TODO: finish setting up core user settings

2026-01-11 17:54:08 -05:00 · 2025-06-07 09:03:05 -04:00 · 2025-06-07 09:03:05 -04:00 · 27af396b1f
commit 27af396b1f
parent 60b08d8dc4
3 changed files with 111 additions and 0 deletions
--- a/hosts/common/users/primary/nixos.nix
+++ b/hosts/common/users/primary/nixos.nix
@ -0,0 +1,46 @@
+# User config applicable only to nixos
+{
+  inputs,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  hostSpec = config.hostSpec;
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+
+  # Decrypt password to /run/secrets-for-users/ so it can be used to create the user
+  sopsHashedPasswordFile = lib.optionalString (!config.hostSpec.isMinimal) config.sops.secrets."passwords/${hostSpec.username}".path;
+in {
+  users.mutableUsers = false; # Only allow declarative credentials; Required for password to be set via sops during system activation!
+  users.users.${hostSpec.username} = {
+    home = "/home/${hostSpec.username}";
+    isNormalUser = true;
+    hashedPasswordFile = sopsHashedPasswordFile; # Blank if sops is not working.
+
+    extraGroups = lib.flatten [
+      "wheel"
+      (ifTheyExist [
+        "audio"
+        "video"
+        "docker"
+        "podman"
+        "dialout"
+        "git"
+        "networkmanager"
+        "scanner" # for print/scan"
+        "lp" # for print/scan"
+      ])
+    ];
+  };
+
+  # No matter what environment we are in we want these tools for root, and the user(s)
+  programs.git.enable = true;
+
+  users.users.root = {
+    shell = pkgs.zsh;
+    hashedPasswordFile = config.users.users.${hostSpec.username}.hashedPasswordFile;
+    hashedPassword = config.users.users.${hostSpec.username}.hashedPassword; # This comes from hosts/common/optional/minimal.nix and gets overridden if sops is working
+    openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
+  };
+}