dan/liminix
1
0
Fork 5
Code
nftables-turned
liminix/modules/users.nix
Daniel Barlow 7e2b0068e6 nixfmt-rfc-style 
There is nothing in this commit except for the changes made by
nix-shell -p nixfmt-rfc-style --run "nixfmt ."

If this has mucked up your open branches then sorry about that. You
can probably nixfmt them to match before merging
2025-02-10 21:55:08 +00:00

137 lines
3.2 KiB
Nix
Raw Permalink Blame History

## Users
## =====
##
## User- and group-related configuration.
##
## Changes made here are reflected in files such as :file:/etc/shadow,
## :file:/etc/passwd, :file:/etc/group etc. If you are familiar with
## user configuration in NixOS, please note that Liminix does not have
## the concept of "mutable users" - files in /etc/ are symlinks to
## the immutable store, so you can't e.g change a password with
## :command:`passwd`
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
concatStrings
concatStringsSep
mapAttrsToList
mkOption
types
;
inherit (builtins) toString;
inherit (pkgs.pseudofile) dir;
passwd-file =
let
lines = mapAttrsToList (
name: u:
"${name}:${
if u ? passwd then u.passwd else "!!"
}:${toString u.uid}:${toString u.gid}:${u.gecos}:${u.dir}:${u.shell}\n"
) config.users;
in
concatStrings lines;
group-file =
let
lines = mapAttrsToList (
name:
{
gid,
usernames ? [ ],
}:
"${name}:x:${toString gid}:${concatStringsSep "," usernames}\n"
) config.groups;
in
concatStrings lines;
in
{
options = {
users = mkOption {
type = types.attrsOf (
types.submodule {
options = {
passwd = mkOption {
type = types.str;
description = "encrypted password, as generated by mkpasswd -m sha512crypt";
example = "$6$RIYL.EgWOrtoJ0/7$Z53a8sc0o6AU/kuFOGiLJKhwVavTG/deoM7JTs6luNczYSUsh4UYmhvT8sVzm.l8F/LZXhhhkC7IHQs5UGAIM/";
default = "!!";
};
uid = mkOption {
type = types.int;
};
gid = mkOption {
type = types.int;
};
gecos = mkOption {
type = types.str;
default = "";
example = "Jo Q User";
};
dir = mkOption {
type = types.str;
default = "/run";
};
shell = mkOption {
type = types.str;
default = "/bin/sh";
};
openssh.authorizedKeys.keys = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
}
);
};
groups = mkOption {
type = types.attrsOf (
types.submodule {
options = {
gid = mkOption {
type = types.int;
};
usernames = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
}
);
};
};
config =
let
authorized_key_files = lib.attrsets.mapAttrs (
name: val:
dir {
".ssh" = dir {
authorized_keys = {
inherit (val) uid gid;
type = "f";
mode = "0400";
file = lib.concatStringsSep "\n" val.openssh.authorizedKeys.keys;
};
};
}
) config.users;
in
{
filesystem = dir {
etc = dir {
passwd = {
file = passwd-file;
};
group = {
file = group-file;
};
};
home = dir authorized_key_files;
};
};
}
View Git Blame Copy Permalink