

{ config, pkgs, lib, ... }:
# installer docs:
# Users are exactly these specified here;
# old ones will be deleted (from /etc/passwd, etc) upon upgrade.
# Security consequence: the account database is fully declarative, so runtime
# changes (useradd, passwd) do not survive the next activation and every
# credential must come from the declared options (e.g. initialPassword /
# hashedPassword on each user). Any account not declared in this config is
# removed, which is desirable for a single-owner machine but worth remembering
# when a service expects to create its own user at runtime.
users.mutableUsers = false;
# docs:
# The single interactive account on every host built from this config.
users.users.colin = {
# isNormalUser is documented to imply group = "users", createHome = true and
# isSystemUser = false; the explicit `group` below is therefore redundant but harmless.
isNormalUser = true;
home = "/home/colin";
# pinned uid so that file ownership on disk matches across reinstalls/upgrades
# (see the assertions at the bottom of this file, which reject any auto-allocated id)
uid = config.colinsane.allocations.colin-uid;
# i don't get exactly what this is, but nixos defaults to this non-deterministically
# in /var/lib/nixos/auto-subuid-map and i don't want that.
# NOTE(review): subordinate uids are what user namespaces (rootless podman/docker,
# unprivileged LXC) map container users onto. A range of 1 is enough to pin the
# allocation deterministically, but far too small if rootless containers are ever
# used from this account (runtimes typically expect ~65536). No subGidRanges is
# pinned here; if the pinned nixpkgs defaults autoSubUidGidRange to true for normal
# users, the assertion at the bottom of this file will fail unless it is set false
# explicitly — confirm against the pinned nixpkgs revision.
subUidRanges = [
{ startUid=100000; count=1; }
group = "users";
# Supplementary groups. Membership here is security-relevant: anything granted
# to a group (device nodes via udev, sudo via `wheel`) is granted to this account.
extraGroups = [
# phosh/mobile. XXX colin: unsure if necessary
"dialout" # required for modem access
# NOTE(review): with users.mutableUsers = false (above) the NixOS option docs
# describe initialPassword as equivalent to `password`, so unless a host-specific
# module overrides this mkDefault the account ends up with an EMPTY password.
# ssh is key-only (services.openssh below), but the local console / greeter and
# any other PAM password prompt (screen locker, su, polkit) would accept an empty
# password. Confirm this is intended per host, or set hashedPassword / passwordFile
# in the host module so the empty default never reaches a deployed machine.
initialPassword = lib.mkDefault "";
# login shell; the interactive bash alternative is kept for quick switching
shell = pkgs.zsh;
# shell = pkgs.bashInteractive;
# XXX colin: create ssh key for THIS user by logging in and running:
# ssh-keygen -t ed25519
# Every key listed here can log in as colin on every host built from this file.
# Because security.sudo.wheelNeedsPassword is false below, a key here is
# effectively a root key on any host where colin is in `wheel` (the extraGroups
# list is not fully visible in this view) — rotate/remove a key as soon as the
# corresponding device is lost or retired.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpmFdNSVPRol5hkbbCivRhyeENzb9HVyf9KutGLP2Zu colin@lappy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPU5GlsSfbaarMvDA20bxpSZGWviEzXGD8gtrIowc1pX colin@desko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX colin@servo"
# moby doesn't need to login to any other devices yet
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU colin@moby"
# sudo for members of `wheel`, with no password prompt.
# Security note: this makes every wheel member equivalent to root. Any process
# running as such a user (a compromised browser, a malicious script) can escalate
# without a prompt, and any ssh key accepted for that user is in effect a root key.
# Presumably chosen because colin's password may be empty (initialPassword above),
# in which case a prompt would add little — but then the real control is the
# ssh key list plus physical access, and both should be treated as root credentials.
security.sudo = {
enable = true;
wheelNeedsPassword = false;
# ssh daemon hardening.
# NOTE(review): `permitRootLogin` / `passwordAuthentication` are the pre-23.05
# option names; newer NixOS releases expect services.openssh.settings.PermitRootLogin
# and settings.PasswordAuthentication — confirm against the pinned nixpkgs revision.
services.openssh = {
enable = true;
# refuse direct root logins; privilege escalation goes through sudo (security.sudo above)
permitRootLogin = "no";
# key-only logins for the keys listed under users.users.colin.
# NOTE(review): this alone does not close the keyboard-interactive (PAM) path, which
# on NixOS of this era is still enabled by default and can prompt for the account
# password over ssh; consider also `kbdInteractiveAuthentication = false;`
# (`challengeResponseAuthentication` on older releases) and verify with
# `ssh -o PreferredAuthentications=keyboard-interactive` against a deployed host.
passwordAuthentication = false;
# Pin the ids of system users/groups that nixos would otherwise allocate on first
# boot (and remember in /var/lib/nixos/), so that every install of this config
# produces the same /etc/passwd and /etc/group. Groups first, then the one user.
users.groups.polkituser.gid = config.colinsane.allocations.polkituser-gid;
users.groups.sshd.gid = config.colinsane.allocations.sshd-gid;
users.groups.systemd-coredump.gid = config.colinsane.allocations.systemd-coredump-gid;
# sshd's privilege-separation user; its gid is pinned above
users.users.sshd.uid = config.colinsane.allocations.sshd-uid;
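# guarantee determinism in uid/gid generation for users:
# Every user must carry an explicit uid, every group an explicit gid, and no user
# may rely on an auto-allocated subordinate id range. Without this, nixos hands
# out ids on first boot and records them in /var/lib/nixos/, so two installs of
# the same config end up with different on-disk ownership (and leaked ids after
# a restore from backup). Each failed check names the offending user/group.
assertions = let
  # Build one assertion per attribute of `set`; `pred` receives the attribute's
  # value and must return true for the check to pass. `msg` is the prefix of the
  # failure text, the attribute name is appended after ": ".
  checkEach = pred: msg: set: lib.mapAttrsToList (name: entry: {
    assertion = pred entry;
    message = "${msg}: ${name}";
  }) set;
in
  checkEach (user: user.uid != null) "non-deterministic uid detected for" config.users.users
  ++ checkEach (group: group.gid != null) "non-deterministic gid detected for" config.users.groups
  # (message typo fixed: the option governs subGids as well as subUids)
  ++ checkEach (user: !user.autoSubUidGidRange) "non-deterministic subUids/subGids detected for" config.users.users;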