liminix/modules/users.nix

## Users
## =====
##
## User- and group-related configuration.
##
## Changes made here are reflected in files such as :file:/etc/shadow,
## :file:/etc/passwd, :file:/etc/group etc. If you are familiar with
## user configuration in NixOS, please note that Liminix does not have
## the concept of "mutable users" - files in /etc/ are symlinks to
## the immutable store, so you can't e.g  change a password with
## :command:`passwd`

{
  lib,
  pkgs,
  config,
  ...
}:
let
  inherit (lib)
    concatStrings
    concatStringsSep
    mapAttrsToList
    mkOption
    types
    ;
  inherit (builtins) toString;
  inherit (pkgs.pseudofile) dir;
  passwd-file =
    let
      lines = mapAttrsToList (
        name: u:
        "${name}:${
          if u ? passwd then u.passwd else "!!"
        }:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n"
      ) config.users;
    in
    concatStrings lines;
  group-file =
    let
      lines = mapAttrsToList (
        name:
        {
          gid,
          usernames ? [ ],
        }:
        "${name}:x:${toString gid}:${concatStringsSep "," usernames}\n"
      ) config.groups;
    in
    concatStrings lines;
in
{
  options = {
    users = mkOption {
      type = types.attrsOf (
        types.submodule {
          options = {
            passwd = mkOption {
              type = types.str;
              description = "encrypted password, as generated by mkpasswd -m sha512crypt";
              example = "$6$RIYL.EgWOrtoJ0/7$Z53a8sc0o6AU/kuFOGiLJKhwVavTG/deoM7JTs6luNczYSUsh4UYmhvT8sVzm.l8F/LZXhhhkC7IHQs5UGAIM/";
              default = "!!";
            };
            uid = mkOption {
              type = types.int;
            };
            gid = mkOption {
              type = types.int;
            };
            gecos = mkOption {
              type = types.str;
              default = "";
              example = "Jo Q User";
            };
            dir = mkOption {
              type = types.str;
              default = "/run";
            };
            shell = mkOption {
              type = types.str;
              default = "/bin/sh";
            };
            openssh.authorizedKeys.keys = mkOption {
              type = types.listOf types.str;
              default = [ ];
            };
          };
        }
      );
    };
    groups = mkOption {
      type = types.attrsOf (
        types.submodule {
          options = {
            gid = mkOption {
              type = types.int;
            };
            usernames = mkOption {
              type = types.listOf types.str;
              default = [ ];
            };
          };
        }
      );
    };
  };
  config =
    let
      authorized_key_files = lib.attrsets.mapAttrs (
        name: val:
        dir {
          ".ssh" = dir {
            authorized_keys = {
              inherit (val) uid gid;
              type = "f";
              mode = "0400";
              file = lib.concatStringsSep "\n" val.openssh.authorizedKeys.keys;
            };
          };
        }
      ) config.users;
    in
    {
      filesystem = dir {
        etc = dir {
          passwd = {
            file = passwd-file;
          };
          group = {
            file = group-file;
          };
        };
        home = dir authorized_key_files;
      };
    };
}
much text, such doc, very wow 2023-08-09 21:27:37 +00:00			`## Users`
			`## =====`
			`##`
			`## User- and group-related configuration.`
			`##`
			`## Changes made here are reflected in files such as :file:/etc/shadow,`
			`## :file:/etc/passwd, :file:/etc/group etc. If you are familiar with`
			`## user configuration in NixOS, please note that Liminix does not have`
			`## the concept of "mutable users" - files in /etc/ are symlinks to`
			`## the immutable store, so you can't e.g change a password with`
			## :command:`passwd`

nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`{`
			`lib,`
			`pkgs,`
			`config,`
			`...`
			`}:`
configuration for users and groups 2022-09-28 20:31:15 +00:00			`let`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`inherit (lib)`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`concatStrings`
			`concatStringsSep`
			`mapAttrsToList`
			`mkOption`
			`types`
			`;`
configuration for users and groups 2022-09-28 20:31:15 +00:00			`inherit (builtins) toString;`
remove dead code (run deadnix) 2024-06-29 21:59:27 +00:00			`inherit (pkgs.pseudofile) dir;`
cleanup whitespace and commas * [] is now [ ] * {} is now { } * commas in arglists go at end of line not beginning In short, I ran the whole thing through nixfmt-rfc-style but only accepted about 30% of its changes. I might grow accustomed to more of it over time 2024-06-30 15:58:29 +00:00			`passwd-file =`
			`let`
			`lines = mapAttrsToList (`
			`name: u:`
			`"${name}:${`
			`if u ? passwd then u.passwd else "!!"`
			`}:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n"`
			`) config.users;`
			`in`
			`concatStrings lines;`
configuration for users and groups 2022-09-28 20:31:15 +00:00			`group-file =`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`let`
			`lines = mapAttrsToList (`
			`name:`
			`{`
			`gid,`
			`usernames ? [ ],`
			`}:`
			`"${name}:x:${toString gid}:${concatStringsSep "," usernames}\n"`
			`) config.groups;`
			`in`
			`concatStrings lines;`
			`in`
			`{`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`options = {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`users = mkOption {`
			`type = types.attrsOf (`
			`types.submodule {`
			`options = {`
			`passwd = mkOption {`
			`type = types.str;`
			`description = "encrypted password, as generated by mkpasswd -m sha512crypt";`
			`example = "$6$RIYL.EgWOrtoJ0/7$Z53a8sc0o6AU/kuFOGiLJKhwVavTG/deoM7JTs6luNczYSUsh4UYmhvT8sVzm.l8F/LZXhhhkC7IHQs5UGAIM/";`
			`default = "!!";`
			`};`
			`uid = mkOption {`
			`type = types.int;`
			`};`
			`gid = mkOption {`
			`type = types.int;`
			`};`
			`gecos = mkOption {`
			`type = types.str;`
			`default = "";`
			`example = "Jo Q User";`
			`};`
			`dir = mkOption {`
			`type = types.str;`
			`default = "/run";`
			`};`
			`shell = mkOption {`
			`type = types.str;`
			`default = "/bin/sh";`
			`};`
			`openssh.authorizedKeys.keys = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`};`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`}`
			`);`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`groups = mkOption {`
			`type = types.attrsOf (`
			`types.submodule {`
			`options = {`
			`gid = mkOption {`
			`type = types.int;`
			`};`
			`usernames = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`};`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`};`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`}`
			`);`
define structured options for config.users 2023-03-04 00:24:48 +00:00			`};`
			`};`
add openssh authorized_keys 2023-03-10 23:13:32 +00:00			`config =`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`let`
			`authorized_key_files = lib.attrsets.mapAttrs (`
			`name: val:`
			`dir {`
			`".ssh" = dir {`
			`authorized_keys = {`
			`inherit (val) uid gid;`
			`type = "f";`
			`mode = "0400";`
			`file = lib.concatStringsSep "\n" val.openssh.authorizedKeys.keys;`
			`};`
			`};`
			`}`
			`) config.users;`
			`in`
			`{`
add openssh authorized_keys 2023-03-10 23:13:32 +00:00			`filesystem = dir {`
			`etc = dir {`
nixfmt-rfc-style There is nothing in this commit except for the changes made by nix-shell -p nixfmt-rfc-style --run "nixfmt ." If this has mucked up your open branches then sorry about that. You can probably nixfmt them to match before merging 2025-02-10 21:55:08 +00:00			`passwd = {`
			`file = passwd-file;`
			`};`
			`group = {`
			`file = group-file;`
			`};`
add openssh authorized_keys 2023-03-10 23:13:32 +00:00			`};`
			`home = dir authorized_key_files;`
configuration for users and groups 2022-09-28 20:31:15 +00:00			`};`
			`};`
			`}`