authorSeth Flynn <[email protected]>2025-02-13 20:25:01 -0500
committerSeth Flynn <[email protected]>2025-02-13 22:09:11 -0500
commit1ab6099032d0ecaffcbe2a319ee57118ce619fdc (patch)
tree7998fab06edddf95d98c820b9541e49c48d55275 /modules
parent102c93593af02273a5d7c2c618e9dea1a3cee747 (diff)
nixos: split off system user support
And don't give it a password
Diffstat (limited to 'modules')
-rw-r--r--modules/nixos/defaults/users.nix1
-rw-r--r--modules/nixos/profiles/server.nix18
-rw-r--r--modules/nixos/users/default.nix7
-rw-r--r--modules/nixos/users/system.nix17
4 files changed, 32 insertions, 11 deletions
diff --git a/modules/nixos/defaults/users.nix b/modules/nixos/defaults/users.nix
index 0cec52a..4746d65 100644
--- a/modules/nixos/defaults/users.nix
+++ b/modules/nixos/defaults/users.nix
@@ -4,6 +4,7 @@
pkgs,
...
}:
+
{
users = {
defaultUserShell = pkgs.bash;
diff --git a/modules/nixos/profiles/server.nix b/modules/nixos/profiles/server.nix
index d54285d..8934863 100644
--- a/modules/nixos/profiles/server.nix
+++ b/modules/nixos/profiles/server.nix
@@ -18,10 +18,6 @@ in
{
options.profiles.server = {
enable = lib.mkEnableOption "the Server profile";
-
- hostUser = lib.mkEnableOption "a default interactive user" // {
- default = true;
- };
};
config = lib.mkIf cfg.enable (
@@ -36,6 +32,10 @@ in
boot.tmp.cleanOnBoot = lib.mkDefault true;
+ borealis.users = {
+ system.enable = true;
+ };
+
# We don't need it here
documentation.enable = false;
@@ -65,17 +65,15 @@ in
secrets.enable = true;
};
+ # I use exclusively Tailscale auth on some machines
+ users.allowNoPasswordLogin = true;
+
zramSwap.enable = true;
}
- (lib.mkIf cfg.hostUser {
+ (lib.mkIf config.borealis.users.system.enable {
# Hardening access to `nix` as no other users *should* ever really touch it
nix.settings.allowed-users = [ config.networking.hostName ];
-
- users.users.${config.networking.hostName} = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- };
})
]
);
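Review bot: `users.allowNoPasswordLogin = true;` is applied unconditionally inside the server profile, while the comment above it says Tailscale-only auth is used on "some machines"; every host that enables this profile now loses the assertion that root or a wheel member can still log in with a password or SSH key. That option only suppresses the lockout check and does not itself permit password-less logins, so a more precise comment would be `# Only disables the root/wheel-must-be-able-to-log-in assertion; needed because the host user no longer has a password or wheel membership.` If only some hosts rely on Tailscale auth, consider gating this line on a per-host option instead of the whole profile. The Tailscale configuration itself is not visible in this hunk, so its role is inferred from the comment.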
diff --git a/modules/nixos/users/default.nix b/modules/nixos/users/default.nix
index df767b4..fa6ee8c 100644
--- a/modules/nixos/users/default.nix
+++ b/modules/nixos/users/default.nix
@@ -1 +1,6 @@
-{ imports = [ ./seth.nix ]; }
+{
+ imports = [
+ ./seth.nix
+ ./system.nix
+ ];
+}
diff --git a/modules/nixos/users/system.nix b/modules/nixos/users/system.nix
new file mode 100644
index 0000000..15c58cc
--- /dev/null
+++ b/modules/nixos/users/system.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.borealis.users.system;
+in
+
+{
+ options.borealis.users.system = {
+ enable = lib.mkEnableOption "an untrusted system user";
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.${config.networking.hostName} = {
+ isNormalUser = true;
+ };
+ };
+}
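Review bot: The option is described as "an untrusted system user", but the account is created with `isNormalUser = true`, which in NixOS terms is a regular login user (UID in the normal range, home directory) rather than an `isSystemUser` account; a comment above `users.users.${config.networking.hostName}` saying that the name is derived from the hostname and that "system" here means the host's own unprivileged account would avoid that confusion. The commit message says the user gets no password, but if `users.mutableUsers` is left at its default, a password set interactively in an earlier generation (when this user was still in wheel) would presumably be retained across rebuilds; if a locked account is the intent, stating `hashedPassword = "!";` makes that explicit independent of mutableUsers. The hosts' mutableUsers setting is not visible in this diff.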