users: custom property to define users with root

2025-03-17 02:57:15 +00:00 · 2025-03-17 02:57:15 +00:00 · d8e85815bd
parent 55000c365a
commit d8e85815bd
7 changed files with 29 additions and 7 deletions
--- a/common/users/default.nix
+++ b/common/users/default.nix
@ -1,3 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption types genAttrs;
+  cfg = config.fountain;
+in
 {
  # TODO: consider DRY-ing these
  imports = [
@ -7,5 +13,21 @@
    ./trungle.nix
  ];

-  users.mutableUsers = false;
+  options.fountain = {
+    admins = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      description = "List of users who should have root on this system";
+    };
+  };
+
+  config = {
+    users.mutableUsers = false;
+
+    users.users = genAttrs cfg.admins
+      (name: {
+        extraGroups = [ "wheel" ];
+      }
+      );
+  };
 }
--- a/hosts/elucredassa/default.nix
+++ b/hosts/elucredassa/default.nix
@ -37,7 +37,7 @@ in
  };

  fountain.users.qenya.enable = true;
-  users.users.qenya.extraGroups = [ "wheel" ];
+  fountain.admins = [ "qenya" ];

  system.stateVersion = "24.11";
 }
--- a/hosts/kalessin/default.nix
+++ b/hosts/kalessin/default.nix
@ -15,7 +15,7 @@ in
  networking.domain = "birdsong.network";

  fountain.users.qenya.enable = true;
-  users.users.qenya.extraGroups = [ "wheel" ];
+  fountain.admins = [ "qenya" ];
  fountain.users.randomcat.enable = true;
  fountain.users.trungle.enable = true;

--- a/hosts/kilgharrah/default.nix
+++ b/hosts/kilgharrah/default.nix
@ -32,7 +32,7 @@ in
  fountain.users.qenya.enable = true;
  age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age;
  users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path;
-  users.users.qenya.extraGroups = [ "wheel" ];
+  fountain.admins = [ "qenya" ];
  home-manager.users.qenya = { pkgs, ... }: {
    home.packages = with pkgs; [ obs-studio ];
    # For the moment, this hosts some network-accessible services, so we want it on 24/7
--- a/hosts/orm/default.nix
+++ b/hosts/orm/default.nix
@ -12,7 +12,7 @@
  networking.domain = "birdsong.network";

  fountain.users.qenya.enable = true;
-  users.users.qenya.extraGroups = [ "wheel" ];
+  fountain.admins = [ "qenya" ];
  qenya.base-server.enable = true;

  qenya.services.distributed-builds = {
--- a/hosts/tohru/default.nix
+++ b/hosts/tohru/default.nix
@ -31,10 +31,10 @@ in
  nix.optimise.automatic = mkForce false;

  fountain.users.qenya.enable = true;
+  fountain.admins = [ "qenya" ];
  age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age;
  users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path;
  users.users.qenya.extraGroups = [
-    "wheel" # sudo
    "networkmanager" # UI wifi configuration
    "dialout" # access to serial ports
  ];
--- a/hosts/yevaud/default.nix
+++ b/hosts/yevaud/default.nix
@ -16,7 +16,7 @@
  networking.domain = "birdsong.network";

  fountain.users.qenya.enable = true;
-  users.users.qenya.extraGroups = [ "wheel" ];
+  fountain.admins = [ "qenya" ];
  qenya.base-server.enable = true;

  qenya.services.distributed-builds = {