xin/users/default.nix


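{ config
, lib
, pkgs
, ...
}:
with lib;
let
  # Settings shared by every user this module declares: zsh as the login
  # shell and the hardware + management public keys from myconf as the
  # authorized SSH keys.
  userBase = {
    shell = pkgs.zsh;
    openssh.authorizedKeys.keys =
      config.myconf.hwPubKeys
      ++ config.myconf.managementPubKeys;
  };
in
{
  options = {
    defaultUsers = {
      enable = mkOption {
        description = "Enable regular set of users";
        # On by default only when xin-secrets has an entry for this host.
        # The secrets below are read from that entry, so forcing this on
        # for a host without one would fail at evaluation time.
        default = builtins.hasAttr config.networking.hostName config.xin-secrets;
        example = true;
        type = types.bool;
      };
    };
  };

  config =
    let
      inherit (config.networking) hostName;
      # The qbit user (and its password secret) is only declared when the
      # host's user_passwords set carries a "qbit" entry.
      hasQbit =
        builtins.hasAttr hostName config.xin-secrets
        && builtins.hasAttr "qbit" config.xin-secrets.${hostName}.user_passwords;
    in
    mkIf config.defaultUsers.enable {
      sops =
        let
          secretAttrs = config.xin-secrets.${hostName}.user_passwords;
        in
        {
          # Decrypt with an age identity derived from the host's SSH key.
          age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets = mkMerge [
            {
              # Password hashes are root-only (mode 400) and flagged
              # neededForUsers so they are provisioned before the user
              # database is generated from them.
              root_hash = {
                name = "hash";
                sopsFile = secretAttrs.root;
                owner = "root";
                mode = "400";
                neededForUsers = true;
              };
            }
            (mkIf hasQbit {
              # NOTE(review): unlike root_hash this sets no `name`, so the
              # key looked up in the sops file is "qbit_hash" rather than
              # "hash" — confirm this matches the secret file's layout.
              qbit_hash = {
                sopsFile = secretAttrs.qbit;
                owner = "root";
                mode = "400";
                neededForUsers = true;
              };
            })
          ];
        };

      users = {
        # Declarative user database only: accounts and passwords come
        # exclusively from this configuration.
        mutableUsers = false;
        users = mkMerge [
          {
            root = userBase // {
              hashedPasswordFile = config.sops.secrets.root_hash.path;
            };
          }
          (mkIf hasQbit {
            qbit = userBase // {
              isNormalUser = true;
              description = "Aaron Bieber";
              home = "/home/qbit";
              # wheel membership grants administrative (sudo) rights.
              extraGroups = [ "wheel" ];
              hashedPasswordFile = config.sops.secrets.qbit_hash.path;
            };
          })
        ];
      };
    };
}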