169 lines
7.3 KiB
Nix
169 lines
7.3 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
namespace,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
inherit (lib.${namespace}) mkOpt mkBoolOpt;
|
|
cfg = config.${namespace}.user;
|
|
|
|
# Reference the sops-managed password file only when the secret has been
|
|
# declared somewhere in the configuration. Checking the attrset with ?
|
|
# avoids forcing evaluation of the secret path on hosts that don't use sops.
|
|
sopsMattPassword =
|
|
let
|
|
secretName = cfg.sopsPasswordSecret;
|
|
in
|
|
if secretName != null && builtins.hasAttr secretName config.sops.secrets then
|
|
config.sops.secrets.${secretName}.path
|
|
else
|
|
null;
|
|
|
|
# Fall back to the sops-managed password file only when no explicit password
|
|
# method has been set by the caller.
|
|
resolvedPasswordFile =
|
|
if cfg.hashedPassword == null && cfg.hashedPasswordFile == null && cfg.password == null then
|
|
sopsMattPassword
|
|
else
|
|
cfg.hashedPasswordFile;
|
|
|
|
# Common SSH keys used across systems
|
|
commonSshKeys = [
|
|
# MacBook
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
|
|
# MacBook NixOS
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOhX3ds1QBC5qqqtPJDZgyGr8gfGjCGnGCiIhWZNNi4 matt@macbook-pro-nixos"
|
|
# Desktop Windows
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
|
|
# Desktop NixOS
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSbGJHZKrraJYwF4hehqmSd/cFOPyLUuWUECEA7qH2Rv5zrL50Pey3o1L0pKlypxjrrNgkCsn53lP6jgF7GHDo0TICsE1jgVAUKhVL+h6+o/8A509ZVb/ZhItZmbc7mtif59FTF+RiIS11f6RFNdKy6XoosdIXPhxHRqKb40GoVdEmgqSqb77nePQPZQiBhosI0KmJ8UsCn+z6lLAX+hQ9CT7rQDuW18MbAYcc2DI4aug35npngys4m3RMA2IlzF5SRMxmPLpN8HHXkLlliDGjvFHxJbAAlkDvjFETrPjgKQqKcVOhEP42Qg/ywcGfqKQTig2r13AgJE2NSON7VtHu554RiQ+Ob52aN7PvxzsEWwXO01ot7PHB1nnKeFGkRAGQfm6nAZ/So0JOraWL35MKmBmlbIXR3uT8WMJrbCq1YYJ88PbAE8l1LOJSshHRcXFgnrllywO5+6S7cLpKKXu9L4xTisJMbGlq3yVSTfXiysXRa+tfgQy6GdSIyEeQHJs= matt@matt-nixos"
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
|
|
# Yubikey
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuzZfywCSde/3J1zRWH0s7OMEhHIwZeNWdKHUxMAYE/5hzFRtl5LYuNU68zxj7Aj67VF8VGwBbMEU6X/ebiNAxahmjf4mtioby5b4TIy+0Xvdbayoch938bP7UhskzobaJF6epg3vyATnJGr6i0EOXiDSkJU8vL1oeue0HN7WmwzIqxw0BTaSh6HJvjhhFhs20dBHc2x9behIfSmKFe9gBlPcIriUtpXNgasm14QCMk537dlSgGUFxPGIzZRAUSn5wqFjbiNK0rP/1MJzhGtXhHFJ8irI4TiVEk3cOm5nMoJxTP4KScfmHU+niU1Al+d0KOBsHb71AWutazRudKvsqrPsbG6vT4gGMVjOCTN9e89jcapz5GEQsVQR6s1HUjh4G+2PFbHOFmR8Mks+TIumqHIWsXgQnFBadblDRGPwrSH3zulvRzghyfTyU/bX28iGvpli2ckso5nJmG8D1LO7Y/E8U8ZGW4hC75+iP90cu9G1Ff1hETkrv6xpbNTGL61U= cardno:33_720_987"
|
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGdwsYDOkjd17rKdpjKN+3Yx1rRHT/Fiv2erc2JdE6ibHKBxLSEZ4kCOFCyGyc5ZO6Cmb09GfAe9FugkD4titns= cardno:33_720_987"
|
|
];
|
|
|
|
in
|
|
{
|
|
options.${namespace}.user = with types; {
|
|
email = mkOpt str "jalle008@proton.me" "The email of the user.";
|
|
|
|
extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";
|
|
|
|
extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";
|
|
|
|
fullName = mkOpt str "Matt Jallen" "The full name of the user.";
|
|
|
|
name = mkOpt str "matt" "The name to use for the user account.";
|
|
|
|
sshKeys = mkOpt (listOf str) [ ] "List of SSH public keys for the user.";
|
|
|
|
enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems.";
|
|
|
|
uid = mkOpt int 1000 "The user ID for the user account.";
|
|
|
|
group = mkOpt str "wheel" "Group of the user";
|
|
|
|
gid = mkOpt int 1000 "gid of the group";
|
|
|
|
packages = mkOpt (listOf package) [ ] "List of packages to install for this user.";
|
|
|
|
linger = mkBoolOpt false "Whether to enable systemd user service persistence.";
|
|
|
|
password = mkOpt (nullOr str) null "Plain text password for the user (development only).";
|
|
|
|
hashedPassword = mkOpt (nullOr str) null "Hashed password for the user.";
|
|
|
|
hashedPasswordFile = mkOpt (nullOr path) null "Path to the password file for this user account";
|
|
|
|
sopsPasswordSecret =
|
|
mkOpt (nullOr str) "matt_password"
|
|
"Name of the sops secret to use as the hashed password file when no explicit password method is set. Set to null to disable the sops fallback.";
|
|
|
|
mutableUsers = mkBoolOpt false "Whether users are mutable (can be modified after modification).";
|
|
};
|
|
|
|
config = {
|
|
users = {
|
|
inherit (cfg) mutableUsers;
|
|
groups.${cfg.group}.gid = lib.mkForce (if cfg.group != "wheel" then cfg.gid else 1);
|
|
users = {
|
|
root = {
|
|
isSystemUser = true;
|
|
isNormalUser = false;
|
|
shell = lib.mkForce pkgs.zsh;
|
|
};
|
|
${cfg.name} = {
|
|
inherit (cfg)
|
|
name
|
|
group
|
|
uid
|
|
linger
|
|
packages
|
|
password
|
|
hashedPassword
|
|
;
|
|
hashedPasswordFile = resolvedPasswordFile;
|
|
|
|
extraGroups = [
|
|
"wheel"
|
|
"keys"
|
|
"networkmanager"
|
|
"ratbagd"
|
|
"scanner"
|
|
"systemd-journal"
|
|
"mpd"
|
|
"audio"
|
|
"video"
|
|
"input"
|
|
"plugdev"
|
|
"lp"
|
|
"tss"
|
|
"power"
|
|
"nix"
|
|
"i2c"
|
|
"media"
|
|
"nscd"
|
|
"avahi"
|
|
"podman"
|
|
"libvirtd"
|
|
"fuse"
|
|
]
|
|
++ cfg.extraGroups;
|
|
|
|
home = "/home/${cfg.name}";
|
|
isNormalUser = true;
|
|
shell = lib.mkForce pkgs.zsh;
|
|
description = cfg.fullName;
|
|
|
|
# SSH keys - combine user-specific and common keys
|
|
openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);
|
|
}
|
|
// cfg.extraOptions;
|
|
};
|
|
};
|
|
assertions = [
|
|
{
|
|
assertion =
|
|
(cfg.password != null) || (cfg.hashedPassword != null) || (resolvedPasswordFile != null);
|
|
message = "User '${cfg.name}' requires at least one password method (password, hashedPassword, hashedPasswordFile, or a sops 'matt_password' secret).";
|
|
}
|
|
{
|
|
assertion =
|
|
let
|
|
passwordMethods = lib.count (x: x != null) [
|
|
cfg.password
|
|
cfg.hashedPassword
|
|
resolvedPasswordFile
|
|
];
|
|
in
|
|
passwordMethods <= 1;
|
|
message = "User '${cfg.name}' can only use one password method at a time.";
|
|
}
|
|
];
|
|
};
|
|
}
|