derped/nixos
1
0
Fork 0
Code Releases Activity

options/machine: allow to define users without wheel

Browse source
This commit is contained in:
Kevin Baensch 2025-07-04 16:52:46 +02:00
parent 87e83f336f
commit 88a6a90ab2
Signed by: derped
GPG key ID: C0F1D326C7626543
10 changed files with 26 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/nix.nix
View file

@ -32,7 +32,7 @@ in
substituters = [
"https://cache.nixos.org"
] ++ cfg.binaryCaches;
allowed-users = [ "root" ] ++ (map (n: n.name) cfg.administrators);
allowed-users = [ "root" ] ++ (map (n: n.name) cfg.users);
};
extraOptions = ''
build-timeout = 86400 # 24 hours

15
config/users.nix
View file

@ -9,7 +9,7 @@ with lib;
let
withDocker = config.virtualisation.docker.enable;
withPodman = config.virtualisation.podman.enable;
administrators = user: {
users = user: {
inherit (user) name;
value =
let
@ -20,24 +20,23 @@ let
isNormalUser = true;
inherit (user) name;
uid = user.id;
subUidRanges = optional withPodman {
subUidRanges = optional (user.isAdmin && withPodman) {
startUid = 100000;
count = 65536;
};
subGidRanges = optional withPodman {
subGidRanges = optional (user.isAdmin && withPodman) {
startGid = 100000;
count = 65536;
};
home = builtins.toPath "/home/${user.name}";
createHome = true;
description = "Administrative user ${user.name}.";
group = user.name;
extraGroups =
[
"audio"
"wheel"
"network"
]
++ (optional user.isAdmin "wheel")
++ (optionals (lib.elem "desktop" config.machine.services) [
"input"
"video"
@ -66,12 +65,12 @@ let
};
in
{
sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.users {
neededForUsers = true;
};
users = {
mutableUsers = false;
users = listToAttrs (map administrators config.machine.administrators);
groups = listToAttrs (map mkusergroup config.machine.administrators);
users = listToAttrs (map users config.machine.users);
groups = listToAttrs (map mkusergroup config.machine.users);
};
}

3
machines/Lilim/options.nix
View file

@ -9,10 +9,11 @@
enable = true;
waitOnline = false;
};
administrators = [
users = [
{
name = "derped";
id = 1337;
isAdmin = true;
}
];
conffiles = [

3
machines/Marid/options.nix
View file

@ -6,10 +6,11 @@
config.machine = {
allowUnfree = true;
hostName = "Marid";
administrators = [
users = [
{
name = "derped";
id = 1337;
isAdmin = true;
}
];
conffiles = [

3
machines/Ophanim/options.nix
View file

@ -11,10 +11,11 @@ in
config.machine = rec {
hostName = "Ophanim";
domain = "ophanim.de";
administrators = [
users = [
{
name = "derped";
id = 1337;
isAdmin = true;
}
];
mailAccounts = [

3
machines/Sheol/options.nix
View file

@ -10,10 +10,11 @@
enable = true;
waitOnline = false;
};
administrators = [
users = [
{
name = "derped";
id = 1337;
isAdmin = true;
}
];
conffiles = [

4
options/machine.nix
View file

@ -89,10 +89,10 @@ in
Adds binary caches to both nix.trustedBinaryCaches and nix.binaryCaches. ("https://cache.nixos.org" is kept by default)
'';
};
administrators = mkOption {
users = mkOption {
type = types.listOf types.attrs;
description = ''
List of administrative users.
List of normal users.
'';
};
domain = mkOption {

4
services/impermanence.nix
View file

@ -76,7 +76,7 @@ in
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
users = listToAttrs (map persistUser config.machine.administrators);
users = listToAttrs (map persistUser config.machine.users);
};
# link current home manager profile if it exists
@ -91,6 +91,6 @@ in
ln -sfn /home/${name}/.local/state/nix/profiles/profile /home/${name}/.nix-profile
fi
''
) config.machine.administrators
) config.machine.users
);
}

2
services/nextcloud.nix
View file

@ -21,7 +21,7 @@ mkIf (elem "nextcloud" config.machine.services) {
maxUploadSize = "1024M";
package = pkgs.nextcloud30;
config = {
adminuser = mkDefault (elemAt cfg.administrators 0).name;
adminuser = mkDefault (findFirst (user: user.isAdmin) { name = "admin"; } cfg.users).name;
adminpassFile = config.sops.secrets."services/nextcloud/adminPass".path;
dbtype = "mysql";
dbhost = "localhost:3306";

12
services/openssh.nix
View file

@ -25,7 +25,7 @@ mkIf (elem "openssh" config.machine.services) {
extraConfig =
let
users =
concatMapStrings (user: "${user.name} ") config.machine.administrators
concatMapStrings (user: "${user.name} ") config.machine.users
+ (optionalString config.services.forgejo.enable (config.services.forgejo.user + " "));
in
''
@ -36,10 +36,8 @@ mkIf (elem "openssh" config.machine.services) {
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
(user: {
path = "/etc/ssh/authorized_keys.d/${user.name}";
mode = "444";
});
sops.secrets = fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.users (user: {
path = "/etc/ssh/authorized_keys.d/${user.name}";
mode = "444";
});
}