90 lines
3.3 KiB
Nix
90 lines
3.3 KiB
Nix
|
{ config, lib, ... }:
|
||
|
|
{
|
||
|
|
options.snowflake.user = {
|
||
|
|
enable = lib.mkEnableOption "Enable user configuration";
|
||
|
|
|
||
|
|
uid = lib.mkOption {
|
||
|
|
type = lib.types.nullOr lib.types.int;
|
||
|
|
default = 1000;
|
||
|
|
description = "User ID for the system user";
|
||
|
|
};
|
||
|
|
username = lib.mkOption {
|
||
|
|
type = lib.types.str;
|
||
|
|
description = "Username for the system user";
|
||
|
|
};
|
||
|
|
description = lib.mkOption {
|
||
|
|
type = lib.types.str;
|
||
|
|
description = "Real name for the system user";
|
||
|
|
};
|
||
|
|
extraGroups = lib.mkOption {
|
||
|
|
type = lib.types.listOf lib.types.str;
|
||
|
|
default = [ ];
|
||
|
|
};
|
||
|
|
extraAuthorizedKeys = lib.mkOption {
|
||
|
|
type = lib.types.listOf lib.types.str;
|
||
|
|
default = [ ];
|
||
|
|
description = "Additional authorized keys for the system user";
|
||
|
|
};
|
||
|
|
extraRootAuthorizedKeys = lib.mkOption {
|
||
|
|
type = lib.types.listOf lib.types.str;
|
||
|
|
default = [ ];
|
||
|
|
description = "Additional authorized keys for root user";
|
||
|
|
};
|
||
|
|
userPasswordAgeModule = lib.mkOption {
|
||
|
|
description = "Age file to include to use as user password";
|
||
|
|
};
|
||
|
|
rootPasswordAgeModule = lib.mkOption {
|
||
|
|
description = "Age file to include to use as root password";
|
||
|
|
};
|
||
|
|
setEmptyPassword = lib.mkEnableOption "Enable to set empty password for the system user";
|
||
|
|
setEmptyRootPassword = lib.mkEnableOption "Enable to set empty password for the root user";
|
||
|
|
};
|
||
|
|
|
||
|
|
config = {
|
||
|
|
# Make users immutable.
|
||
|
|
users.mutableUsers = false;
|
||
|
|
|
||
|
|
# Add ~/bin to $PATH.
|
||
|
|
environment.homeBinInPath = config.snowflake.user.enable;
|
||
|
|
|
||
|
|
# Load password files.
|
||
|
|
age.secrets.hashed-user-password = lib.mkIf (
|
||
|
|
!config.snowflake.user.setEmptyPassword && config.snowflake.user.enable
|
||
|
|
) config.snowflake.user.userPasswordAgeModule;
|
||
|
|
age.secrets.hashed-root-password = lib.mkIf (
|
||
|
|
!config.snowflake.user.setEmptyRootPassword
|
||
|
|
) config.snowflake.user.rootPasswordAgeModule;
|
||
|
|
|
||
|
|
# Configure the user account.
|
||
|
|
# NOTE: hashedPasswordFile has an issue. If the auth method is changed from `hashedPassword`
|
||
|
|
# to `hashedPasswordFile`, /etc/shadow gets messed up and login does not work. To fix this
|
||
|
|
# we need to remove all the users' entries from /etc/shadow and run nixos-rebuild. Seems to be
|
||
|
|
# a one-time thing.
|
||
|
|
# ref: https://github.com/NixOS/nixpkgs/issues/99433
|
||
|
|
users.users.${config.snowflake.user.username} = lib.mkIf config.snowflake.user.enable {
|
||
|
|
inherit (config.snowflake.user) description;
|
||
|
|
extraGroups = [
|
||
|
|
"wheel"
|
||
|
|
"users"
|
||
|
|
] ++ config.snowflake.user.extraGroups;
|
||
|
|
hashedPasswordFile = lib.mkIf (
|
||
|
|
!config.snowflake.user.setEmptyPassword
|
||
|
|
) config.age.secrets.hashed-user-password.path;
|
||
|
|
isNormalUser = true;
|
||
|
|
openssh.authorizedKeys.keys = config.snowflake.user.extraAuthorizedKeys;
|
||
|
|
inherit (config.snowflake.user) uid;
|
||
|
|
};
|
||
|
|
|
||
|
|
# Define password, authorized keys and shell for root user.
|
||
|
|
users.users.root = {
|
||
|
|
hashedPasswordFile = lib.mkIf (
|
||
|
|
!config.snowflake.user.setEmptyRootPassword
|
||
|
|
) config.age.secrets.hashed-root-password.path;
|
||
|
|
openssh.authorizedKeys.keys = config.snowflake.user.extraRootAuthorizedKeys;
|
||
|
|
};
|
||
|
|
|
||
|
|
# Configure some miscellaneous dotfiles for my user.
|
||
|
|
# home-manager.users.${config.snowflake.user.username} = lib.mkIf config.snowflake.user.enable {
|
||
|
|
};
|
||
|
|
}
|