- shorter.
- congruent with `nixos-rebuild .` choosing what to build based on `hostname`.
- more widely used within other nix repos i've seen.
- more accurate in the case that i migrate a host to a different
machine (which i plan to do with servo).
this approach lets me persist the password. persisting /etc/shadow
directly wasn't so feasible. populating /etc/shadow at activation time
is something nix already does and is easy to plug into.
so we store the passwd hash in this repo, but encrypt it to the
destination machine's ssh pubkey to add enough entropy that it's not
brute-forceable through the public git repo.
