From dfd8eb9c15915667f7dbc5073b1a13c63796dcc9 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Tue, 28 Jan 2025 11:58:38 +0100 Subject: [PATCH 1/7] Add malo user module --- machines/modules/malobeo/users.nix | 54 ++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 machines/modules/malobeo/users.nix
diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix new file mode 100644
index 00000000..f57f8c20
--- /dev/null
+++ b/machines/modules/malobeo/users.nix
@@ -0,0 +1,54 @@
+{config, lib, pkgs, ...}:
+let
+ cfg = config.malobeo.users;
+ sshKeys = import ../ssh_keys.nix;
+in
+{
+ options.malobeo.users = {
+ malobeo = lib.mkEnableOption "enable malobeo user";
+ admin = lib.mkEnableOption "enable admin user";
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.malobeo {
+
+ users.users.malobeo = {
+ isNormalUser = true;
+ description = "malobeo user, password via sops -d ";
+ extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+ openssh.authorizedKeys.keys = sshKeys.admins;
+ };
+ environment.systemPackages = with pkgs; [];
+ })
+ (lib.mkIf cfg.admin {
+ users.user.admin = {
+ isNormalUser = true;
+ description = "admin user, passwordless sudo access, only ssh";
+ hashedPassword = null;
+ extraGroups = [ "networkmanager" ];
+ };
+ environment.systemPackages = with pkgs; [];
+ security.sudo.extraRules = [
+ {
+ users = [ "admin" ];
+ commands = [
+ {
+ command = "ALL";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+ })
+ {
+ users.mutableUsers = false;
+ environment.systemPackages = with pkgs; [
+ nix-output-monitor
+ vim
+ htop
+ wget
+ git
+ pciutils
+ ];
+ }
+ ];
+}
\ No newline at end of file
From fdb9980176c0acd74327e809b295152a04a290c2 Mon Sep 17 00:00:00 2001
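Review bot: The `admin` account in the `cfg.admin` branch gets `command = "ALL"` with `NOPASSWD` but no credential of any kind: `hashedPassword = null` and no `openssh.authorizedKeys.keys`, so the "only ssh" in its description is not backed by a key list, and because `users.mutableUsers = false` sits in the unconditional branch nothing can be added on the host afterwards. A NOPASSWD-ALL rule is root-equivalent, so the credential should be declared next to the privilege, e.g. `openssh.authorizedKeys.keys = sshKeys.admins;` inside `users.users.admin`, with the rule documented as such: `# root-equivalent: every key in sshKeys.admins can become root without a password`. Also `users.user.admin` is not the `users.users` option tree, so this branch will fail to evaluate as soon as `cfg.admin` is set.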
From: ahtlon Date: Tue, 28 Jan 2025 12:04:40 +0100 Subject: [PATCH 2/7] add malo user password --- machines/.sops.yaml | 7 ++++ machines/modules/malobeo/secrets.yaml | 59 +++++++++++++++++++++++++++ machines/modules/malobeo/users.nix | 5 ++- 3 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 machines/modules/malobeo/secrets.yaml
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 560284a4..127d5186 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -100,3 +100,10 @@ creation_rules: - *admin_kalipso_dsktp age: - *admin_atlan
+ - path_regex: modules/malobeo/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ age:
+ - *admin_atlan
diff --git a/machines/modules/malobeo/secrets.yaml b/machines/modules/malobeo/secrets.yaml new file mode 100644
index 00000000..3bd0982b
--- /dev/null
+++ b/machines/modules/malobeo/secrets.yaml
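Review bot: The new creation rule for `modules/malobeo/secrets.yaml` names only administrator recipients (`*admin_kalipso`, `*admin_kalipso_dsktp`, `*admin_atlan`), but sops-nix decrypts on the target host with that host's own age key at activation, so unless one of these anchors is in fact a host key (they are defined above the hunk and not visible here) no machine that enables `malobeo.users.malobeo` will be able to decrypt `malobeoUserPassword`, and the failure surfaces as a broken activation rather than a login error. Add the hosts' age anchors to the `age:` list of this rule and re-run `sops updatekeys` on the file so the data key is re-wrapped for them.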
@@ -0,0 +1,59 @@ +malobeoUserPassword: ENC[AES256_GCM,data:/w9Q89njBL5eL8RU6IhOxegJqtvBmx/R2+b7+asop98PN4SZn3r53lagM/3UiNnbde/Mh1/3T3OtddNFTh+v64NNzMdKE65T/A==,iv:8o97dDxA6GHkFN0uAfbdG0DnatoiP3ytEGLTHOOZe0w=,tag:Jl2EPOooYdnSfyfOr9Pn2g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b2lTY1hhTUwxalZ6bHJJ + aUpUelB6K0hweW8rWXJzaTVKWC94Q0E4c2hRCnBaM3hwTkxwWGZjUCtycTR0aFJr + QXZPVkNjK2dIOWpHYUhxd2x6cW9MMTgKLS0tIEh4N2d5TEZuK2RRMklxRGNlOTFP + ZCtqbzVZYnB4WTh1RUt4V0FPYzRualUKh3lyO+Ow2698jZ05PZjeKK5CnuUnIAJ2 + IdBRJNhalleoJPdQnsq/Yj3aewXtIYDdXKnhN4QdEfbQnrIrm1B7FQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-28T11:04:06Z" + mac: ENC[AES256_GCM,data:ZfWuWafknBtaLPjpujLfFjh4oRIk6Bq521NnI1woEamV1MZ53AbmGqZRroW4mAz2uI1KA3RSX7CLvFjJRzQiCBA/OblD89xGNEsQdRvsMCfkEGN85TgV5RVZ+Iqi/VoSXQUc4WcUZenBtgua8p84Ujikr/XT08dEB8hNVAOsSaw=,iv:fVX8LyxT3QkogpF/zRUY0LWzemp6ugrlK2eTag8jtWk=,tag:9kIXxg2hI1+D4XXx/ZPILw==,type:str] + pgp: + - created_at: "2025-01-28T11:02:47Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQv+JmOlIv1eupyfTV+T0jpZ0Ux49fjTP8xo/6aBNrukFFej + 1JNX7Y57c5jUPUIWYX/obbhrT0yOj5w7yiA2lOO4ZUoHswDs70F7kuEXfdlEiL+Y + R2Zl5aAL+1Q0ydmjEG/P11H/ts0csHJTFwf6bR463Kv8yn8wjrpZKWcBTWoKzxbQ + LfEiDZ5F4FAjRJFgJRioWdUWCnMTaWWM6hQRathbVIi0DgddjzDma7I1l8qdsEEX + rh5y+SQSfajIPn1MxstY3Y8kkYb/LUOXIGGDxJV5UOuem8z2O0wiHsuRGtNAmQVJ + O0XjRALgoXbLFZYvej5xkDBvkr13JsJsa7P9IrVChF72ktFhWjPd5ALM63L3Rj// + voFD3JXmwOZsgsy+0wgfWwYb89xKcrLSrNkZKXFfLM1fUGx3huOw3YYqH35IccHe + KVPB0w5NkFRjq0Ubs9M/FpdspZPZmUgz6Y3hNUdSPsmd8+KWdDqFX0Nijv4dW/5k + 1lMNcr6K/bHY9mWpqhsF0lgBfV1uX9Gw+rPVxpfbAmrqScw4XOnsYRhr39Ew2jyr + FY+EDPYj84AlfKCRr21lDOYsEYlxvRRL94LuzaJ5ZPsvc4fSRlLfA6CaTnyMO/Uh + 0UaAUmo9gj8D + =oYMG + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: 
"2025-01-28T11:02:47Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ/+O8kqGBbX22K56L7/TRjZIFsvPKNO89QADDuL8R9cYYug + iKvtCp1rjSkRZZOxEqdLltqlub7Qvm/FmOTTV/Ha97FyLu908ci9FhZhYSIu95PO + VVBKRqEvcjtYj7HV/WbHUPc0KNq3EJ2XmJPAbNel0vbLv5Y5RMCiPK7ZtP5owIX+ + Vq5wxu92MUyQOcryqzVnP5Ly7hWjlQEVg88zHtOvzMBf2OtVh10f5xF6nNpxfmXO + ni0UvlzzatLmGX1t9CDchVvRkgvlALZAgwDnFqc3L3HbKlATgaH8Ilr5rEmjt3v1 + wWSQWewoEH3BtMgNTvXcVZu4mji9wYTNR2MfrL7eIqkhQzxCgL+vIh9wpNXYN+jO + ghnQKUoGFpM0AnT8OXGODDfOqQd2nkUuySUP+n+N8LnEN021ve5500t4uAjZnASe + kVrNXK+9XUEIDNaWnO9ykRRvB4y41yqf5Pu5FfMtHg5s53ypqox3rSqQMPhwFtVz + HLSQ5iyv2v66RoXUX9Esk+QcTQuDRQpZFzM7v4tyU+IeT7rOe7dC0YEOYRetKApQ + bru47ZS4nPFfaCdOnMr5tmTMwv/dzMDQHeRkxqEKPTyYx56nHjrMRE13PjYUvSbT + aQVoAspsYXhxQ6eDVzGbBlbA1KXS7fbl9Ji0aVWXVS2otdL0hPRd6Nh0Cy0RuLnS + WAF5hbffH9AgRLC8HlAFAsYvf42JSjwpLdeFnGYka8dWZX0ItxLFEOJ1IAyilFy6 + mkBFyUYLRwlbExJNEH+WFlbMSDWzZ6eXmuPzUBvhwOC/8AxKvhk8je4= + =x1tN + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix index f57f8c20..484ed717 100644 --- a/machines/modules/malobeo/users.nix +++ b/machines/modules/malobeo/users.nix @@ -10,12 +10,13 @@ in }; config = lib.mkMerge [ (lib.mkIf cfg.malobeo { - + sops.secrets.malobeoUserPassword.neededForUsers = true; users.users.malobeo = { isNormalUser = true; - description = "malobeo user, password via sops -d "; + description = "malobeo user, password and ssh access, no root"; extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ]; openssh.authorizedKeys.keys = sshKeys.admins; + hashedPassword = config.sops.secrets.malobeoUserPassword.path; }; environment.systemPackages = with pkgs; []; }) From eb61088dc9a8f658b7db323bff09c99b56f597f1 Mon Sep 17 00:00:00 2001 
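Review bot: `hashedPassword = config.sops.secrets.malobeoUserPassword.path;` uses the path string itself as the crypt hash, not the contents of the file, so password login for `malobeo` can never succeed; the option that reads a hash from a file is `hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path;`. The secret declaration also omits `sopsFile`, so sops-nix will look for `malobeoUserPassword` in the host's `sops.defaultSopsFile` rather than in the `modules/malobeo/secrets.yaml` this commit adds; declare it as `sops.secrets.malobeoUserPassword = { sopsFile = ./secrets.yaml; neededForUsers = true; };`. The new description "password and ssh access, no root" is only accurate once the hash is actually read.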
From: ahtlon Date: Tue, 28 Jan 2025 12:39:05 +0100 Subject: [PATCH 3/7] [user module] actually call the module and fix some issues --- machines/bakunin/configuration.nix | 5 +++-- machines/modules/malobeo/users.nix | 6 +++--- outputs.nix | 1 + 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/machines/bakunin/configuration.nix b/machines/bakunin/configuration.nix
index 7b6421cd..5fc07341 100644
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -8,12 +8,11 @@ in [ # Include the results of the hardware scan. #./hardware-configuration.nix ../modules/xserver.nix
- ../modules/malobeo_user.nix ../modules/sshd.nix
- ../modules/minimal_tools.nix ../modules/autoupdate.nix inputs.self.nixosModules.malobeo.disko inputs.self.nixosModules.malobeo.initssh
+ inputs.self.nixosModules.malobeo.users ]; malobeo.autoUpdate = {
@@ -38,6 +37,8 @@ in ethernetDrivers = ["r8169"]; };
+ malobeo.users.malobeo = true;
+ hardware.sane.enable = true; #scanner support nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
index 484ed717..e216c034 100644
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -1,7 +1,7 @@
-{config, lib, pkgs, ...}:
+{config, lib, pkgs, inputs, ...}: let cfg = config.malobeo.users;
- sshKeys = import ../ssh_keys.nix;
+ sshKeys = import ( inputs.self + /machines/ssh_keys.nix); in { options.malobeo.users = {
@@ -21,7 +21,7 @@ in environment.systemPackages = with pkgs; []; }) (lib.mkIf cfg.admin {
- users.user.admin = {
+ users.users.admin = { isNormalUser = true; description = "admin user, passwordless sudo access, only ssh"; hashedPassword = null;
diff --git a/outputs.nix b/outputs.nix
index c8dac173..62c922f4 100644
--- a/outputs.nix
+++ b/outputs.nix
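Review bot: Importing `ssh_keys.nix` through `inputs.self` makes this module depend on `inputs` being handed to every host via `specialArgs`; the host configurations in this series already reference `inputs.self.nixosModules`, so it is probably available, but the change was presumably made because `../ssh_keys.nix` resolved to `machines/modules/ssh_keys.nix`, and the plain relative form `sshKeys = import ../../ssh_keys.nix;` reaches `machines/ssh_keys.nix` without the extra module argument. The `users.user.admin` → `users.users.admin` fix confirms that the admin branch never evaluated before; that branch still gives `admin` neither a password nor an `openssh.authorizedKeys.keys` list, which this hunk leaves untouched.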
@@ -113,6 +113,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems initssh.imports = [ ./machines/modules/malobeo/initssh.nix ]; metrics.imports = [ ./machines/modules/malobeo/metrics.nix ]; disko.imports = [ ./machines/modules/disko ];
+ users.imports = [ ./machines/modules/malobeo/users.nix ]; }; hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
From 8b33a1c70473addc8f74c954f9bfea49b2a19f72 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Wed, 29 Jan 2025 09:29:58 +0100 Subject: [PATCH 4/7] [user module] fix sops user password --- machines/modules/malobeo/users.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
index e216c034..6dc8c63d 100644
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -10,13 +10,16 @@ in }; config = lib.mkMerge [ (lib.mkIf cfg.malobeo {
- sops.secrets.malobeoUserPassword.neededForUsers = true;
+ sops.secrets.malobeoUserPassword = {
+ sopsFile = ./secrets.yaml;
+ neededForUsers = true;
+ }; users.users.malobeo = { isNormalUser = true; description = "malobeo user, password and ssh access, no root"; extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ]; openssh.authorizedKeys.keys = sshKeys.admins;
- hashedPassword = config.sops.secrets.malobeoUserPassword.path;
+ hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path; }; environment.systemPackages = with pkgs; []; })
From 505354078b42805cc129af8549babb8eb11dd9a2 Mon Sep 17 00:00:00 2001 From: ahtlon Date: Tue, 18 Feb 2025 10:29:27 +0100 Subject: [PATCH 5/7] [users] enable malo user module for fanny --- machines/fanny/configuration.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 748396ee..a79e0f13 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
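Review bot: `hashedPasswordFile` expects the referenced file to contain a crypt(3) hash, but the secret is named `malobeoUserPassword` and the user description speaks of "password ... via sops", which invites the next editor to store the cleartext and silently break login with no error from NixOS. Say so where the secret is declared, e.g. `# value must be a crypt(3) hash (mkpasswd -m yescrypt), never the cleartext password`, or rename the key to `malobeoUserHashedPassword` in both the module and `secrets.yaml`. `neededForUsers = true` looks right, since sops-nix has to decrypt this before the user is created, but it still only works if the host's age key is a recipient of `secrets.yaml`, which the `.sops.yaml` rule earlier in this series does not appear to guarantee.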
@@ -9,7 +9,6 @@ in imports = [ # Include the results of the hardware scan. #./hardware-configuration.nix
- ../modules/malobeo_user.nix ../modules/sshd.nix ../modules/minimal_tools.nix ../modules/autoupdate.nix
@@ -18,6 +17,7 @@ in inputs.self.nixosModules.malobeo.disko inputs.self.nixosModules.malobeo.microvm inputs.self.nixosModules.malobeo.metrics
+ inputs.self.nixosModules.malobeo.users ]; malobeo.metrics = {
@@ -43,6 +43,10 @@ in ''; };
+ malobeo.users = {
+ malobeo = true;
+ admin = true;
+ }; malobeo.disks = { enable = true;
From ff2ccd5fb4e70bc5158423a6d7b4008a2c79b67b Mon Sep 17 00:00:00 2001 From: ahtlon Date: Sat, 1 Mar 2025 21:11:50 +0100 Subject: [PATCH 6/7] [user module] use hashed password without sops (for now) --- machines/.sops.yaml | 9 +--- machines/modules/malobeo/secrets.yaml | 59 --------------------------- machines/modules/malobeo/users.nix | 6 +-- 3 files changed, 2 insertions(+), 72 deletions(-) delete mode 100644 machines/modules/malobeo/secrets.yaml
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 127d5186..5a9f52cf 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -99,11 +99,4 @@ creation_rules: - *admin_kalipso - *admin_kalipso_dsktp age: - - *admin_atlan - - path_regex: modules/malobeo/secrets.yaml$ - key_groups: - - pgp: - - *admin_kalipso - - *admin_kalipso_dsktp - age: - - *admin_atlan + - *admin_atlan
\ No newline at end of file
diff --git a/machines/modules/malobeo/secrets.yaml b/machines/modules/malobeo/secrets.yaml deleted file mode 100644
index 3bd0982b..00000000
--- a/machines/modules/malobeo/secrets.yaml
+++ /dev/null
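Review bot: `admin = true;` enables an account that, as defined in `modules/malobeo/users.nix` outside this hunk, carries passwordless `ALL` sudo but has neither a password nor `openssh.authorizedKeys.keys`, so on fanny this creates a dormant root-equivalent principal rather than a way in, and with `users.mutableUsers = false` no key can be added on the host later. Land the key wiring in the module first, or keep this `admin = false;` until it exists. fanny also keeps `../modules/minimal_tools.nix` while the users module now installs its own tool list unconditionally, which is redundant but harmless.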
@@ -1,59 +0,0 @@ -malobeoUserPassword: ENC[AES256_GCM,data:/w9Q89njBL5eL8RU6IhOxegJqtvBmx/R2+b7+asop98PN4SZn3r53lagM/3UiNnbde/Mh1/3T3OtddNFTh+v64NNzMdKE65T/A==,iv:8o97dDxA6GHkFN0uAfbdG0DnatoiP3ytEGLTHOOZe0w=,tag:Jl2EPOooYdnSfyfOr9Pn2g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b2lTY1hhTUwxalZ6bHJJ - aUpUelB6K0hweW8rWXJzaTVKWC94Q0E4c2hRCnBaM3hwTkxwWGZjUCtycTR0aFJr - QXZPVkNjK2dIOWpHYUhxd2x6cW9MMTgKLS0tIEh4N2d5TEZuK2RRMklxRGNlOTFP - ZCtqbzVZYnB4WTh1RUt4V0FPYzRualUKh3lyO+Ow2698jZ05PZjeKK5CnuUnIAJ2 - IdBRJNhalleoJPdQnsq/Yj3aewXtIYDdXKnhN4QdEfbQnrIrm1B7FQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-28T11:04:06Z" - mac: ENC[AES256_GCM,data:ZfWuWafknBtaLPjpujLfFjh4oRIk6Bq521NnI1woEamV1MZ53AbmGqZRroW4mAz2uI1KA3RSX7CLvFjJRzQiCBA/OblD89xGNEsQdRvsMCfkEGN85TgV5RVZ+Iqi/VoSXQUc4WcUZenBtgua8p84Ujikr/XT08dEB8hNVAOsSaw=,iv:fVX8LyxT3QkogpF/zRUY0LWzemp6ugrlK2eTag8jtWk=,tag:9kIXxg2hI1+D4XXx/ZPILw==,type:str] - pgp: - - created_at: "2025-01-28T11:02:47Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQGMA5HdvEwzh/H7AQv+JmOlIv1eupyfTV+T0jpZ0Ux49fjTP8xo/6aBNrukFFej - 1JNX7Y57c5jUPUIWYX/obbhrT0yOj5w7yiA2lOO4ZUoHswDs70F7kuEXfdlEiL+Y - R2Zl5aAL+1Q0ydmjEG/P11H/ts0csHJTFwf6bR463Kv8yn8wjrpZKWcBTWoKzxbQ - LfEiDZ5F4FAjRJFgJRioWdUWCnMTaWWM6hQRathbVIi0DgddjzDma7I1l8qdsEEX - rh5y+SQSfajIPn1MxstY3Y8kkYb/LUOXIGGDxJV5UOuem8z2O0wiHsuRGtNAmQVJ - O0XjRALgoXbLFZYvej5xkDBvkr13JsJsa7P9IrVChF72ktFhWjPd5ALM63L3Rj// - voFD3JXmwOZsgsy+0wgfWwYb89xKcrLSrNkZKXFfLM1fUGx3huOw3YYqH35IccHe - KVPB0w5NkFRjq0Ubs9M/FpdspZPZmUgz6Y3hNUdSPsmd8+KWdDqFX0Nijv4dW/5k - 1lMNcr6K/bHY9mWpqhsF0lgBfV1uX9Gw+rPVxpfbAmrqScw4XOnsYRhr39Ew2jyr - FY+EDPYj84AlfKCRr21lDOYsEYlxvRRL94LuzaJ5ZPsvc4fSRlLfA6CaTnyMO/Uh - 0UaAUmo9gj8D - =oYMG - -----END PGP MESSAGE----- - fp: c4639370c41133a738f643a591ddbc4c3387f1fb - - created_at: 
"2025-01-28T11:02:47Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA98TrrsQEbXUAQ/+O8kqGBbX22K56L7/TRjZIFsvPKNO89QADDuL8R9cYYug - iKvtCp1rjSkRZZOxEqdLltqlub7Qvm/FmOTTV/Ha97FyLu908ci9FhZhYSIu95PO - VVBKRqEvcjtYj7HV/WbHUPc0KNq3EJ2XmJPAbNel0vbLv5Y5RMCiPK7ZtP5owIX+ - Vq5wxu92MUyQOcryqzVnP5Ly7hWjlQEVg88zHtOvzMBf2OtVh10f5xF6nNpxfmXO - ni0UvlzzatLmGX1t9CDchVvRkgvlALZAgwDnFqc3L3HbKlATgaH8Ilr5rEmjt3v1 - wWSQWewoEH3BtMgNTvXcVZu4mji9wYTNR2MfrL7eIqkhQzxCgL+vIh9wpNXYN+jO - ghnQKUoGFpM0AnT8OXGODDfOqQd2nkUuySUP+n+N8LnEN021ve5500t4uAjZnASe - kVrNXK+9XUEIDNaWnO9ykRRvB4y41yqf5Pu5FfMtHg5s53ypqox3rSqQMPhwFtVz - HLSQ5iyv2v66RoXUX9Esk+QcTQuDRQpZFzM7v4tyU+IeT7rOe7dC0YEOYRetKApQ - bru47ZS4nPFfaCdOnMr5tmTMwv/dzMDQHeRkxqEKPTyYx56nHjrMRE13PjYUvSbT - aQVoAspsYXhxQ6eDVzGbBlbA1KXS7fbl9Ji0aVWXVS2otdL0hPRd6Nh0Cy0RuLnS - WAF5hbffH9AgRLC8HlAFAsYvf42JSjwpLdeFnGYka8dWZX0ItxLFEOJ1IAyilFy6 - mkBFyUYLRwlbExJNEH+WFlbMSDWzZ6eXmuPzUBvhwOC/8AxKvhk8je4= - =x1tN - -----END PGP MESSAGE----- - fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 - unencrypted_suffix: _unencrypted - version: 3.9.2 diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix index 6dc8c63d..3982f286 100644 --- a/machines/modules/malobeo/users.nix +++ b/machines/modules/malobeo/users.nix @@ -10,16 +10,12 @@ in }; config = lib.mkMerge [ (lib.mkIf cfg.malobeo { - sops.secrets.malobeoUserPassword = { - sopsFile = ./secrets.yaml; - neededForUsers = true; - }; users.users.malobeo = { isNormalUser = true; description = "malobeo user, password and ssh access, no root"; extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ]; openssh.authorizedKeys.keys = sshKeys.admins; - hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path; + hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1"; }; environment.systemPackages = with pkgs; []; }) From e2fac827bdab70bc4eee40fc54469645b4d64620 Mon Sep 17 00:00:00 2001 
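Review bot: `hashedPassword = "$y$j9T$…"` commits the `malobeo` password hash to git and, because `users.users.*.hashedPassword` is evaluated into the system closure, copies it into the world-readable Nix store of every host that builds this configuration; anyone with read access to the repository or a shell on any such host gets an offline guessing target, and the `j9T` prefix looks like libxcrypt's default yescrypt cost, which slows that down but does not prevent it. The commit says "for now", but git history keeps the hash after the line is removed, so the password should be rotated once it is back behind `hashedPasswordFile`. Prefer fixing the sops decryption problem this works around (the recipient list of the deleted `.sops.yaml` rule is the usual cause) over shipping the hash; if an interim is unavoidable, a hash file provisioned out of band and referenced via `hashedPasswordFile` avoids the store copy. The description "password and ssh access, no root" also now understates that this one credential is shared by every host that enables `malobeo.users.malobeo`.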
From: ahtlon Date: Sat, 1 Mar 2025 21:31:14 +0100 Subject: [PATCH 7/7] [user module] default enable users to prevent lockouts also, add admin to trusted users --- machines/modules/malobeo/users.nix | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/machines/modules/malobeo/users.nix b/machines/modules/malobeo/users.nix
index 3982f286..543cdd72 100644
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -5,8 +5,16 @@ let in { options.malobeo.users = {
- malobeo = lib.mkEnableOption "enable malobeo user";
- admin = lib.mkEnableOption "enable admin user";
+ malobeo = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable malobeo user, defaults to on";
+ };
+ admin = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable admin user, defaults to on to prevent lockouts";
+ }; + }; config = lib.mkMerge [ (lib.mkIf cfg.malobeo {
@@ -27,6 +35,7 @@ in extraGroups = [ "networkmanager" ]; }; environment.systemPackages = with pkgs; [];
+ nix.settings.trusted-users = [ "admin" ]; security.sudo.extraRules = [ { users = [ "admin" ];
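Review bot: Defaulting `admin` to `true` means every host that imports `malobeo.users` silently receives an account with passwordless `ALL` sudo (and, from the second hunk, `trusted-users`), which turns a root-equivalent principal into opt-out; it also does not prevent the lockout the description cites, because the admin user defined lower in this file still has `hashedPassword = null` and no `openssh.authorizedKeys.keys`, so there is nothing to log in with. Keep both options opt-in (`lib.mkEnableOption`) and cure the lockout by giving `admin` a key list, or at least make the consequence visible in the option text, e.g. `description = "enable admin user (passwordless sudo, root-equivalent); on by default, set false on hosts that must not have it";` so hosts know to set `malobeo.users.admin = false;`.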
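Review bot: `nix.settings.trusted-users = [ "admin" ];` deserves a comment, because trusted-users is itself root-equivalent (Nix lets a trusted user override daemon settings such as substituters and sandbox paths) and readers tend to assume it is a lesser privilege than the sudo rule that follows it. Suggest `# root-equivalent: trusted-users may override nix-daemon settings; kept alongside the NOPASSWD sudo rule below on purpose` and keep the two lists in sync if another account is ever added. The `security.sudo.extraRules` list this hunk starts continues past the end of the hunk.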