options/machine: allow to define users without wheel

2025-07-04 16:52:46 +02:00 · 2025-07-04 16:52:46 +02:00 · 88a6a90ab2
commit 88a6a90ab2
parent 87e83f336f
10 changed files with 26 additions and 25 deletions
--- a/config/nix.nix
+++ b/config/nix.nix
@ -32,7 +32,7 @@ in
      substituters = [
        "https://cache.nixos.org"
      ] ++ cfg.binaryCaches;
-      allowed-users = [ "root" ] ++ (map (n: n.name) cfg.administrators);
+      allowed-users = [ "root" ] ++ (map (n: n.name) cfg.users);
    };
    extraOptions = ''
      build-timeout = 86400  # 24 hours
--- a/config/users.nix
+++ b/config/users.nix
@ -9,7 +9,7 @@ with lib;
 let
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;
-  administrators = user: {
+  users = user: {
    inherit (user) name;
    value =
      let
@ -20,24 +20,23 @@ let
        isNormalUser = true;
        inherit (user) name;
        uid = user.id;
-        subUidRanges = optional withPodman {
+        subUidRanges = optional (user.isAdmin && withPodman) {
          startUid = 100000;
          count = 65536;
        };
-        subGidRanges = optional withPodman {
+        subGidRanges = optional (user.isAdmin && withPodman) {
          startGid = 100000;
          count = 65536;
        };
        home = builtins.toPath "/home/${user.name}";
        createHome = true;
-        description = "Administrative user ${user.name}.";
        group = user.name;
        extraGroups =
          [
            "audio"
-            "wheel"
            "network"
          ]
+          ++ (optional user.isAdmin "wheel")
          ++ (optionals (lib.elem "desktop" config.machine.services) [
            "input"
            "video"
@ -66,12 +65,12 @@ let
  };
 in
 {
-  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
+  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.users {
    neededForUsers = true;
  };
  users = {
    mutableUsers = false;
-    users = listToAttrs (map administrators config.machine.administrators);
-    groups = listToAttrs (map mkusergroup config.machine.administrators);
+    users = listToAttrs (map users config.machine.users);
+    groups = listToAttrs (map mkusergroup config.machine.users);
  };
 }