Diffstat (limited to 'nixos/modules/users.nix')
-rw-r--r--nixos/modules/users.nix78
1 files changed, 78 insertions, 0 deletions
diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix
new file mode 100644
index 0000000..d169423
--- /dev/null
+++ b/nixos/modules/users.nix
@@ -0,0 +1,78 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ isNative = config.nixpkgs.hostPlatform == config.nixpkgs.buildPlatform;
+ isArm = config.nixpkgs.hostPlatform.isAarch;
+in {
+ users = {
+ mutableUsers = false;
+ groups.cynerd.gid = 1000;
+ users = {
+ root = {
+ hashedPasswordFile = "/run/secrets/root.pass";
+ };
+ cynerd = {
+ group = "cynerd";
+ extraGroups = ["users" "wheel" "dialout" "kvm" "uucp" "wireshark" "leds"];
+ uid = 1000;
+ subUidRanges = [
+ {
+ count = 65534;
+ startUid = 10000;
+ }
+ ];
+ subGidRanges = [
+ {
+ count = 65534;
+ startGid = 10000;
+ }
+ ];
+ isNormalUser = true;
+ createHome = true;
+ shell =
+ if isNative
+ then pkgs.zsh.out
+ else pkgs.bash.out;
+ hashedPasswordFile = "/run/secrets/cynerd.pass";
+ openssh.authorizedKeys.keyFiles = [
+ (config.personal-secrets + "/unencrypted/git-private.pub")
+ ];
+ };
+ };
+ };
+
+ security.sudo.extraRules = [
+ {
+ groups = ["wheel"];
+ commands = ["ALL"];
+ }
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ programs = {
+ zsh = {
+ enable = isNative;
+ syntaxHighlighting.enable = isNative;
+ };
+ shellrc = true;
+ vim.defaultEditor = isArm;
+ neovim = {
+ enable = !isArm;
+ defaultEditor = true;
+ withNodeJs = true;
+ };
+
+ wireshark.enable = true;
+ };
+
+ programs.fuse.userAllowOther = true;
+}
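Review bot: With `mutableUsers = false`, both accounts depend entirely on `/run/secrets/root.pass` and `/run/secrets/cynerd.pass` being readable when the user-activation step runs, and nothing in this file establishes that ordering. If the files are missing at that point NixOS, as far as I know, only warns and leaves the account with a locked password; since `PermitRootLogin = "no"` and the wheel sudo rule carries no NOPASSWD option, cynerd could still log in by key but would have no route to root. I would add a comment above each `hashedPasswordFile` naming what provisions it, e.g. `# decrypted before user creation by <secrets module>; a missing file locks the password`, and confirm that the secrets mechanism really is ordered before user creation. Separately, `programs.fuse.userAllowOther = true;` and membership in `wireshark`, `kvm` and `dialout` widen what the account can reach, so each deserves a one-line comment giving the reason.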