From ddf79e54e950a7a9f2221f91bb8469801fbe96ff Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Wed, 28 Jun 2023 03:34:15 +0000
Subject: [PATCH] users: split `colin` and `guest` apart

---
 hosts/common/users/colin.nix   |  95 +++++++++++++++++++++++
 hosts/common/users/default.nix | 137 +++------------------------------
 hosts/common/users/guest.nix   |  34 ++++++++
 3 files changed, 139 insertions(+), 127 deletions(-)
 create mode 100644 hosts/common/users/colin.nix
 create mode 100644 hosts/common/users/guest.nix

diff --git a/hosts/common/users/colin.nix b/hosts/common/users/colin.nix
new file mode 100644
index 00000000..a4567f71
--- /dev/null
+++ b/hosts/common/users/colin.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, lib, sane-lib, ... }:
+
+let
+  fs = sane-lib.fs;
+in
+{
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.colin = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/colin";
+    createHome = true;
+    homeMode = "0700";
+    # i don't get exactly what this is, but nixos defaults to this non-deterministically
+    # in /var/lib/nixos/auto-subuid-map and i don't want that.
+    subUidRanges = [
+      { startUid=100000; count=1; }
+    ];
+    group = "users";
+    extraGroups = [
+      "dialout"  # required for modem access (moby)
+      "feedbackd"
+      "input"  # for /dev/input/<xyz>: sxmo
+      "networkmanager"
+      "nixbuild"
+      "transmission"  # servo, to admin /var/lib/uninsane/media
+      "video"  # phosh/mobile. XXX colin: unsure if necessary
+      "wheel"
+      "wireshark"
+    ];
+
+    # initial password is empty, in case anything goes wrong.
+    # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
+    initialPassword = lib.mkDefault "";
+    passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
+
+    shell = pkgs.zsh;
+
+    # mount encrypted stuff at login
+    # some other nix pam users:
+    # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
+    # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
+    # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
+    pamMount = let
+      priv = config.fileSystems."/home/colin/private";
+    in {
+      fstype = priv.fsType;
+      path = priv.device;
+      mountpoint = priv.mountPoint;
+      options = builtins.concatStringsSep "," priv.options;
+    };
+  };
+
+  security.pam.mount.enable = true;
+
+  sane.users.colin.default = true;
+  # ensure ~ perms are known to sane.fs module.
+  # TODO: this is generic enough to be lifted up into sane.fs itself.
+  sane.fs."/home/colin".dir.acl = {
+    user = "colin";
+    group = config.users.users.colin.group;
+    mode = config.users.users.colin.homeMode;
+  };
+
+  sane.user.persist.plaintext = [
+    "archive"
+    "dev"
+    # TODO: records should be private
+    "records"
+    "ref"
+    "tmp"
+    "use"
+    "Music"
+    "Pictures"
+    "Videos"
+
+    ".cache/nix"
+    ".cache/nix-index"
+
+    # ".cargo"
+    # ".rustup"
+  ];
+
+  # convenience
+  sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
+  sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
+  sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
+  sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
+  sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
+  sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
+  sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
+
+  # used by password managers, e.g. unix `pass`
+  sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
+}
diff --git a/hosts/common/users/default.nix b/hosts/common/users/default.nix
index aff74f4f..1e09d300 100644
--- a/hosts/common/users/default.nix
+++ b/hosts/common/users/default.nix
@@ -1,134 +1,17 @@
 { config, pkgs, lib, sane-lib, ... }:
 
-# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
-with lib;
-let
-  cfg = config.sane.guest;
-  fs = sane-lib.fs;
-in
 {
-  options = {
-    sane.guest.enable = mkOption {
-      default = false;
-      type = types.bool;
-    };
-  };
+  imports = [
+    ./colin.nix
+    ./guest.nix
+  ];
 
-  config = {
-    # Users are exactly these specified here;
-    # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
-    users.mutableUsers = false;
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
 
-    # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
-    users.users.colin = {
-      # sets group to "users" (?)
-      isNormalUser = true;
-      home = "/home/colin";
-      createHome = true;
-      homeMode = "0700";
-      # i don't get exactly what this is, but nixos defaults to this non-deterministically
-      # in /var/lib/nixos/auto-subuid-map and i don't want that.
-      subUidRanges = [
-        { startUid=100000; count=1; }
-      ];
-      group = "users";
-      extraGroups = [
-        "dialout"  # required for modem access (moby)
-        "feedbackd"
-        "input"  # for /dev/input/<xyz>: sxmo
-        "networkmanager"
-        "nixbuild"
-        "transmission"  # servo, to admin /var/lib/uninsane/media
-        "video"  # phosh/mobile. XXX colin: unsure if necessary
-        "wheel"
-        "wireshark"
-      ];
-
-      # initial password is empty, in case anything goes wrong.
-      # if `colin-passwd` (a password hash) is successfully found/decrypted, that becomes the password at boot.
-      initialPassword = lib.mkDefault "";
-      passwordFile = lib.mkIf (config.sops.secrets ? "colin-passwd") config.sops.secrets.colin-passwd.path;
-
-      shell = pkgs.zsh;
-
-      # mount encrypted stuff at login
-      # some other nix pam users:
-      # - <https://github.com/g00pix/nixconf/blob/32c04f6fa843fed97639dd3f09e157668d3eea1f/profiles/sshfs.nix>
-      # - <https://github.com/lourkeur/distro/blob/11173454c6bb50f7ccab28cc2c757dca21446d1d/nixos/profiles/users/louis-full.nix>
-      # - <https://github.com/dnr/sample-nix-code/blob/03494480c1fae550c033aa54fd96aeb3827761c5/nixos/laptop.nix>
-      pamMount = let
-        priv = config.fileSystems."/home/colin/private";
-      in {
-        fstype = priv.fsType;
-        path = priv.device;
-        mountpoint = priv.mountPoint;
-        options = builtins.concatStringsSep "," priv.options;
-      };
-    };
-
-    security.pam.mount.enable = true;
-
-    sane.users.colin.default = true;
-    # ensure ~ perms are known to sane.fs module.
-    # TODO: this is generic enough to be lifted up into sane.fs itself.
-    sane.fs."/home/colin".dir.acl = {
-      user = "colin";
-      group = config.users.users.colin.group;
-      mode = config.users.users.colin.homeMode;
-    };
-
-    sane.user.persist.plaintext = [
-      "archive"
-      "dev"
-      # TODO: records should be private
-      "records"
-      "ref"
-      "tmp"
-      "use"
-      "Music"
-      "Pictures"
-      "Videos"
-
-      ".cache/nix"
-      ".cache/nix-index"
-
-      # ".cargo"
-      # ".rustup"
-    ];
-
-    # convenience
-    sane.user.fs."knowledge" = fs.wantedSymlinkTo "private/knowledge";
-    sane.user.fs."nixos" = fs.wantedSymlinkTo "dev/nixos";
-    sane.user.fs."Books/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Books";
-    sane.user.fs."Videos/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Videos";
-    sane.user.fs."Videos/servo-incomplete" = fs.wantedSymlinkTo "/mnt/servo-media/incomplete";
-    sane.user.fs."Music/servo" = fs.wantedSymlinkTo "/mnt/servo-media/Music";
-    sane.user.fs."Pictures/servo-macros" = fs.wantedSymlinkTo "/mnt/servo-media/Pictures/macros";
-
-    # used by password managers, e.g. unix `pass`
-    sane.user.fs.".password-store" = fs.wantedSymlinkTo "knowledge/secrets/accounts";
-
-    sane.persist.sys.plaintext = mkIf cfg.enable [
-      # intentionally allow other users to write to the guest folder
-      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
-    ];
-    users.users.guest = mkIf cfg.enable {
-      isNormalUser = true;
-      home = "/home/guest";
-      subUidRanges = [
-        { startUid=200000; count=1; }
-      ];
-      group = "users";
-      initialPassword = lib.mkDefault "";
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keys = [
-        # TODO: insert pubkeys that should be allowed in
-      ];
-    };
-
-    security.sudo = {
-      enable = true;
-      wheelNeedsPassword = false;
-    };
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
   };
 }
diff --git a/hosts/common/users/guest.nix b/hosts/common/users/guest.nix
new file mode 100644
index 00000000..7fc02da7
--- /dev/null
+++ b/hosts/common/users/guest.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.sane.guest;
+in
+{
+  options = with lib; {
+    sane.guest.enable = mkOption {
+      default = false;
+      type = types.bool;
+    };
+  };
+
+  config = {
+    users.users.guest = lib.mkIf cfg.enable {
+      isNormalUser = true;
+      home = "/home/guest";
+      subUidRanges = [
+        { startUid=200000; count=1; }
+      ];
+      group = "users";
+      initialPassword = lib.mkDefault "";
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = [
+        # TODO: insert pubkeys that should be allowed in
+      ];
+    };
+
+    sane.persist.sys.plaintext = lib.mkIf cfg.enable [
+      # intentionally allow other users to write to the guest folder
+      { directory = "/home/guest"; user = "guest"; group = "users"; mode = "0775"; }
+    ];
+  };
+}