nixos: split off system user support

And don't give it a password

2 files changed, 23 insertions, 1 deletions

diff --git a/modules/nixos/users/default.nix b/modules/nixos/users/default.nix
index df767b4..fa6ee8c 100644
--- a/modules/nixos/users/default.nix
+++ b/modules/nixos/users/default.nix
@@ -1 +1,6 @@
-{ imports = [ ./seth.nix ]; }
+{
+  imports = [
+    ./seth.nix
+    ./system.nix
+  ];
+}
diff --git a/modules/nixos/users/system.nix b/modules/nixos/users/system.nix
new file mode 100644
index 0000000..15c58cc
--- /dev/null
+++ b/modules/nixos/users/system.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.borealis.users.system;
+in
+
+{
+  options.borealis.users.system = {
+    enable = lib.mkEnableOption "an untrusted system user";
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.${config.networking.hostName} = {
+      isNormalUser = true;
+    };
+  };
+}