panotaka/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Thomas Syms
2025-05-12 23:25:39 -03:00
parent bf178e3caa
commit dc6f6894e6
95 changed files with 3922 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
hosts/common/users/exampleSecondUser/default.nix Normal file
View File

@@ -0,0 +1,67 @@
# FIXME(starter): this is an example of how a secondary user called "exampleSecondUser" can be declared.
# NOTE that this file's parent directory matches the username!
# Modify the directory name and all instances of `exampleSecondUser` in this file to a real username to
# make use of this file. You'll also need to import this file in the relevant `nix-config/hosts/[platform]/[hostname]/default.nix`
# host file for the user to be created on the host.
# NOTE that this file also assumes you will be declaring the user's password via sops.
# .
# If you have no need for secondary users, simple delete this file and its parent directory, and ensure that
# your `nix-confitg/hosts/[platform]/[hostname]/default.nix` files do not import this file.
#
# Basic user for viewing exampleSecondUser
#
{
inputs,
lib,
pkgs,
config,
...
}:
let
hostSpec = config.hostSpec;
secretsSubPath = "passwords/exampleSecondUser";
in
{
# Decrypt passwords/exampleSecondUser to /run/secrets-for-users/ so it can be used to create the user
sops.secrets.${secretsSubPath}.neededForUsers = true;
users.mutableUsers = false; # Required for password to be set via sops during system activation!
users.users.exampleSecondUser = {
isNormalUser = true;
hashedPasswordFile = config.sops.secrets.${secretsSubPath}.path;
shell = pkgs.zsh; # default shell
extraGroups = [
"audio"
"video"
];
packages = [ pkgs.home-manager ];
};
}
# Import this user's personal/home configurations
// lib.optionalAttrs (inputs ? "home-manager") {
home-manager = {
extraSpecialArgs = {
inherit pkgs inputs;
hostSpec = config.hostSpec;
};
users.exampleSecondUser.imports = lib.flatten (
lib.optional (!hostSpec.isMinimal) [
(
{ config, ... }:
import (lib.custom.relativeToRoot "home/exampleSecondUser/${hostSpec.hostName}.nix") {
inherit
pkgs
inputs
config
lib
hostSpec
;
}
)
]
);
};
}

7
hosts/common/users/primary/darwin.nix Normal file
View File

@@ -0,0 +1,7 @@
# User config applicable only to darwin
{ config, ... }:
{
users.users.${config.hostSpec.username} = {
home = "/Users/${config.hostSpec.username}";
};
}

68
hosts/common/users/primary/default.nix Normal file
View File

@@ -0,0 +1,68 @@
# NOTE(starter): this is the primary user across all hosts. The username for primary is defined in hostSpec,
# and is declared in `nix-config/common/core/default.nix`
# User config applicable to both nixos and darwin
{
inputs,
pkgs,
config,
lib,
...
}:
let
hostSpec = config.hostSpec;
pubKeys = lib.filesystem.listFilesRecursive ./keys;
in
{
users.users.${hostSpec.username} = {
name = hostSpec.username;
shell = pkgs.bash; # default shell
# These get placed into /etc/ssh/authorized_keys.d/<name> on nixos
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
# Create ssh sockets directory for controlpaths when homemanager not loaded (i.e. isMinimal)
systemd.tmpfiles.rules =
let
user = config.users.users.${hostSpec.username}.name;
group = config.users.users.${hostSpec.username}.group;
in
# you must set the rule for .ssh separately first, otherwise it will be automatically created as root:root and .ssh/sockects will fail
[
"d /home/${hostSpec.username}/.ssh 0750 ${user} ${group} -"
"d /home/${hostSpec.username}/.ssh/sockets 0750 ${user} ${group} -"
];
# No matter what environment we are in we want these tools
programs.zsh.enable = true;
environment.systemPackages = [
pkgs.just
pkgs.rsync
];
}
# Import the user's personal/home configurations, unless the environment is minimal
// lib.optionalAttrs (inputs ? "home-manager") {
home-manager = {
extraSpecialArgs = {
inherit pkgs inputs;
hostSpec = config.hostSpec;
};
users.${hostSpec.username}.imports = lib.flatten (
lib.optional (!hostSpec.isMinimal) [
(
{ config, ... }:
import (lib.custom.relativeToRoot "home/${hostSpec.username}/${hostSpec.hostName}.nix") {
inherit
pkgs
inputs
config
lib
hostSpec
;
}
)
]
);
};
}

1
hosts/common/users/primary/keys/README.md Normal file
View File

@@ -0,0 +1 @@
Add your ssh public keys to this directory. E.g. id_foo.pub

44
hosts/common/users/primary/nixos.nix Normal file
View File

@@ -0,0 +1,44 @@
# User config applicable only to nixos
{
config,
lib,
pkgs,
...
}:
let
hostSpec = config.hostSpec;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in
{
users.mutableUsers = false; # Only allow declarative credentials; Required for password to be set via sops during system activation!
users.users.${hostSpec.username} = {
home = "/home/${hostSpec.username}";
isNormalUser = true;
password = "password";
extraGroups = lib.flatten [
"wheel"
(ifTheyExist [
"audio"
"video"
"docker"
"git"
"networkmanager"
"scanner" # for print/scan"
"lp" # for print/scan"
])
];
};
# No matter what environment we are in we want these tools for root, and the user(s)
programs.git.enable = true;
# root's ssh key are mainly used for remote deployment, borg, and some other specific ops
users.users.root = {
shell = pkgs.bash;
hashedPasswordFile = config.users.users.${hostSpec.username}.hashedPasswordFile;
hashedPassword = config.users.users.${hostSpec.username}.hashedPassword; # This comes from hosts/common/optional/minimal.nix and gets overridden if sops is working
openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
};
}