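{ config, lib, fn, pkgs, ... }:
# Administrative (sudo-capable) local accounts, declared from
# `config.machine.administrators` (a list of `{ name; id; }` entries).
#
# Every administrator gets:
#   - a fixed uid/gid (`user.id`) and a private primary group of the same name,
#   - `wheel` plus the device/service groups the machine actually enables,
#   - a login password read from the sops secret `users/<name>/password`
#     (the secret must hold a *hashed* password, e.g. from `mkpasswd -m sha-512`,
#     since it is wired to `hashedPasswordFile`),
#   - when rootless podman is enabled, a private, non-overlapping subordinate
#     uid/gid range so containers of different administrators cannot share host ids.
#
# `users.mutableUsers = false` means the administrator accounts are exactly the
# ones declared here; ad-hoc `useradd`/`passwd` changes do not survive activation.
with lib;
let
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;

  # Size of each subordinate uid/gid range and the base of the first range.
  subIdCount = 65536;
  subIdBase = 100000;

  # Start of the subordinate range for a given uid.  Derived from the uid (not
  # from the list position) so the mapping stays stable when administrators are
  # added or reordered: uid 1000 -> 100000, uid 1001 -> 165536, ...
  # Distinct uids therefore get disjoint ranges.  The original code gave every
  # administrator the same fixed range, so with two or more administrators their
  # rootless containers would have mapped the same host ids and files written by
  # one user's containers would have been owned (and writable) by the other's.
  subIdStart = id: subIdBase + (id - 1000) * subIdCount;

  # Build one `users.users.<name>` entry for an administrator.
  administrators = user: {
    inherit (user) name;
    value =
      let
        cfg = config.services;
        # Declared below via fn.sopsHelper with `neededForUsers = true`.
        passPath = config.sops.secrets."users/${user.name}/password".path;
      in
      {
        isNormalUser = true;
        inherit (user) name;
        uid = user.id;
        # Only rootless podman needs subordinate ids; no mapping is added for
        # docker, whose daemon runs containers itself.
        subUidRanges = optional withPodman { startUid = subIdStart user.id; count = subIdCount; };
        subGidRanges = optional withPodman { startGid = subIdStart user.id; count = subIdCount; };
        home = "/home/${user.name}";
        createHome = true;
        description = "Administrative user ${user.name}.";
        group = user.name;
        # NOTE: `wheel` grants sudo, and `docker`/`libvirtd` membership is
        # effectively root-equivalent on the host.  That is intended here because
        # these are the machine's administrators; do not reuse this builder for
        # unprivileged accounts.
        extraGroups =
          [ "audio" "wheel" "network" ]
          ++ optionals (lib.elem "desktop" config.machine.services) [ "input" "video" ]
          ++ optionals cfg.printing.enable [ "cups" "lp" ]
          ++ optional config.programs.virt-manager.enable "libvirtd"
          ++ optional config.virtualisation.virtualbox.host.enable "vboxusers"
          ++ optional config.networking.networkmanager.enable "networkmanager"
          # When both runtimes are enabled, prefer the rootless podman group.
          ++ optional (withDocker && !withPodman) "docker"
          ++ optional withPodman "podman";
        shell = "${pkgs.zsh}/bin/zsh";
        hashedPasswordFile = passPath;
      };
  };

  # Build the private primary group for an administrator (gid == uid).
  mkusergroup = user: {
    inherit (user) name;
    value = {
      inherit (user) name;
      gid = user.id;
      members = [ user.name ];
    };
  };
in
{
  # One sops secret per administrator.  `neededForUsers` is required because
  # `hashedPasswordFile` is read while users are being created, which sops-nix
  # handles in an earlier activation stage than regular secrets.
  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") config.machine.administrators {
    neededForUsers = true;
  };

  assertions = [
    {
      # The subordinate-id arithmetic in `subIdStart` assumes regular (>= 1000)
      # uids; a smaller id would yield a range below 100000 that collides with
      # system and regular uids.  Only enforced when the ranges are actually used.
      assertion = !withPodman || all (user: user.id >= 1000) config.machine.administrators;
      message = "machine.administrators: every administrator id must be >= 1000 when podman is enabled (subordinate uid/gid ranges are derived from the id).";
    }
  ];

  users = {
    mutableUsers = false;
    users = listToAttrs (map administrators config.machine.administrators);
    groups = listToAttrs (map mkusergroup config.machine.administrators);
  };
}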