2025-03-04 17:22:24 +01:00 · 2025-03-01 21:44:07 +01:00 · 2025-03-01 21:46:36 +01:00 · 2025-03-01 21:47:11 +01:00
4 changed files with 72 additions and 3 deletions
--- a/machines/bakunin/configuration.nix
+++ b/machines/bakunin/configuration.nix
@@ -8,12 +8,11 @@ in
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
      ../modules/xserver.nix
-      ../modules/malobeo_user.nix
      ../modules/sshd.nix
-      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
      inputs.self.nixosModules.malobeo.disko
      inputs.self.nixosModules.malobeo.initssh
+      inputs.self.nixosModules.malobeo.users
    ];

  malobeo.autoUpdate = {
@@ -38,6 +37,8 @@ in
    ethernetDrivers = ["r8169"];
  };

+  malobeo.users.malobeo = true;
+
  hardware.sane.enable = true; #scanner support

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -9,7 +9,6 @@ in
  imports =
    [ # Include the results of the hardware scan.
      #./hardware-configuration.nix
-      ../modules/malobeo_user.nix
      ../modules/sshd.nix
      ../modules/minimal_tools.nix
      ../modules/autoupdate.nix
@@ -18,6 +17,7 @@ in
      inputs.self.nixosModules.malobeo.disko
      inputs.self.nixosModules.malobeo.microvm
      inputs.self.nixosModules.malobeo.metrics
+      inputs.self.nixosModules.malobeo.users
    ];

    virtualisation.vmVariantWithDisko = {
@@ -50,6 +50,10 @@ in
    '';
  };

+  malobeo.users = {
+    malobeo = true;
+    admin = true;
+  };

  malobeo.disks = {
    enable = true;
--- a/machines/modules/malobeo/users.nix
+++ b/machines/modules/malobeo/users.nix
@@ -0,0 +1,63 @@
+{config, lib, pkgs, inputs, ...}:
+let 
+  cfg = config.malobeo.users;
+  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
+in
+{
+  options.malobeo.users = {
+    malobeo = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable malobeo user, defaults to on";
+    };
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "enable admin user, defaults to on to prevent lockouts";
+    };
+  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.malobeo {
+      users.users.malobeo = {
+        isNormalUser = true;
+        description = "malobeo user, password and ssh access, no root";
+        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
+        openssh.authorizedKeys.keys = sshKeys.admins;
+        hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
+      };
+      environment.systemPackages = with pkgs; [];
+    })
+    (lib.mkIf cfg.admin {
+      users.users.admin = {
+        isNormalUser = true;
+        description = "admin user, passwordless sudo access, only ssh";
+        hashedPassword = null;
+        extraGroups = [ "networkmanager" ];
+      };
+      environment.systemPackages = with pkgs; [];
+      nix.settings.trusted-users = [ "admin" ];
+      security.sudo.extraRules = [
+        {
+          users = [ "admin" ];
+          commands = [
+            {
+              command = "ALL";
+              options = [ "NOPASSWD" ];
+            }
+          ];
+        }
+      ];
+    })
+    {
+      users.mutableUsers = false;
+      environment.systemPackages = with pkgs; [
+        nix-output-monitor
+        vim
+        htop
+        wget
+        git
+        pciutils
+      ];
+    }
+  ];
+}
--- a/outputs.nix
+++ b/outputs.nix
@@ -115,6 +115,7 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
      initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
      metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
      disko.imports = [ ./machines/modules/disko ];
+      users.imports = [ ./machines/modules/malobeo/users.nix ];
    };

    hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (