auth: add user for each administrator

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y

logins/default.nix

@@ -6,18 +6,11 @@ in
 {
   flake = {
     logins = {
-      admins =
-        lib.lists.foldl
-          (logins: adminConfig: {
-            sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
+      admins = admins;
       wireguardDevices =
-              logins.wireguardDevices
-              ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
-          })
-          {
-            sshPubKeys = [ ];
-            wireguardDevices = [ ];
-          }
+        lib.lists.foldl
+          (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
+          [ ]
           (lib.attrsets.attrValues admins);
       robots.sshPubKeys = lib.attrsets.attrValues robots;
     };

modules/core/users.nix

@@ -11,18 +11,6 @@
       inherit (lib) mkOption types;
     in
     {
-      username = mkOption {
-        description = "Username for the adminstrative user";
-        type = types.str;
-        default = flake.self.username;
-      };
-
-      sshPubKeys = mkOption {
-        description = "SSH Keys that should have administrative root access";
-        type = types.listOf types.str;
-        default = flake.self.logins.admins.sshPubKeys;
-      };
-
       root.initialHashedPassword = mkOption {
         description = "Hashed password of the root account";
         type = types.str;
@@ -43,22 +31,26 @@
     };
 
   config = {
-    users.users.${config.pub-solar-os.authentication.username} = {
-      name = config.pub-solar-os.authentication.username;
-      group = config.pub-solar-os.authentication.username;
+    users.users = (lib.attrsets.foldlAttrs
+      (acc: name: value: acc // { ${name} = {
+        name = name;
+        group = name;
         extraGroups = [
           "wheel"
           "docker"
         ];
         isNormalUser = true;
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+        openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
         };
-    users.groups.${config.pub-solar-os.authentication.username} = { };
-
+      })
+      { }
+      flake.self.logins.admins)
+    // {
       # TODO: Remove when we stop locking ourselves out.
-    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+      root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+      root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
 
-    users.users.${config.pub-solar-os.authentication.robot.username} = {
+      ${config.pub-solar-os.authentication.robot.username} = {
         description = "CI and automation user";
         home = "/home/${config.pub-solar-os.authentication.robot.username}";
         createHome = true;
@@ -68,11 +60,15 @@
         isSystemUser = true;
         openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
       };
+    };
 
-    users.groups.${config.pub-solar-os.authentication.robot.username} = { };
-
-    users.users.root.initialHashedPassword =
-      config.pub-solar-os.authentication.root.initialHashedPassword;
+    users.groups = (lib.attrsets.foldlAttrs
+      (acc: name: value: acc // { "${name}" = { }; })
+      { }
+      flake.self.logins.admins)
+    // {
+        ${config.pub-solar-os.authentication.robot.username} = { };
+      };
 
     security.sudo.wheelNeedsPassword = false;
   };