feat(nixos): add owner config to manifest and users module

2025-07-06 23:33:36 +08:00 · 2025-07-06 23:33:36 +08:00 · 5add052c92
commit 5add052c92
parent a8a507daf2
2 changed files with 73 additions and 37 deletions
--- a/nix/manifest.nix
+++ b/nix/manifest.nix
@ -8,7 +8,14 @@ let
  };
 in
 {
-  flake.manifest.hosts = {
+  flake.manifest = {
+    owner = {
+      username = "rafiq";
+      email = "rafiq@rrv.sh";
+      shell = "fish";
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq";
+    };
+    hosts = {
      "nixos/test".extraCfg = testCfg;
      "nixos/nemesis" = {
        machine = {
@ -49,4 +56,5 @@ in
        extraCfg = testCfg;
      };
    };
+  };
 }
--- a/nix/modules/nixos/users.nix
+++ b/nix/modules/nixos/users.nix
@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  inherit (config.flake.manifest) owner;
+in
+{
+  flake.modules.nixos.default =
+    { pkgs, ... }:
+    {
+      #TODO: move sudo/security options elsewhere
+      security.sudo.wheelNeedsPassword = false;
+      nix.settings.trusted-users = [ "@wheel" ];
+      #TODO: move to shell config
+      programs.${owner.shell}.enable = true;
+      #TODO: move ssh key settings elsewhere
+      users = {
+        mutableUsers = false;
+        groups.users.gid = 100;
+        users.root.openssh.authorizedKeys.keys = [ owner.pubkey ];
+        users.${owner.username} = {
+          isNormalUser = true;
+          # hashedPasswordFile
+          extraGroups = [ "wheel" ];
+          shell = pkgs.${owner.shell};
+          openssh.authorizedKeys.keys = [ owner.pubkey ];
+        };
+      };
+    };
+}