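# NixOS module: turns config.machine.administrators (a list of { name, id }
# attrsets) into immutable local users, each with a primary group of the same
# name and numeric id.  Password hashes are read from sops-nix secrets.
{ config, lib, pkgs, ... }:
let
  inherit (lib) optional optionals listToAttrs imap0;

  # Size of the subordinate UID/GID range given to each administrator
  # (the same width the original handed out).
  subIdCount = 65536;
  # Base of the first subordinate range; later administrators get disjoint
  # ranges stacked above it.
  subIdBase = 100000;

  # Build the users.users.<name> entry for one administrator.
  #
  # `idx` is the user's position in config.machine.administrators.  The
  # original gave every administrator the identical range 100000-165535, so
  # with two or more administrators their subordinate ids — and therefore
  # the user namespaces of their rootless containers — overlapped, letting
  # one user's containers own or read files created by another's.  Each
  # user now gets a disjoint range; the first administrator keeps the
  # original one, later ones may need their existing container storage
  # re-chowned (or reset) once after this change.
  mkAdministrator = idx: user:
    let
      cfg = config.services;
      # Path where sops-nix places this user's password hash at activation.
      # NOTE(review): the secret should be declared with neededForUsers = true
      # so it is available when users are created — confirm in the secrets
      # declaration, which is not part of this file.
      passPath = config.sops.secrets."users/${user.name}/password".path;
      subIdStart = subIdBase + idx * subIdCount;
    in
    {
      name = user.name;
      value = {
        isNormalUser = true;
        name = user.name;
        uid = user.id;
        subUidRanges = [ { startUid = subIdStart; count = subIdCount; } ];
        subGidRanges = [ { startGid = subIdStart; count = subIdCount; } ];
        # users.users.<name>.home accepts a string; builtins.toPath is
        # deprecated and returned the same string anyway.
        home = "/home/${user.name}";
        createHome = true;
        description = "Administrative user ${user.name}.";
        group = user.name;
        extraGroups =
          [ "audio" "wheel" "network" ]
          ++ optionals cfg.xserver.enable [ "input" "video" ]
          ++ optionals cfg.printing.enable [ "cups" "lp" ]
          # Membership in the docker group is root-equivalent; acceptable here
          # only because these accounts are already in wheel.  podman wins
          # when both runtimes are enabled.
          ++ optional (config.virtualisation.docker.enable && !config.virtualisation.podman.enable) "docker"
          ++ optional config.virtualisation.podman.enable "podman";
        shell = "${pkgs.zsh}/bin/zsh";
        # Hashed password read at activation.  NixOS 23.11 renamed this option
        # to hashedPasswordFile; switch once the deployed release allows it.
        passwordFile = passPath;
        # TODO: Fix for sops
        # As written this cannot work: builtins.pathExists runs at evaluation
        # time, before sops-nix has materialised anything under passPath, and
        # "${passPath}.pub" would be derived from the password secret rather
        # than from an SSH key secret.
        # openssh.authorizedKeys.keyFiles = optional
        #   (cfg.openssh.enable && (builtins.pathExists "${passPath}.pub"))
        #   "${passPath}.pub";
      };
    };

  # Build the users.groups.<name> entry: one primary group per administrator,
  # sharing the user's numeric id and containing only that user.
  mkUserGroup = user: {
    name = user.name;
    value = {
      name = user.name;
      gid = user.id;
      members = [ user.name ];
    };
  };
in
{
  users = {
    # Fully declarative accounts: anything added with useradd/passwd does not
    # survive a rebuild, which is what keeps this list authoritative.
    mutableUsers = false;
    users = listToAttrs (imap0 mkAdministrator config.machine.administrators);
    groups = listToAttrs (map mkUserGroup config.machine.administrators);
  };
}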