feat(nixos): add owner config to manifest and users module

2025-07-06 23:33:36 +08:00 · 2025-07-06 23:33:36 +08:00 · aef828b713
commit aef828b713
parent f670889e29
2 changed files with 73 additions and 37 deletions
--- a/nix/manifest.nix
+++ b/nix/manifest.nix
@ -8,45 +8,53 @@ let
  };
 in
 {
-  flake.manifest.hosts = {
-    "nixos/test".extraCfg = testCfg;
-    "nixos/nemesis" = {
-      machine = {
-        platform = "amd";
-        gpu = "nvidia";
-        root.drive = "/dev/disk/by-id/nvme-CT2000P3SSD8_2325E6E77434";
-        monitors = [
-          {
-            id = "desc:OOO AN-270W04K";
-            scale = "2";
-            resolution = "3840x2160";
-            refresh-rate = "60";
-          }
-        ];
-      };
-      # profiles = with config.flake.profiles.nixos; [
-      #   graphical
-      #   development
-      # ];
-      # extraModules = with config.flakes.modules.nixos; [
-      #   sunshine
-      #   sd-webui-forge
-      #   comfy-ui
-      # ];
-      extraCfg = testCfg;
+  flake.manifest = {
+    owner = {
+      username = "rafiq";
+      email = "rafiq@rrv.sh";
+      shell = "fish";
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq";
    };
-    "nixos/apollo" = {
-      machine = {
-        platform = "intel";
-        root.drive = "/dev/disk/by-id/nvme-eui.002538d221b47b01";
+    hosts = {
+      "nixos/test".extraCfg = testCfg;
+      "nixos/nemesis" = {
+        machine = {
+          platform = "amd";
+          gpu = "nvidia";
+          root.drive = "/dev/disk/by-id/nvme-CT2000P3SSD8_2325E6E77434";
+          monitors = [
+            {
+              id = "desc:OOO AN-270W04K";
+              scale = "2";
+              resolution = "3840x2160";
+              refresh-rate = "60";
+            }
+          ];
+        };
+        # profiles = with config.flake.profiles.nixos; [
+        #   graphical
+        #   development
+        # ];
+        # extraModules = with config.flakes.modules.nixos; [
+        #   sunshine
+        #   sd-webui-forge
+        #   comfy-ui
+        # ];
+        extraCfg = testCfg;
+      };
+      "nixos/apollo" = {
+        machine = {
+          platform = "intel";
+          root.drive = "/dev/disk/by-id/nvme-eui.002538d221b47b01";
+        };
+        # profiles = with config.flake.profiles.nixos; [ headless ];
+        # extraModules = with config.flakes.modules.nixos; [
+        #   librechat
+        #   forgejo
+        #   rrv-sh
+        # ];
+        extraCfg = testCfg;
      };
-      # profiles = with config.flake.profiles.nixos; [ headless ];
-      # extraModules = with config.flakes.modules.nixos; [
-      #   librechat
-      #   forgejo
-      #   rrv-sh
-      # ];
-      extraCfg = testCfg;
    };
  };
 }
--- a/nix/modules/nixos/users.nix
+++ b/nix/modules/nixos/users.nix
@ -0,0 +1,28 @@
+{ config, ... }:
+let
+  inherit (config.flake.manifest) owner;
+in
+{
+  flake.modules.nixos.default =
+    { pkgs, ... }:
+    {
+      #TODO: move sudo/security options elsewhere
+      security.sudo.wheelNeedsPassword = false;
+      nix.settings.trusted-users = [ "@wheel" ];
+      #TODO: move to shell config
+      programs.${owner.shell}.enable = true;
+      #TODO: move ssh key settings elsewhere
+      users = {
+        mutableUsers = false;
+        groups.users.gid = 100;
+        users.root.openssh.authorizedKeys.keys = [ owner.pubkey ];
+        users.${owner.username} = {
+          isNormalUser = true;
+          # hashedPasswordFile
+          extraGroups = [ "wheel" ];
+          shell = pkgs.${owner.shell};
+          openssh.authorizedKeys.keys = [ owner.pubkey ];
+        };
+      };
+    };
+}