Sync

2024-11-10 20:15:47 +01:00 · 2024-11-10 20:15:47 +01:00 · cef3a949fe
commit cef3a949fe
parent c1025627ae
40 changed files with 3401 additions and 158 deletions
--- a/users/admin/default.nix
+++ b/users/admin/default.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.homelab.users.admin;
+in {
+  options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator";
+
+  config = lib.mkIf cfg.enable {
+    nix.settings.trusted-users = [
+      config.users.users.admin.name
+    ];
+
+    users.users.admin = {
+      description = "System Administrator";
+      isNormalUser = true;
+      extraGroups = [
+        config.users.groups.wheel.name # Enable 'sudo' for the user.
+      ];
+      initialPassword = "ChangeMe";
+      openssh.authorizedKeys.keys = [
+        # TODO ChangeMe
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+      ];
+      packages = with pkgs; [
+        curl
+        git
+        tmux
+        vim
+        wget
+      ];
+    };
+  };
+}
--- a/users/apps/default.nix
+++ b/users/apps/default.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.homelab.users.apps;
+in {
+  options.homelab.users.apps.enable = lib.mkEnableOption "user Apps";
+
+  config.users = lib.mkIf cfg.enable {
+    groups.apps.gid = lib.mkForce 568;
+    users.apps = {
+      uid = lib.mkForce 568;
+      isSystemUser = true;
+      group = config.users.groups.apps.name;
+      home = "/var/empty";
+      shell = null;
+    };
+  };
+}
--- a/users/backup/default.nix
+++ b/users/backup/default.nix
@ -0,0 +1,26 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.homelab.users.backup;
+in {
+  options.homelab.users.backup.enable = lib.mkEnableOption "user Backup";
+
+  config = lib.mkIf cfg.enable {
+    users.users.backup = {
+      description = "Backup User";
+      isNormalUser = true;
+      extraGroups = [
+        "docker" # Allow access to the docker socket.
+      ];
+      openssh.authorizedKeys.keys = [
+        # TODO ChangeMe
+
+        # Tibo-NixFat
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+
+        # Hugo
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAxR813vqq5zbu1NHrIybu5Imlu3k0rDCGxHiuGEhPoVV9c5FpnKNGLCi3ctm15ZcVBX4HcponYsKRBsCzM2pI4uXjxhHkLzbss5LttFuSzv5v/QHfLW1bvyJEMBEPxguGqAydAeWrBFdI9uHBEXeb325uKxMKBZHYvvpyAQ115c1wKy1bL8BfR0LTkhsFqexRvI86q59AVrAU/KFf6RXO0T9QA6H/vyWLlIPc7Ta+tSWwQ68bMmS5Pwn8q58tOAOAd6Lpt4TqUDJSppPjLEPKyKC6ShwMdEjwmwpEG0hxfsvaU8XERyQbSbEE9sLHRA2LoEdtMx3J8nzX3AwYUNspsqIv6NQZksnVqJ8OfL45ngUFcSJ6kBsUvCZfzEUGUTJ6Js0v84NOIXxNG/ZfPsk6ArXm3dvj2TYeK8llO6wpJnMMyztmmiODWoj9tepZSij44IgVM5wdWYIK/RZoYTsCQbmvJFfB8jhyJnf/7F19Vo5+LwhmCOsQh/KEK0F1DVc= admin@Hugo"
+      ];
+    };
+  };
+}
--- a/users/default.nix
+++ b/users/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./admin
+    ./apps
+    ./backup
+    ./deploy
+    ./media
+  ];
+}
--- a/users/deploy/default.nix
+++ b/users/deploy/default.nix
@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.homelab.users.deploy;
+in {
+  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      groups.deploy = { };
+
+      # The user used to deploy rebuilds without password authentication
+      users.deploy = {
+        group = config.users.groups.deploy.name;
+        isSystemUser = true;
+        home = "/var/empty";
+        shell = pkgs.bashInteractive;
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
+        ];
+      };
+    };
+
+    security.sudo.extraRules = [
+      {
+        groups = [
+          config.users.groups.deploy.name
+        ];
+        commands = [
+          {
+            command = "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profile/system --set /nix/store/*-*";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+      {
+        groups = [
+          config.users.groups.deploy.name
+        ];
+        commands = [
+          {
+            command = "/nix/store/*/bin/switch-to-configuration";
+            options = [ "NOPASSWD" ];
+          }
+        ];
+      }
+    ];
+  };
+}
--- a/users/media/default.nix
+++ b/users/media/default.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.homelab.users.media;
+in {
+  options.homelab.users.media.enable = lib.mkEnableOption "user Media";
+
+  config.users = lib.mkIf cfg.enable {
+    groups.media.gid = lib.mkForce 3000;
+    users.media = {
+      uid = lib.mkForce 3001;
+      isSystemUser = true;
+      group = config.users.groups.media.name;
+      home = "/var/empty";
+      shell = null;
+    };
+  };
+}