSecret`, so `hasRootSecret` may never evaluate to false -
    # verify against the `nullOr` merge behaviour.
    passwordSecret.input = mkIf hasRootSecret {
      owner = "root";
      group = "root";
      mode = "0400";
    };
  };
}