Olivier 2a911b057b Add navi deployment module and integrate SSH inventory for remote management
- Introduced a new `navi` module for managing deployments across multiple hosts.
- Enhanced SSH inventory management to support public key application for authorized hosts.
- Configured system deployment builder for seamless integration with Navi.
- Updated various host configurations to enable deployment capabilities and streamline SSH access.
2026-06-04 16:51:30 -03:00


# Shared user definitions for all hosts that import `nixosModules.users`.
# Module (not bare attrset) so catalog entries can use `config.*` for sops paths etc.
{ ... }: {
  # Exposed as a NixOS module function so each catalog entry can read `config.*`
  # (used below for the sops-nix secret path).
  flake.nixosModules.usersCatalogDefaults =
    { config, ... }:
    {
      config.chiasson.users.catalog = {
        # Interactive admin account, defined the same way on every host that
        # pulls in this catalog.
        olivier = {
          description = "Olivier";
          isNormalUser = true;

          # The hash comes from a sops-nix secret. The host has to declare
          # `sops.secrets."users/olivier/hashedPassword".neededForUsers = true`;
          # per the sops-nix README the resulting `.path` then lives under
          # /run/secrets-for-users/… .
          hashedPasswordFile = config.sops.secrets."users/olivier/hashedPassword".path;

          # NOTE(review): several of these groups carry privilege on their own,
          # independent of sudo policy — confirm each one is wanted on every
          # host class (laptops and servers alike) that imports this catalog.
          extraGroups = [
            "networkmanager"
            # Conventional sudo/admin group.
            "wheel"
            # Control of the Docker daemon is effectively root on the host.
            "docker"
            "fuse"
            "uinput"
            "kvm"
            # Needed so the brightnessctl/light udev rules let this user write
            # /sys/class/backlight/*/brightness without sudo. On machines with no
            # backlight (servers, desktop towers) the group owns no devices, so
            # membership is harmless there.
            "video"
            # gamescope / Steam on Wayland: DRI render nodes and input devices
            # without sudo.
            "render"
            # NOTE(review): `input` typically grants read access to the raw event
            # devices of every session on the machine, keyboards included.
            "input"
          ];

          homeManager.enable = true;
          homeManager.module =
            { ... }:
            {
              home = {
                username = "olivier";
                homeDirectory = "/home/olivier";
                stateVersion = "25.11";
              };
              programs.home-manager.enable = true;
            };

          # NOTE(review): what "all" means is decided by the chiasson.users
          # module, which is not shown here. Presumably every host in the SSH
          # inventory may log in as this `wheel` user, so a single compromised
          # host key would reach the whole fleet — confirm the scope is intended.
          ssh.inbound.enable = true;
          ssh.inbound.authorizedHosts = "all";
          ssh.outbound.rbw.enable = true;
          ssh.outbound.rbw.hosts = "all";
        };

        # Headless administrative account.
        # NOTE(review): this entry sets no `hashedPasswordFile`, yet the account
        # is in `wheel` and accepts inbound SSH from "all" — confirm how sudo
        # authenticates it (per-host password, or passwordless wheel).
        server = {
          description = "Server user";
          isNormalUser = true;
          extraGroups = [ "wheel" ];

          homeManager.enable = false;
          homeManager.module = null;

          ssh.inbound.enable = true;
          ssh.inbound.authorizedHosts = "all";
          # rbw stays disabled here; `hosts` is still set.
          ssh.outbound.rbw.enable = false;
          ssh.outbound.rbw.hosts = "all";
        };

        # Deploy account for Navi: no supplementary groups, no home directory,
        # no home-manager.
        # NOTE(review): the description promises "push + activate only", but
        # nothing in this entry enforces that limit; the restriction (sudo rules,
        # Nix trusted-users, a forced command, …) has to live in another module —
        # verify. `authorizedHosts` is left unset, so the option's default (not
        # visible here) decides which hosts may connect; confirm it is no wider
        # than the deploy controller.
        builder = {
          description = "Navi fleet deploy (push + activate only)";
          isNormalUser = true;
          createHome = false;
          extraGroups = [ ];

          homeManager.enable = false;
          homeManager.module = null;

          ssh = {
            inbound = {
              enable = true;
            };
          };
        };
      };
    };
}