From 83c0090ab9d91858dee87403f03ee78a2489cd05 Mon Sep 17 00:00:00 2001
From: Emery Hemingway <ehmry@posteo.net>
Date: Sun, 26 Jan 2020 17:36:24 +0100
Subject: [PATCH] Ban root passwords from HQ

---
 lib/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/default.nix b/lib/default.nix
index 8086bb75..3bba64ef 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -32,6 +32,7 @@ let
 
   cfg = config.c3d2;
 
+
 in {
 
   imports = [ ./users ];
@@ -118,6 +119,9 @@ in {
     # Configuration specific to this machine
 
     assertions = [
+      { assertion = cfg.isInHq -> (config.users.users.root.password == null);
+        message = "Root passwords not allowed in HQ";
+      }
       {
         assertion = let
           check = hostName: hostName == config.networking.hostName;