options/machine: allow to define users without wheel

2025-07-04 16:52:46 +02:00 · 2025-07-04 16:52:46 +02:00 · 88a6a90ab2
commit 88a6a90ab2
parent 87e83f336f
10 changed files with 26 additions and 25 deletions
--- a/config/nix.nix
+++ b/config/nix.nix
@ -32,7 +32,7 @@ in
      substituters = [
        "https://cache.nixos.org"
      ] ++ cfg.binaryCaches;
-      allowed-users = [ "root" ] ++ (map (n: n.name) cfg.administrators);
+      allowed-users = [ "root" ] ++ (map (n: n.name) cfg.users);
    };
    extraOptions = ''
      build-timeout = 86400  # 24 hours
--- a/config/users.nix
+++ b/config/users.nix
@ -9,7 +9,7 @@ with lib;
 let
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;
-  administrators = user: {
+  users = user: {
    inherit (user) name;
    value =
      let
@ -20,24 +20,23 @@ let
        isNormalUser = true;
        inherit (user) name;
        uid = user.id;
-        subUidRanges = optional withPodman {
+        subUidRanges = optional (user.isAdmin && withPodman) {
          startUid = 100000;
          count = 65536;
        };
-        subGidRanges = optional withPodman {
+        subGidRanges = optional (user.isAdmin && withPodman) {
          startGid = 100000;
          count = 65536;
        };
        home = builtins.toPath "/home/${user.name}";
        createHome = true;
        description = "Administrative user ${user.name}.";
        group = user.name;
        extraGroups =
          [
            "audio"
            "wheel"
            "network"
          ]
          ++ (optional user.isAdmin "wheel")
          ++ (optionals (lib.elem "desktop" config.machine.services) [
            "input"
            "video"
@ -66,12 +65,12 @@ let
  };
 in
 {
-  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
+  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.users {
    neededForUsers = true;
  };
  users = {
    mutableUsers = false;
-    users = listToAttrs (map administrators config.machine.administrators);
+    users = listToAttrs (map users config.machine.users);
-    groups = listToAttrs (map mkusergroup config.machine.administrators);
+    groups = listToAttrs (map mkusergroup config.machine.users);
  };
 }
--- a/machines/Lilim/options.nix
+++ b/machines/Lilim/options.nix
@ -9,10 +9,11 @@
      enable = true;
      waitOnline = false;
    };
-    administrators = [
+    users = [
      {
        name = "derped";
        id = 1337;
        isAdmin = true;
      }
    ];
    conffiles = [
--- a/machines/Marid/options.nix
+++ b/machines/Marid/options.nix
@ -6,10 +6,11 @@
  config.machine = {
    allowUnfree = true;
    hostName = "Marid";
-    administrators = [
+    users = [
      {
        name = "derped";
        id = 1337;
        isAdmin = true;
      }
    ];
    conffiles = [
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@ -11,10 +11,11 @@ in
  config.machine = rec {
    hostName = "Ophanim";
    domain = "ophanim.de";
-    administrators = [
+    users = [
      {
        name = "derped";
        id = 1337;
        isAdmin = true;
      }
    ];
    mailAccounts = [
--- a/machines/Sheol/options.nix
+++ b/machines/Sheol/options.nix
@ -10,10 +10,11 @@
      enable = true;
      waitOnline = false;
    };
-    administrators = [
+    users = [
      {
        name = "derped";
        id = 1337;
        isAdmin = true;
      }
    ];
    conffiles = [
--- a/options/machine.nix
+++ b/options/machine.nix
@ -89,10 +89,10 @@ in
        Adds binary caches to both nix.trustedBinaryCaches and nix.binaryCaches. ("https://cache.nixos.org" is kept by default)
      '';
    };
-    administrators = mkOption {
+    users = mkOption {
      type = types.listOf types.attrs;
      description = ''
-        List of administrative users.
+        List of normal users.
      '';
    };
    domain = mkOption {
--- a/services/impermanence.nix
+++ b/services/impermanence.nix
@ -76,7 +76,7 @@ in
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
      ];
-    users = listToAttrs (map persistUser config.machine.administrators);
+    users = listToAttrs (map persistUser config.machine.users);
  };
  # link current home manager profile if it exists
@ -91,6 +91,6 @@ in
          ln -sfn /home/${name}/.local/state/nix/profiles/profile /home/${name}/.nix-profile
        fi
      ''
-    ) config.machine.administrators
+    ) config.machine.users
  );
 }
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -21,7 +21,7 @@ mkIf (elem "nextcloud" config.machine.services) {
        maxUploadSize = "1024M";
        package = pkgs.nextcloud30;
        config = {
-          adminuser = mkDefault (elemAt cfg.administrators 0).name;
+          adminuser = mkDefault (findFirst (user: user.isAdmin) { name = "admin"; } cfg.users).name;
          adminpassFile = config.sops.secrets."services/nextcloud/adminPass".path;
          dbtype = "mysql";
          dbhost = "localhost:3306";
--- a/services/openssh.nix
+++ b/services/openssh.nix
@ -25,7 +25,7 @@ mkIf (elem "openssh" config.machine.services) {
    extraConfig =
      let
        users =
-          concatMapStrings (user: "${user.name} ") config.machine.administrators
+          concatMapStrings (user: "${user.name} ") config.machine.users
          + (optionalString config.services.forgejo.enable (config.services.forgejo.user + " "));
      in
      ''
@ -36,10 +36,8 @@ mkIf (elem "openssh" config.machine.services) {
  };
  # Add public keys to /etc/ssh/authorized_keys.d
  # This replaces users.users.*.openssh.authorizedKeys.*
-  sops.secrets =
+  sops.secrets = fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.users (user: {
-    fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
+    path = "/etc/ssh/authorized_keys.d/${user.name}";
-      (user: {
+    mode = "444";
-        path = "/etc/ssh/authorized_keys.d/${user.name}";
+  });
        mode = "444";
      });
 }