From link 1:
In a standard image you need to activate ssh and add key for root. That is the minimum for nixops to work, since it needs to root access via ssh.
users.users.root.openssh.authorizedKeys.keys = [ <yourkey> ]; services.openssh.enable = true;
See more at NixOS images on Azure discourse thread. (It’s archived, just in case.)
NOTE/TODO: nixops also creates images for various environments, so look at the image declarations, az they probably hold the bare minimum if nothing is added.
So many questions:
How to deploy machines (e.g., personal laptop) with data partition encryption?
My guess is that the partitions and encryption will have to be set up when NixOS is installed on that machine, and then specify it in the NixOps configs. Search for “luks” and then for “ita” in this repo.
 The problem is state. This hypothes.is article explains orphans, and it seems that when I made the annotation, I was logged in to github, so the checksum of the HTML elements in the highlighted text (or whatever they use to anchor) differs when opened in a browser where I’m not logged in.
 How to start contributing to the NixOps repo? There’s this discourse thread but it barely scratches the surface. Source is king, I guess.