diff --git a/config/nix.nix b/config/nix.nix
index f0e295e..bfed8d4 100644
--- a/config/nix.nix
+++ b/config/nix.nix
@@ -32,7 +32,7 @@ in
 substituters = [ "https://cache.nixos.org" ] ++ cfg.binaryCaches;
- allowed-users = [ "root" ] ++ (map (n: n.name) cfg.administrators);
+ allowed-users = [ "root" ] ++ (map (n: n.name) cfg.users);
 };
 extraOptions = ''
 build-timeout = 86400 # 24 hours
diff --git a/config/users.nix b/config/users.nix
index dd1245a..6d2680c 100644
--- a/config/users.nix
+++ b/config/users.nix
@@ -9,7 +9,7 @@ with lib; let
 withDocker = config.virtualisation.docker.enable;
 withPodman = config.virtualisation.podman.enable;
- administrators = user: {
+ users = user: {
 inherit (user) name;
 value = let
@@ -20,24 +20,23 @@ let
 isNormalUser = true;
 inherit (user) name;
 uid = user.id;
- subUidRanges = optional withPodman {
+ subUidRanges = optional (user.isAdmin && withPodman) {
 startUid = 100000;
 count = 65536;
 };
- subGidRanges = optional withPodman {
+ subGidRanges = optional (user.isAdmin && withPodman) {
 startGid = 100000;
 count = 65536;
 };
 home = builtins.toPath "/home/${user.name}";
 createHome = true;
- description = "Administrative user ${user.name}.";
 group = user.name;
 extraGroups = [
 "audio"
- "wheel"
 "network"
 ]
+ ++ (optional user.isAdmin "wheel")
 ++ (optionals (lib.elem "desktop" config.machine.services) [
 "input"
 "video"
@@ -66,12 +65,12 @@ let
 };
 in {
- sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
+ sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.users {
 neededForUsers = true;
 };
 users = {
 mutableUsers = false;
- users = listToAttrs (map administrators config.machine.administrators);
- groups = listToAttrs (map mkusergroup config.machine.administrators);
+ users = listToAttrs (map users config.machine.users);
+ groups = listToAttrs (map mkusergroup config.machine.users);
 };
 }
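Review bot: The replacement on the `allowed-users` line is the one place in this commit where the new admin/non-admin split is not applied: every entry of `cfg.users`, admin or not, may now connect to the Nix daemon, whereas before only administrators could. If that widening is intended, a comment on the line such as `# all configured users may use the daemon; this is not trusted-users` would make the choice visible to the next reader; if it is not, `allowed-users = [ "root" ] ++ (map (n: n.name) (filter (n: n.isAdmin) cfg.users));` keeps the old scope. The attribute set this line belongs to starts outside the hunk.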
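Review bot: The helper renamed on the `+ users = user: {` line now shares its name with the `users.users` attribute it feeds and with the `config.machine.users` option it consumes, so the later line `users = listToAttrs (map users config.machine.users);` in the `@@ -66,12 +65,12 @@` hunk reads as if it were recursive. The sibling helper is called `mkusergroup`, so `mkUser = user: {` together with `users = listToAttrs (map mkUser config.machine.users);` would follow the existing convention and remove the clash. The helper's body continues past the end of the hunk.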
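Review bot: `user.isAdmin` is read on the two `subUidRanges`/`subGidRanges` lines and on the `++ (optional user.isAdmin "wheel")` line without a fallback, while the option it comes from is typed `types.listOf types.attrs`, so an entry that omits the new attribute aborts evaluation with a missing-attribute error instead of being treated as a normal user. Writing it as `(user.isAdmin or false)` on those three lines makes an absent flag mean "not an admin", which is the safe default for a `wheel` membership and for the podman sub-id ranges. The same unguarded read appears in `services/nextcloud.nix` (`findFirst (user: user.isAdmin) ...`). The user attribute set being built here starts and ends outside the hunk.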
diff --git a/machines/Lilim/options.nix b/machines/Lilim/options.nix
index 0df2386..fca1ff2 100644
--- a/machines/Lilim/options.nix
+++ b/machines/Lilim/options.nix
@@ -9,10 +9,11 @@
 enable = true;
 waitOnline = false;
 };
- administrators = [
+ users = [
 {
 name = "derped";
 id = 1337;
+ isAdmin = true;
 }
 ];
 conffiles = [
diff --git a/machines/Marid/options.nix b/machines/Marid/options.nix
index 1d2bd0d..328509c 100644
--- a/machines/Marid/options.nix
+++ b/machines/Marid/options.nix
@@ -6,10 +6,11 @@
 config.machine = {
 allowUnfree = true;
 hostName = "Marid";
- administrators = [
+ users = [
 {
 name = "derped";
 id = 1337;
+ isAdmin = true;
 }
 ];
 conffiles = [
diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix
index e12fc25..ea5f862 100644
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@@ -11,10 +11,11 @@ in
 config.machine = rec {
 hostName = "Ophanim";
 domain = "ophanim.de";
- administrators = [
+ users = [
 {
 name = "derped";
 id = 1337;
+ isAdmin = true;
 }
 ];
 mailAccounts = [
diff --git a/machines/Sheol/options.nix b/machines/Sheol/options.nix
index 7d739b2..4b80732 100644
--- a/machines/Sheol/options.nix
+++ b/machines/Sheol/options.nix
@@ -10,10 +10,11 @@
 enable = true;
 waitOnline = false;
 };
- administrators = [
+ users = [
 {
 name = "derped";
 id = 1337;
+ isAdmin = true;
 }
 ];
 conffiles = [
diff --git a/options/machine.nix b/options/machine.nix
index 8a5b860..a2cde7c 100644
--- a/options/machine.nix
+++ b/options/machine.nix
@@ -89,10 +89,10 @@ in
 Adds binary caches to both nix.trustedBinaryCaches and nix.binaryCaches. ("https://cache.nixos.org" is kept by default)
 '';
 };
- administrators = mkOption {
+ users = mkOption {
 type = types.listOf types.attrs;
 description = ''
- List of administrative users.
+ List of normal users.
 '';
 };
 domain = mkOption {
diff --git a/services/impermanence.nix b/services/impermanence.nix
index a69f19e..bd5a564 100644
--- a/services/impermanence.nix
+++ b/services/impermanence.nix
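Review bot: The renamed `users` option in `options/machine.nix` keeps `type = types.listOf types.attrs;`, so nothing declares the new `isAdmin` flag that `config/users.nix` and `services/nextcloud.nix` now read from every entry; a misspelled or omitted flag is not rejected here and only surfaces, if at all, inside the consumers. Declaring the entry shape as a submodule validates `name`, `id` and `isAdmin` and makes "not an admin" the default, so that forgetting the flag can never grant `wheel` membership; if entries carry further attributes elsewhere in the repository, declare those too or add a `freeformType`. The description `List of normal users.` should also state that `isAdmin = true` grants wheel membership and podman sub-id ranges, since this option is now the only place where the flag could be documented.
```nix
users = mkOption {
  type = types.listOf (types.submodule {
    options = {
      name = mkOption { type = types.str; };
      id = mkOption { type = types.int; };
      # defaults to false so that an omitted flag never grants wheel or podman sub-id ranges
      isAdmin = mkOption { type = types.bool; default = false; };
    };
  });
  description = ''
    List of normal users. Entries with isAdmin = true are additionally put in
    the wheel group and, when podman is enabled, receive sub-uid/sub-gid ranges.
  '';
};
```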
@@ -76,7 +76,7 @@ in
 "/etc/ssh/ssh_host_rsa_key"
 "/etc/ssh/ssh_host_rsa_key.pub"
 ];
- users = listToAttrs (map persistUser config.machine.administrators);
+ users = listToAttrs (map persistUser config.machine.users);
 };
 # link current home manager profile if it exists
@@ -91,6 +91,6 @@ in
 ln -sfn /home/${name}/.local/state/nix/profiles/profile /home/${name}/.nix-profile
 fi
 ''
- ) config.machine.administrators
+ ) config.machine.users
 );
 }
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 3f60be9..04aa6c4 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -21,7 +21,7 @@ mkIf (elem "nextcloud" config.machine.services) {
 maxUploadSize = "1024M";
 package = pkgs.nextcloud30;
 config = {
- adminuser = mkDefault (elemAt cfg.administrators 0).name;
+ adminuser = mkDefault (findFirst (user: user.isAdmin) { name = "admin"; } cfg.users).name;
 adminpassFile = config.sops.secrets."services/nextcloud/adminPass".path;
 dbtype = "mysql";
 dbhost = "localhost:3306";
diff --git a/services/openssh.nix b/services/openssh.nix
index 7467210..bcfa374 100644
--- a/services/openssh.nix
+++ b/services/openssh.nix
@@ -25,7 +25,7 @@ mkIf (elem "openssh" config.machine.services) {
 extraConfig = let
 users =
- concatMapStrings (user: "${user.name} ") config.machine.administrators
+ concatMapStrings (user: "${user.name} ") config.machine.users
 + (optionalString config.services.forgejo.enable (config.services.forgejo.user + " "));
 in ''
@@ -36,10 +36,8 @@ mkIf (elem "openssh" config.machine.services) {
 };
 # Add public keys to /etc/ssh/authorized_keys.d
 # This replaces users.users.*.openssh.authorizedKeys.*
- sops.secrets =
- fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
- (user: {
- path = "/etc/ssh/authorized_keys.d/${user.name}";
- mode = "444";
- });
+ sops.secrets = fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.users (user: {
+ path = "/etc/ssh/authorized_keys.d/${user.name}";
+ mode = "444";
+ });
 }
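Review bot: The new `adminuser` fallback `{ name = "admin"; }` in `services/nextcloud.nix` silently turns a machine with no `isAdmin = true` entry into a Nextcloud instance whose administrator account is the predictable name `admin`, where the old `elemAt cfg.administrators 0` would have failed evaluation on an empty list. The password still comes from the `adminpassFile` sops secret, so the account is not weakened, but a misconfiguration now passes the build unnoticed. If a missing admin user is a genuine error for this service, `adminuser = mkDefault (findFirst (user: user.isAdmin) (throw "nextcloud: no entry in config.machine.users has isAdmin = true") cfg.users).name;` keeps the previous fail-fast behaviour (the default argument is only forced when no match exists); otherwise a comment stating that `admin` is the deliberate fallback would do. The `config` attribute set around this line starts and ends outside the hunk.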