80 lines
2.2 KiB
Nix
80 lines
2.2 KiB
Nix
# Shared user definitions for all hosts that import `nixosModules.users`.
|
|
# Module (not bare attrset) so catalog entries can use `config.*` for sops paths etc.
|
|
{ ... }: {
|
|
flake.nixosModules.usersCatalogDefaults =
|
|
{ config, ... }:
|
|
{
|
|
config.chiasson.users.catalog = {
|
|
olivier = {
|
|
isNormalUser = true;
|
|
description = "Olivier";
|
|
extraGroups = [
|
|
"networkmanager"
|
|
"wheel"
|
|
"docker"
|
|
"fuse"
|
|
"uinput"
|
|
"kvm"
|
|
# `video` is required for the brightnessctl/light udev rules to grant write access
|
|
# to /sys/class/backlight/*/brightness without sudo. Harmless on hosts without a
|
|
# backlight (servers, desktop towers): the group simply has no devices to own.
|
|
"video"
|
|
];
|
|
|
|
# Host must set `sops.secrets."users/olivier/hashedPassword".neededForUsers = true`.
|
|
# With that, `.path` is under /run/secrets-for-users/… (sops-nix README).
|
|
hashedPasswordFile = config.sops.secrets."users/olivier/hashedPassword".path;
|
|
|
|
homeManager = {
|
|
enable = true;
|
|
module =
|
|
{ ... }:
|
|
{
|
|
home.username = "olivier";
|
|
home.homeDirectory = "/home/olivier";
|
|
home.stateVersion = "25.11";
|
|
programs.home-manager.enable = true;
|
|
};
|
|
};
|
|
|
|
ssh = {
|
|
inbound = {
|
|
enable = true;
|
|
authorizedHosts = "all";
|
|
};
|
|
outbound = {
|
|
rbw = {
|
|
enable = true;
|
|
hosts = "all";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
server = {
|
|
isNormalUser = true;
|
|
description = "Server user";
|
|
extraGroups = [ "wheel" ];
|
|
|
|
homeManager = {
|
|
enable = false;
|
|
module = null;
|
|
};
|
|
|
|
ssh = {
|
|
inbound = {
|
|
enable = true;
|
|
authorizedHosts = "all";
|
|
};
|
|
outbound = {
|
|
rbw = {
|
|
enable = false;
|
|
hosts = "all";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|