initial commit

hosts/common/users/primary/darwin.nix

@@ -0,0 +1,7 @@
+# User config applicable only to darwin
+{ config, ... }:
+{
+  users.users.${config.hostSpec.username} = {
+    home = "/Users/${config.hostSpec.username}";
+  };
+}

hosts/common/users/primary/default.nix

@@ -0,0 +1,68 @@
+# NOTE(starter): this is the primary user across all hosts. The username for primary is defined in hostSpec,
+# and is declared in `nix-config/common/core/default.nix`
+
+# User config applicable to both nixos and darwin
+{
+  inputs,
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  hostSpec = config.hostSpec;
+  pubKeys = lib.filesystem.listFilesRecursive ./keys;
+in
+{
+  users.users.${hostSpec.username} = {
+    name = hostSpec.username;
+    shell = pkgs.bash; # default shell
+
+    # These get placed into /etc/ssh/authorized_keys.d/<name> on nixos
+    openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+  };
+
+  # Create ssh sockets directory for controlpaths when homemanager not loaded (i.e. isMinimal)
+  systemd.tmpfiles.rules =
+    let
+      user = config.users.users.${hostSpec.username}.name;
+      group = config.users.users.${hostSpec.username}.group;
+    in
+    # you must set the rule for .ssh separately first, otherwise it will be automatically created as root:root and .ssh/sockects will fail
+    [
+      "d /home/${hostSpec.username}/.ssh 0750 ${user} ${group} -"
+      "d /home/${hostSpec.username}/.ssh/sockets 0750 ${user} ${group} -"
+    ];
+
+  # No matter what environment we are in we want these tools
+  programs.zsh.enable = true;
+  environment.systemPackages = [
+    pkgs.just
+    pkgs.rsync
+  ];
+}
+# Import the user's personal/home configurations, unless the environment is minimal
+// lib.optionalAttrs (inputs ? "home-manager") {
+  home-manager = {
+    extraSpecialArgs = {
+      inherit pkgs inputs;
+      hostSpec = config.hostSpec;
+    };
+    users.${hostSpec.username}.imports = lib.flatten (
+      lib.optional (!hostSpec.isMinimal) [
+        (
+          { config, ... }:
+          import (lib.custom.relativeToRoot "home/${hostSpec.username}/${hostSpec.hostName}.nix") {
+            inherit
+              pkgs
+              inputs
+              config
+              lib
+              hostSpec
+              ;
+          }
+        )
+      ]
+    );
+  };
+}

hosts/common/users/primary/keys/README.md

@@ -0,0 +1 @@
+Add your ssh public keys to this directory. E.g. id_foo.pub

hosts/common/users/primary/nixos.nix

@@ -0,0 +1,44 @@
+# User config applicable only to nixos
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  hostSpec = config.hostSpec;
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+in
+{
+  users.mutableUsers = false; # Only allow declarative credentials; Required for password to be set via sops during system activation!
+  users.users.${hostSpec.username} = {
+    home = "/home/${hostSpec.username}";
+    isNormalUser = true;
+    password = "password";
+
+    extraGroups = lib.flatten [
+      "wheel"
+      (ifTheyExist [
+        "audio"
+        "video"
+        "docker"
+        "git"
+        "networkmanager"
+        "scanner" # for print/scan"
+        "lp" # for print/scan"
+      ])
+    ];
+  };
+
+  # No matter what environment we are in we want these tools for root, and the user(s)
+  programs.git.enable = true;
+
+  # root's ssh key are mainly used for remote deployment, borg, and some other specific ops
+  users.users.root = {
+    shell = pkgs.bash;
+    hashedPasswordFile = config.users.users.${hostSpec.username}.hashedPasswordFile;
+    hashedPassword = config.users.users.${hostSpec.username}.hashedPassword; # This comes from hosts/common/optional/minimal.nix and gets overridden if sops is working
+    openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
+  };
+}
+