authorSeth Flynn <[email protected]>2025-02-13 20:25:01 -0500
committerSeth Flynn <[email protected]>2025-02-13 22:09:11 -0500
commit1ab6099032d0ecaffcbe2a319ee57118ce619fdc (patch)
tree7998fab06edddf95d98c820b9541e49c48d55275 /modules/nixos/profiles
parent102c93593af02273a5d7c2c618e9dea1a3cee747 (diff)
nixos: split off system user support
And don't give it a password
Diffstat (limited to 'modules/nixos/profiles')
-rw-r--r--modules/nixos/profiles/server.nix18
1 files changed, 8 insertions, 10 deletions
diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix
index d54285d..8934863 100644
--- a/modules/nixos/profiles/server.nix
+++ b/modules/nixos/profiles/server.nix
@@ -18,10 +18,6 @@ in
{
options.profiles.server = {
enable = lib.mkEnableOption "the Server profile";
-
- hostUser = lib.mkEnableOption "a default interactive user" // {
- default = true;
- };
};
config = lib.mkIf cfg.enable (
@@ -36,6 +32,10 @@ in
boot.tmp.cleanOnBoot = lib.mkDefault true;
+ borealis.users = {
+ system.enable = true;
+ };
+
# We don't need it here
documentation.enable = false;
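Review bot: `system.enable = true;` is set at normal priority, so a host importing this profile can only opt out with `lib.mkForce`, whereas the removed `hostUser` option was an ordinary toggle that defaulted to true. It also makes the `lib.mkIf config.borealis.users.system.enable` guard in the last hunk always true for this profile. Writing `system.enable = lib.mkDefault true;`, as the `boot.tmp.cleanOnBoot` line above does, keeps the default while letting a host turn the user off.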
@@ -65,17 +65,15 @@ in
secrets.enable = true;
};
+ # I use exclusively Tailscale auth on some machines
+ users.allowNoPasswordLogin = true;
+
zramSwap.enable = true;
}
- (lib.mkIf cfg.hostUser {
+ (lib.mkIf config.borealis.users.system.enable {
# Hardening access to `nix` as no other users *should* ever really touch it
nix.settings.allowed-users = [ config.networking.hostName ];
-
- users.users.${config.networking.hostName} = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
})
]
);
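Review bot: `users.allowNoPasswordLogin = true;` applies to every host that enables the profile, although the comment says only some machines rely on Tailscale auth. The option does not grant passwordless logins; it disables the NixOS assertion that root or a wheel user has a password or SSH key. On hosts without Tailscale, a configuration that leaves no usable credential would then build cleanly and lock the operator out. Consider scoping it, for example `users.allowNoPasswordLogin = lib.mkDefault config.services.tailscale.enable;` if that is how those hosts are identified, and rewording the comment to `# Skips the "an admin can log in" assertion; these hosts authenticate via Tailscale`. Separately, `allowed-users = [ config.networking.hostName ]` still assumes the user created by `borealis.users.system` is named after the host, which is no longer visible in this file.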