os/modules/user/default.nix

{
  config,
  pkgs,
  lib,
  flake,
  ...
}: let
  psCfg = config.pub-solar;
in
with lib; {
  imports = [
    ./home.nix
  ];

  options.pub-solar = {
    user = {
      name = mkOption {
        description = "User login name";
        type = types.nullOr types.str;
        default = "nixos";
      };
      description = mkOption {
        description = "User description";
        type = types.nullOr types.str;
        default = "The main PubSolarOS user";
      };
      password = mkOption {
        description = "User password";
        type = types.nullOr types.str;
        default = null;
      };
      passwordlessSudo = mkOption {
        description = "Whether this user can use sudo without entering a password";
        type = types.bool;
        default = false;
      };
      publicKeys = mkOption {
        description = "User SSH public keys";
        type = types.listOf types.str;
        default = [];
      };
      fullName = mkOption {
        description = "User full name";
        type = types.nullOr types.str;
        default = null;
      };
      email = mkOption {
        description = "User email address";
        type = types.nullOr types.str;
        default = null;
      };
      gpgKeyId = mkOption {
        description = "GPG Key ID";
        type = types.nullOr types.str;
        default = null;
      };
    };
  };

  config = {
    users = {
      mutableUsers = false;

      users."${psCfg.user.name}" = {
        # Indicates whether this is an account for a “real” user.
        # This automatically sets group to users, createHome to true,
        # home to /home/username, useDefaultShell to true, and isSystemUser to false.
        isNormalUser = true;
        description = psCfg.user.description;
        extraGroups = [
          "input"
          "lp"
          "networkmanager"
          "scanner"
          "video"
          "dialout"
          "wheel"
        ];
        shell = pkgs.bash;
        initialHashedPassword =
          if psCfg.user.password != null
          then psCfg.user.password
          else "";
        openssh.authorizedKeys.keys =
          flake.self.publicKeys ++
          (if psCfg.user.publicKeys != null
          then psCfg.user.publicKeys
          else []);
      };
    };

    security.sudo.extraRules = mkIf psCfg.user.passwordlessSudo [
      {
        users = ["${psCfg.user.name}"];
        commands = [
          {
            command = "ALL";
            options = ["NOPASSWD"];
          }
        ];
      }
    ];
  };
}