vm: fix user propagation, refactor base.users

This commit is contained in:
Motiejus Jakštys 2024-03-06 10:33:48 +02:00
parent b31dff0451
commit f5edd23253
10 changed files with 70 additions and 104 deletions

View File

@ -111,30 +111,26 @@
gamja = super.callPackage ./pkgs/gamja.nix {}; gamja = super.callPackage ./pkgs/gamja.nix {};
}) })
]; ];
mkVM = system:
nixpkgs.lib.nixosSystem {
inherit system;
modules = [
{nixpkgs.overlays = overlays;}
./hosts/vm/configuration.nix
./modules
./modules/profiles/desktop
home-manager.nixosModules.home-manager
];
specialArgs = {inherit myData;} // inputs;
};
in in
{ {
nixosConfigurations = { nixosConfigurations = {
vm-x86_64 = nixpkgs.lib.nixosSystem { vm-x86_64 = mkVM "x86_64-linux";
system = "x86_64-linux"; vm-aarch64 = mkVM "aarch64-linux";
modules = [
{nixpkgs.overlays = overlays;}
home-manager.nixosModules.home-manager
./hosts/vm/configuration.nix
./modules
];
specialArgs = {inherit myData;} // inputs;
};
vm-aarch64 = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
modules = [
{nixpkgs.overlays = overlays;}
home-manager.nixosModules.home-manager
./hosts/vm/configuration.nix
./modules
];
specialArgs = {inherit myData;} // inputs;
};
op5p = nixpkgs.lib.nixosSystem { op5p = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";

View File

@ -31,13 +31,13 @@
mj = { mj = {
stateVersion = "23.05"; stateVersion = "23.05";
timeZone = "UTC"; timeZone = "UTC";
username = "motiejus";
base = { base = {
users = { users = {
enable = true; enable = true;
passwd = {
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path; root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
motiejus.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path; user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
}; };
unitstatus = { unitstatus = {

View File

@ -56,16 +56,15 @@ in {
mj = { mj = {
stateVersion = "23.05"; stateVersion = "23.05";
timeZone = "Europe/Vilnius"; timeZone = "Europe/Vilnius";
username = "motiejus";
base = { base = {
zfs.enable = true; zfs.enable = true;
users = { users = {
enable = true; enable = true;
devTools = true; devTools = true;
passwd = {
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path; root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
motiejus.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path; user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
}; };
snapshot = { snapshot = {

View File

@ -2,33 +2,24 @@
self, self,
lib, lib,
pkgs, pkgs,
myData,
config,
modulesPath, modulesPath,
... ...
}: { }: {
imports = [ imports = [
"${modulesPath}/profiles/all-hardware.nix" "${modulesPath}/profiles/all-hardware.nix"
"${modulesPath}/installer/cd-dvd/iso-image.nix" "${modulesPath}/installer/cd-dvd/iso-image.nix"
../../modules/profiles/desktop
]; ];
home-manager.useGlobalPkgs = true;
home-manager.users.nixos = {pkgs, ...}:
import ../../shared/home/default.nix {
inherit lib;
inherit pkgs;
inherit (config.mj) stateVersion;
username = "nixos";
devTools = true;
hmOnly = false;
email = "motiejus@jakstys.lt";
};
mj = { mj = {
stateVersion = "23.11"; stateVersion = "23.11";
timeZone = "UTC"; timeZone = "UTC";
username = "nixos"; username = "nixos";
base.users = {
enable = true;
user.initialHashedPassword = "";
root.initialHashedPassword = "";
};
}; };
isoImage = { isoImage = {
@ -44,32 +35,15 @@
swapDevices = []; swapDevices = [];
services = { services = {
pcscd.enable = true;
getty.autologinUser = "nixos"; getty.autologinUser = "nixos";
xserver.enable = true;
};
users.users = {
nixos = {
isNormalUser = true;
initialHashedPassword = "";
openssh.authorizedKeys.keys = [myData.people_pubkeys.motiejus];
};
root.initialHashedPassword = "";
}; };
# do not autostart lightdm, leave at tty # do not autostart lightdm, leave at tty
systemd.services.display-manager.wantedBy = lib.mkForce []; systemd.services.display-manager.wantedBy = lib.mkForce [];
security = { security.pam.services.lightdm.text = ''
pam.services.lightdm.text = ''
auth sufficient pam_succeed_if.so user ingroup wheel auth sufficient pam_succeed_if.so user ingroup wheel
''; '';
sudo = {
enable = true;
wheelNeedsPassword = false;
};
};
networking = { networking = {
hostName = "vm"; hostName = "vm";

View File

@ -38,15 +38,14 @@
mj = { mj = {
stateVersion = "23.05"; stateVersion = "23.05";
timeZone = "Europe/Vilnius"; timeZone = "Europe/Vilnius";
username = "motiejus";
base = { base = {
zfs.enable = true; zfs.enable = true;
users = { users = {
enable = true; enable = true;
passwd = {
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path; root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
motiejus.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path; user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
}; };
snapshot = { snapshot = {

View File

@ -54,14 +54,14 @@
mj = { mj = {
stateVersion = "23.05"; stateVersion = "23.05";
timeZone = "Europe/Vilnius"; timeZone = "Europe/Vilnius";
username = "motiejus";
base = { base = {
zfs.enable = true; zfs.enable = true;
users = { users = {
enable = true; enable = true;
passwd = {
root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path; root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
motiejus.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path; user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
};
}; };
unitstatus = { unitstatus = {
enable = true; enable = true;

View File

@ -31,10 +31,7 @@ in {
description = "Time zone for this system"; description = "Time zone for this system";
}; };
username = lib.mkOption { username = lib.mkOption {type = str;};
type = str;
default = "motiejus";
};
}; };
config = { config = {

View File

@ -5,16 +5,7 @@
... ...
}: let }: let
cfg = config.mj.base.users; cfg = config.mj.base.users;
in { props = with lib.types; {
options.mj.base.users = with lib.types; {
enable = lib.mkEnableOption "enable motiejus and root";
devTools = lib.mkOption {
type = bool;
default = false;
};
passwd = lib.mkOption {
type = attrsOf (submodule {
options = {
hashedPasswordFile = lib.mkOption { hashedPasswordFile = lib.mkOption {
type = nullOr path; type = nullOr path;
default = null; default = null;
@ -23,14 +14,25 @@ in {
type = nullOr str; type = nullOr str;
default = null; default = null;
}; };
initialHashedPassword = lib.mkOption {
type = nullOr str;
default = null;
};
extraGroups = lib.mkOption { extraGroups = lib.mkOption {
type = listOf str; type = listOf str;
default = []; default = [];
}; };
}; };
}); in {
options.mj.base.users = with lib.types; {
enable = lib.mkEnableOption "enable motiejus and root";
devTools = lib.mkOption {
type = bool;
default = false;
}; };
user = props;
root = props;
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -38,10 +40,10 @@ in {
mutableUsers = false; mutableUsers = false;
users = { users = {
motiejus = ${config.mj.username} =
{ {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel" "dialout" "video"] ++ cfg.passwd.motiejus.extraGroups; extraGroups = ["wheel" "dialout" "video"] ++ cfg.user.extraGroups;
uid = myData.uidgid.motiejus; uid = myData.uidgid.motiejus;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
myData.people_pubkeys.motiejus myData.people_pubkeys.motiejus
@ -51,19 +53,18 @@ in {
n: v: n: v:
(n == "hashedPasswordFile" || n == "initialPassword") && v != null (n == "hashedPasswordFile" || n == "initialPassword") && v != null
) )
cfg.passwd.motiejus or {}; cfg.user or {};
root = assert lib.assertMsg (cfg.passwd ? root) "root password needs to be defined"; root = lib.filterAttrs (_: v: v != null) cfg.root;
lib.filterAttrs (_: v: v != null) cfg.passwd.root;
}; };
}; };
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.users.motiejus = {pkgs, ...}: home-manager.users.${config.mj.username} = {pkgs, ...}:
import ../../../shared/home/default.nix { import ../../../shared/home/default.nix {
inherit lib; inherit lib;
inherit pkgs; inherit pkgs;
inherit (config.mj) stateVersion; inherit (config.mj) stateVersion username;
inherit (cfg) devTools; inherit (cfg) devTools;
hmOnly = false; hmOnly = false;
email = "motiejus@jakstys.lt"; email = "motiejus@jakstys.lt";

View File

@ -23,7 +23,7 @@ in {
wireshark.enable = true; wireshark.enable = true;
}; };
mj.base.users.passwd.${username}.extraGroups = ["adbusers" "networkmanager" "wireshark"]; mj.base.users.user.extraGroups = ["adbusers" "networkmanager" "wireshark"];
services = { services = {
fwupd.enable = true; fwupd.enable = true;

View File

@ -5,7 +5,7 @@
email, email,
devTools, devTools,
hmOnly, hmOnly,
username ? "motiejus", username,
... ...
}: let }: let
# from https://github.com/Gerg-L/demoninajar/blob/39964f198dbfa34c21f81c35370fab312b476051/homes/veritas_manjaro/nixGL.nix#L42 # from https://github.com/Gerg-L/demoninajar/blob/39964f198dbfa34c21f81c35370fab312b476051/homes/veritas_manjaro/nixGL.nix#L42