diff --git a/machines/bakunin/configuration.nix b/machines/bakunin/configuration.nix
index 7b6421cd..5fc07341 100644
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -8,12 +8,11 @@ in [
 # Include the results of the hardware scan.
 #./hardware-configuration.nix
 ../modules/xserver.nix
- ../modules/malobeo_user.nix
 ../modules/sshd.nix
- ../modules/minimal_tools.nix
 ../modules/autoupdate.nix
 inputs.self.nixosModules.malobeo.disko
 inputs.self.nixosModules.malobeo.initssh
+ inputs.self.nixosModules.malobeo.users
 ];
 
 malobeo.autoUpdate = {
@@ -38,6 +37,8 @@ in
 ethernetDrivers = ["r8169"];
 };
 
+ malobeo.users.malobeo = true;
+
 hardware.sane.enable = true; #scanner support
 
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 075db24e..786ce20d 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -9,7 +9,6 @@ in
 imports = [
 # Include the results of the hardware scan.
 #./hardware-configuration.nix
- ../modules/malobeo_user.nix
 ../modules/sshd.nix
 ../modules/minimal_tools.nix
 ../modules/autoupdate.nix
@@ -18,6 +17,7 @@ in
 inputs.self.nixosModules.malobeo.disko
 inputs.self.nixosModules.malobeo.microvm
 inputs.self.nixosModules.malobeo.metrics
+ inputs.self.nixosModules.malobeo.users
 ];
 
 virtualisation.vmVariantWithDisko = {
@@ -50,6 +50,10 @@ in
 '';
 };
 
+ malobeo.users = {
+ malobeo = true;
+ admin = true;
+ };
 malobeo.disks = {
 enable = true;
 
diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
new file mode 100644
index 00000000..543cdd72
--- /dev/null
+++ b/machines/modules/malobeo/users.nix
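Review bot: bakunin's second hunk sets only `malobeo.users.malobeo = true;`, which is already the option default, while the admin account with passwordless sudo is created on that host implicitly through the `admin` default; fanny's last hunk spells out both flags. Making the privileged account explicit on bakunin too, `malobeo.users = { malobeo = true; admin = true; };`, keeps it visible in the machine's own configuration rather than in a module default. Bakunin also drops `../modules/minimal_tools.nix` from its imports while fanny keeps it alongside the new users module; the new module presumably carries the same tool list, but it is worth confirming nothing from minimal_tools.nix is lost on bakunin.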
@@ -0,0 +1,63 @@
+{config, lib, pkgs, inputs, ...}:
+let
+ cfg = config.malobeo.users;
+ sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+in
+{
+ options.malobeo.users = {
+ malobeo = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable malobeo user, defaults to on";
+ };
+ admin = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable admin user, defaults to on to prevent lockouts";
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.malobeo {
+ users.users.malobeo = {
+ isNormalUser = true;
+ description = "malobeo user, password and ssh access, no root";
+ extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+ openssh.authorizedKeys.keys = sshKeys.admins;
+ hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
+ };
+ environment.systemPackages = with pkgs; [];
+ })
+ (lib.mkIf cfg.admin {
+ users.users.admin = {
+ isNormalUser = true;
+ description = "admin user, passwordless sudo access, only ssh";
+ hashedPassword = null;
+ extraGroups = [ "networkmanager" ];
+ };
+ environment.systemPackages = with pkgs; [];
+ nix.settings.trusted-users = [ "admin" ];
+ security.sudo.extraRules = [
+ {
+ users = [ "admin" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ })
+ {
+ users.mutableUsers = false;
+ environment.systemPackages = with pkgs; [
+ nix-output-monitor
+ vim
+ htop
+ wget
+ git
+ pciutils
+ ];
+ }
+ ];
+}
\ No newline at end of file
diff --git a/outputs.nix b/outputs.nix
index 6da2c537..4f341e6c 100644
--- a/outputs.nix
+++ b/outputs.nix
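Review bot: The admin user in the `lib.mkIf cfg.admin` branch gets `hashedPassword = null` but no `openssh.authorizedKeys.keys`, so unless another module (sshd.nix or initssh, not visible here) grants it keys the account cannot log in at all, which defeats the "prevent lockouts" rationale in the option description; `sshKeys` is imported at the top but only attached to the malobeo user, so the likely fix is `openssh.authorizedKeys.keys = sshKeys.admins;` next to `hashedPassword = null;`. The malobeo user's yescrypt hash is now committed in a module shared by every host (the old `../modules/malobeo_user.nix` is dropped from imports but not deleted in this commit); pointing `hashedPasswordFile` at a secret kept outside the repository would keep the credential out of version control. With `users.mutableUsers = false` applied unconditionally, disabling both flags leaves a host with no declared non-root login user, so a comment on that line such as `# declarative users only: with both flags off no non-root login user remains` would be cheap insurance. The two `environment.systemPackages = with pkgs; [];` lines are no-ops and can go, and since the module is about users a one-line header comment naming why the shared tool list lives here too would make the intent explicit.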
@@ -115,6 +115,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
 metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
 disko.imports = [ ./machines/modules/disko ];
+ users.imports = [ ./machines/modules/malobeo/users.nix ];
 };
 
 hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (