infrastructure/machines/modules/malobeo/users.nix
ahtlon 8b33a1c704
[user module] fix sops user password
2025-01-29 09:29:58 +01:00


# NixOS module declaring two optional accounts (`malobeo`, `admin`) plus a
# baseline that is always applied: declarative-only users and a small tool set.
{ config, lib, pkgs, inputs, ... }:
let
  userCfg = config.malobeo.users;

  # Attribute set of SSH public-key lists kept in the flake itself.
  authorizedKeySets = import (inputs.self + /machines/ssh_keys.nix);

  # Unprivileged interactive account: password login plus SSH, no sudo rule
  # is defined for it in this module.
  malobeoAccount = {
    sops.secrets.malobeoUserPassword = {
      sopsFile = ./secrets.yaml;
      # sops-nix decrypts secrets flagged this way before the users are
      # created, which is required for use as a hashedPasswordFile.
      neededForUsers = true;
    };

    users.users.malobeo = {
      isNormalUser = true;
      description = "malobeo user, password and ssh access, no root";
      extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
      # The `admins` key list is authorized for this account, so every admin
      # key holder can also log in as `malobeo`.
      openssh.authorizedKeys.keys = authorizedKeySets.admins;
      # Only the decrypted file path is referenced here; the hash itself is
      # not written into the Nix expression.
      hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path;
    };
  };

  # Administrative account: no password hash, unrestricted sudo.
  adminAccount = {
    users.users.admin = {
      isNormalUser = true;
      description = "admin user, passwordless sudo access, only ssh";
      hashedPassword = null;
      extraGroups = [ "networkmanager" ];
      # NOTE(review): no openssh.authorizedKeys are set for `admin` in this
      # module although the description says "only ssh" - confirm the keys
      # are supplied by another module or host configuration.
    };

    # NOPASSWD on ALL commands makes any session as `admin` root-equivalent
    # without re-authentication; access control for this account therefore
    # rests entirely on how logins to it are authenticated.
    security.sudo.extraRules = [
      {
        users = [ "admin" ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };

  # Applied regardless of which accounts are enabled.
  baseline = {
    # Accounts and passwords come only from the configuration; changes made
    # imperatively on the host do not persist.
    users.mutableUsers = false;

    environment.systemPackages = [
      pkgs.nix-output-monitor
      pkgs.vim
      pkgs.htop
      pkgs.wget
      pkgs.git
      pkgs.pciutils
    ];
  };
in
{
  options.malobeo.users = {
    malobeo = lib.mkEnableOption "enable malobeo user";
    admin = lib.mkEnableOption "enable admin user";
  };

  config = lib.mkMerge [
    (lib.mkIf userCfg.malobeo malobeoAccount)
    (lib.mkIf userCfg.admin adminAccount)
    baseline
  ];
}