added isPrincipleUser to users

enviroments/common/default.nix

@@ -4,7 +4,6 @@
   nix = {
     settings = {
       experimental-features = ["nix-command" "flakes"];
-      trusted-users = ["leyla"];
     };
     gc = {
       automatic = true;
@@ -44,40 +43,9 @@
       ports = [22];
       settings = {
         PasswordAuthentication = false;
-        AllowUsers = ["leyla"]; # Allows all users by default. Can be [ "user1" "user2" ]
         UseDns = true;
         X11Forwarding = false;
       };
     };
   };
-
-  environment = {
-    # List packages installed in system profile.
-    systemPackages = with pkgs; [
-      wget
-
-      # version control
-      git
-
-      # system debuging tools
-      iputils
-      dnsutils
-    ];
-
-    sessionVariables = rec {
-      SOPS_AGE_KEY_DIRECTORY = import ../../const/sops_age_key_directory.nix;
-      SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
-    };
-  };
-
-  sops = {
-    defaultSopsFormat = "yaml";
-    gnupg.sshKeyPaths = [];
-
-    age = {
-      keyFile = "/var/lib/sops-nix/key.txt";
-      sshKeyPaths = [];
-      # generateKey = true;
-    };
-  };
 }

hosts/defiant/configuration.nix

@@ -17,8 +17,9 @@
   host = {
     users = {
       leyla = {
-        isTerminalUser = true;
         isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
       };
       ester.isNormalUser = false;
       eve.isNormalUser = false;

hosts/horizon/configuration.nix

@@ -14,6 +14,7 @@
       leyla = {
         isDesktopUser = true;
         isTerminalUser = true;
+        isPrincipleUser = true;
       };
       ester.isDesktopUser = true;
       eve.isDesktopUser = true;

hosts/twilight/configuration.nix

@@ -10,7 +10,11 @@
 
   host = {
     users = {
-      leyla.isDesktopUser = true;
+      leyla = {
+        isDesktopUser = true;
+        isTerminalUser = true;
+        isPrincipleUser = true;
+      };
       ester.isDesktopUser = true;
       eve.isDesktopUser = true;
     };

modules/users.nix

@@ -4,6 +4,15 @@
   inputs,
   ...
 }: let
+  SOPS_AGE_KEY_DIRECTORY = import ../const/sops_age_key_directory.nix;
+
+  host = config.host;
+
+  hostUsers = host.hostUsers;
+  principleUsers = host.principleUsers;
+  terminalUsers = host.terminalUsers;
+  normalUsers = host.normalUsers;
+
   uids = {
     leyla = 1000;
     ester = 1001;
@@ -35,9 +44,30 @@
   ester = users.ester.name;
   eve = users.eve.name;
 in {
-  options.host.users = lib.mkOption {
+  options.host = {
-    type = lib.types.attrsOf (lib.types.submodule ({config, ...}: {
+    users = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({
+        config,
+        name,
+        ...
+      }: {
         options = {
+          name = lib.mkOption {
+            type = lib.types.string;
+            default = name;
+            description = ''
+              What should this users name on the system be
+            '';
+            defaultText = lib.literalExpression "config.host.users.\${name}.name";
+          };
+          isPrincipleUser = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = ''
+              User should be configured as root and have ssh access
+            '';
+            defaultText = lib.literalExpression "config.host.users.\${name}.isPrincipleUser";
+          };
           isDesktopUser = lib.mkOption {
             type = lib.types.bool;
             default = false;
@@ -65,10 +95,66 @@ in {
         };
       }));
     };
+    hostUsers = lib.mkOption {
+      default = lib.attrsets.mapAttrsToList (_: user: user) host.users;
+    };
+    principleUsers = lib.mkOption {
+      default = lib.lists.filter (user: user.isPrincipleUser) hostUsers;
+    };
+    normalUsers = lib.mkOption {
+      default = lib.lists.filter (user: user.isTerminalUser) hostUsers;
+    };
+    terminalUsers = lib.mkOption {
+      default = lib.lists.filter (user: user.isNormalUser) hostUsers;
+    };
+  };
 
   config = {
+    assertions =
+      (
+        builtins.map (user: {
+          assertion = !(user.isPrincipleUser && !user.isNormalUser);
+          message = ''
+            Non normal user ${user.name} can not be a principle user.
+          '';
+        })
+        hostUsers
+      )
+      ++ [
+        {
+          assertion = (builtins.length principleUsers) > 0;
+          message = ''
+            At least one user must be a principle user.
+          '';
+        }
+      ];
+
+    # principle users are by definition trusted
+    nix.settings.trusted-users = builtins.map (user: user.name) principleUsers;
+
+    # we should only be able to ssh into principle users of a computer who are also set up for terminal access
+    services.openssh.settings.AllowUsers = builtins.map (user: user.name) (lib.lists.intersectLists terminalUsers principleUsers);
+
+    # we need to set up env variables to nix can find keys to decrypt passwords on rebuild
+    environment = {
+      sessionVariables = {
+        SOPS_AGE_KEY_DIRECTORY = SOPS_AGE_KEY_DIRECTORY;
+        SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt";
+      };
+    };
+
     # set up user passwords
-    sops.secrets = {
+    sops = {
+      defaultSopsFormat = "yaml";
+      gnupg.sshKeyPaths = [];
+
+      age = {
+        keyFile = "/var/lib/sops-nix/key.txt";
+        sshKeyPaths = [];
+        # generateKey = true;
+      };
+
+      secrets = {
         "passwords/leyla" = {
           neededForUsers = true;
           sopsFile = "${inputs.secrets}/user-passwords.yaml";
@@ -82,39 +168,44 @@ in {
           sopsFile = "${inputs.secrets}/user-passwords.yaml";
         };
       };
+    };
 
     users = {
       mutableUsers = false;
       users = {
         leyla = {
           uid = lib.mkForce uids.leyla;
+          name = lib.mkForce host.users.leyla.name;
           description = "Leyla";
           extraGroups =
-            (lib.lists.optionals config.host.users.leyla.isNormalUser ["networkmanager" "wheel" "dialout"])
+            (lib.lists.optionals host.users.leyla.isNormalUser ["networkmanager"])
-            ++ (lib.lists.optionals config.host.users.leyla.isDesktopUser ["adbusers"]);
+            ++ (lib.lists.optionals host.users.leyla.isPrincipleUser ["wheel" "dialout"])
+            ++ (lib.lists.optionals host.users.leyla.isDesktopUser ["adbusers"]);
           hashedPasswordFile = config.sops.secrets."passwords/leyla".path;
-          isNormalUser = config.host.users.leyla.isNormalUser;
+          isNormalUser = host.users.leyla.isNormalUser;
-          isSystemUser = !config.host.users.leyla.isNormalUser;
+          isSystemUser = !host.users.leyla.isNormalUser;
           group = config.users.users.leyla.name;
         };
 
         ester = {
           uid = lib.mkForce uids.ester;
+          name = lib.mkForce host.users.ester.name;
           description = "Ester";
-          extraGroups = lib.optionals config.host.users.ester.isNormalUser ["networkmanager"];
+          extraGroups = lib.optionals host.users.ester.isNormalUser ["networkmanager"];
           hashedPasswordFile = config.sops.secrets."passwords/ester".path;
-          isNormalUser = config.host.users.ester.isNormalUser;
+          isNormalUser = host.users.ester.isNormalUser;
-          isSystemUser = !config.host.users.ester.isNormalUser;
+          isSystemUser = !host.users.ester.isNormalUser;
           group = config.users.users.ester.name;
         };
 
         eve = {
           uid = lib.mkForce uids.eve;
+          name = lib.mkForce host.users.eve.name;
           description = "Eve";
-          extraGroups = lib.optionals config.host.users.eve.isNormalUser ["networkmanager"];
+          extraGroups = lib.optionals host.users.eve.isNormalUser ["networkmanager"];
           hashedPasswordFile = config.sops.secrets."passwords/eve".path;
-          isNormalUser = config.host.users.eve.isNormalUser;
+          isNormalUser = host.users.eve.isNormalUser;
-          isSystemUser = !config.host.users.eve.isNormalUser;
+          isSystemUser = !host.users.eve.isNormalUser;
           group = config.users.users.eve.name;
         };