Apply @kevin's recommendations

- Remove `root`'s password; SSH password authentication is already
  removed for all users.
- Enable password-less sudo for `wheel` group.
- Add a note about removing `root` SSH connection altogether.
- Add `niols` user with sudo capabilities.

infra/common/users.nix

@@ -10,6 +10,14 @@
       ];
     };
 
+    niols = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
+      ];
+    };
+
     valentin = {
       isNormalUser = true;
       extraGroups = [ "wheel" ];
@@ -17,13 +25,14 @@
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOJzgwAYAoMexc1fBJxU08YmsiU9T4Ua8QFeE4/kZNZ5"
       ];
     };
-
-    root = {
-      hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
-      ];
-    };
   };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  ## FIXME: Remove direct root authentication once NixOps4 supports users with
+  ## password-less sudo.
+  users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
+  ];
 }

infra/vm02187/configuration.nix

@@ -101,8 +101,6 @@
     wget
   ];
 
-  security.sudo.wheelNeedsPassword = false;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave