infra/modules/core/users.nix

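{
  flake,
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.pub-solar-os.authentication;

  # This root password hash is committed to the repository, so every host that
  # does not override the option shares a root password whose hash is public.
  # It stays the default for backward compatibility; hosts that still rely on
  # it get an evaluation warning (see `warnings` below).
  defaultRootHashedPassword = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";

  # One normal user per entry of flake.self.logins.admins, keyed by login name.
  # "wheel" gives passwordless sudo (security.sudo.wheelNeedsPassword below) and
  # membership in "docker" is root-equivalent on the host, so each admin SSH key
  # listed here is effectively a root credential for the machine.
  adminUsers = lib.mapAttrs (name: value: {
    inherit name;
    group = name;
    extraGroups = [
      "wheel"
      "docker"
    ];
    isNormalUser = true;
    # value.sshPubKeys is treated as an attribute set here (keys are its values),
    # unlike the plain list used for the robot user — confirm against
    # flake.self.logins.
    openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
  }) flake.self.logins.admins;

  # A private primary group named after each admin.
  adminGroups = lib.mapAttrs (_: _: { }) flake.self.logins.admins;
in
{
  options.pub-solar-os.authentication =
    let
      inherit (lib) mkOption types;
    in
    {
      root.initialHashedPassword = mkOption {
        description = "Hashed password of the root account";
        type = types.str;
        default = defaultRootHashedPassword;
      };

      robot.username = mkOption {
        description = "username for the robot user";
        type = types.str;
        default = "hakkonaut";
      };

      robot.sshPubKeys = mkOption {
        description = "SSH Keys to use for the robot user";
        type = types.listOf types.str;
        default = flake.self.logins.robots.sshPubKeys;
      };
    };

  config = {
    # Make the shared, publicly known default root hash visible at evaluation
    # time instead of silently shipping it to a host.
    warnings = lib.optional (cfg.root.initialHashedPassword == defaultRootHashedPassword)
      "pub-solar-os.authentication.root.initialHashedPassword still uses the repository default hash; set a per-host value.";

    users.users = adminUsers // {
      # TODO: Remove when we stop locking ourselves out.
      # NOTE(review): `pub-solar-os.authentication.sshPubKeys` is not declared in
      # this module's options (only root.* and robot.* are); unless another module
      # declares it, this line fails evaluation. Root key login also only takes
      # effect if sshd's PermitRootLogin allows it — confirm both.
      root.openssh.authorizedKeys.keys = cfg.sshPubKeys;
      root.initialHashedPassword = cfg.root.initialHashedPassword;

      ${cfg.robot.username} = {
        description = "CI and automation user";
        home = "/home/${cfg.robot.username}";
        createHome = true;
        useDefaultShell = true;
        # Fixed uid so file ownership stays stable across rebuilds.
        uid = 998;
        group = cfg.robot.username;
        isSystemUser = true;
        # Deliberately no "wheel"/"docker" membership: the robot keys only grant
        # a login as this unprivileged user.
        openssh.authorizedKeys.keys = cfg.robot.sshPubKeys;
      };
    };

    users.groups = adminGroups // {
      ${cfg.robot.username} = { };
    };

    # Admin accounts are defined here without any password, so sudo can only
    # work without one; consequently any admin SSH key is root on the host.
    security.sudo.wheelNeedsPassword = false;
  };
}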