feat: init

2026-03-17 04:07:14 -07:00 · 2026-03-17 04:07:14 -07:00 · 8cfede9f57
commit 8cfede9f57
28 changed files with 2129 additions and 0 deletions
--- a/modules/users.nix
+++ b/modules/users.nix
@ -0,0 +1,74 @@
+{ config, pkgs, lib, ... }:
+let
+  admins = [
+    {
+      name = "superq";
+      github = "SuperQ";
+      description = "Ben Kochie";
+    }
+    {
+      name = "rizend";
+      description = "rizend";
+      extraKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWvlc3+qDxhKE3jCCxKKU1h9QJyhCqLgHAwkiokvSPig6dXZW9f8uS/1CNMEmB5avrZhT6S3V00NExqZMldJechROhQoZb6YrUzakaeJCHrbThotQ/TlDuRWCCEh+y/qowk261X4Rbdx/KMwPuROP0p+pw2u3CVoLC7ejnsCwzTMZJ450QtZau0nvP7PY1vnehg2npA4HOqtwjOABJlMMpSZfaQdddwQJ7YE01GLpXF73Lwcnyue51fWFdjsQwIeQM2feO0yf1r1fjoLyMfWCVLK2GI0ONXVFWKQ52kfzr4QQ7Tq+Xi12qr7KGlHZ8yl7tw3MUoyU7k0HrUea1F8WF"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvHlZKV8yBsJOkeu2FkWZ1UDY/uTS8bBUbqh1W0pJ3BMec55uvRLNv1AT5Z7RHKbwdjiZTBm6sP0CRVjsOxeGRCVeddHx1SxsXeihZIRQLHX+Z7M1YwYdzmzRDIEhuZhp+RnGH71ESVEHlmUhNPYsNmlgE3nyNbbDatYRZQqC204pal6cz4CHRUWYIozAQvpO8BF+cNDbNgT1yR5DWflwHErlv8yltmxNjh+gQQgp7RzI+05uzpRgumLCIqdHIKUflDJGvZXnUNAr5nv8Xe3W77AZz348nK2SYoD7dOBw23LpEzmy0mENL+/d3ZCuricslc1eBqCpVxJiF7s/RCtix"
+      ];
+    }
+    {
+      name = "bfb";
+      github = "kevinjos";
+      description = "bfb";
+    }
+    {
+      name = "jof";
+      github = "jof";
+      description = "Jonathan Lassoff";
+    }
+    {
+      name = "mcint";
+      github = "mcint";
+      description = "Loren McIntyre";
+    }
+  ];
+
+  mkAdmin = { name, github ? null, description, extraKeys ? [] }: {
+    inherit name;
+    value = {
+      isNormalUser = true;
+      inherit description;
+      extraGroups = [ "wheel" ];
+      openssh.authorizedKeys.keys = extraKeys;
+      openssh.authorizedKeys.keyFiles =
+        lib.optionals (github != null) [
+          (builtins.fetchurl {
+            url = "https://github.com/${github}.keys";
+          })
+        ];
+    };
+  };
+
+  # Collect all GitHub key files for root access (deploy-rs needs root SSH)
+  adminKeyFiles = lib.concatMap
+    ({ github ? null, ... }:
+      lib.optionals (github != null) [
+        (builtins.fetchurl { url = "https://github.com/${github}.keys"; })
+      ])
+    admins;
+
+  adminExtraKeys = lib.concatMap
+    ({ extraKeys ? [], ... }: extraKeys)
+    admins;
+in
+{
+  users.mutableUsers = false;
+
+  users.users = builtins.listToAttrs (map mkAdmin admins);
+
+  # Root gets all admin keys so deploy-rs can SSH in
+  users.users.root.openssh.authorizedKeys = {
+    keyFiles = adminKeyFiles;
+    keys = adminExtraKeys;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+}