From b4783e6b93a67ac49040a031d1afdf039e46bf28 Mon Sep 17 00:00:00 2001 From: Nico Jensch Date: Mon, 11 Sep 2023 19:42:37 +0200 Subject: [PATCH] feat(users): add FGD to our users, allowing access to buildiso (and exa -> eza) --- devshell/flake-module.nix | 2 +- flake.lock | 107 ++++++++++++++++------------- flake.nix | 24 +++++-- home-manager/alexjp.nix | 4 -- home-manager/nico.nix | 4 -- nixos/flake-module.nix | 1 + nixos/hosts/iso-runner.nix | 10 +++ nixos/modules/common.nix | 6 +- nixos/modules/users.nix | 135 ++++++++++++++++++++----------------- 9 files changed, 167 insertions(+), 126 deletions(-) diff --git a/devshell/flake-module.nix b/devshell/flake-module.nix index 9fd6990..62544f7 100644 --- a/devshell/flake-module.nix +++ b/devshell/flake-module.nix @@ -83,7 +83,7 @@ } { name = "buildiso-remote"; - help = "Spawn a buildiso shell on the iso-runner builder"; + help = "Spawns a buildiso shell on the iso-runner builder"; category = "infra-nix"; command = '' # We are assuming the NixOS user is named the same as the one using it diff --git a/flake.lock b/flake.lock index e0dc528..e595cf4 100644 --- a/flake.lock +++ b/flake.lock @@ -21,14 +21,16 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems" + "systems": [ + "systems" + ] }, "locked": { - "lastModified": 1693833206, - "narHash": "sha256-wHOY0nnD6gWj8u9uI85/YlsganYyWRK1hLFZulZwfmY=", + "lastModified": 1694435990, + "narHash": "sha256-yLQPD2eZGepu3yvdwABXrR3GhAqWRWTj9rn3a4knYuk=", "owner": "numtide", "repo": "devshell", - "rev": "65114ea495a8d3cc1352368bf170d67ef005aa5a", + "rev": "f6aec2e8b1cdddcab10ce7fc2eac66886e3deaad", "type": "github" }, "original": { 
@@ -75,14 +77,16 @@ }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": [ + "systems" + ] }, "locked": { - "lastModified": 1685518550, - "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", "owner": "numtide", "repo": "flake-utils", - "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", "type": "github" }, "original": { @@ -94,16 +98,15 @@ "gitignore": { "inputs": { "nixpkgs": [ - "pre-commit-hooks", "nixpkgs" ] }, "locked": { - "lastModified": 1660459072, - "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "lastModified": 1694102001, + "narHash": "sha256-vky6VPK1n1od6vXbqzOXnekrQpTL4hbPAwUhT5J9c9E=", "owner": "hercules-ci", "repo": "gitignore.nix", - "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "rev": "9e21c80adf67ebcb077d75bd5e7d724d21eeafd6", "type": "github" }, "original": { @@ -119,11 +122,11 @@ ] }, "locked": { - "lastModified": 1694134858, - "narHash": "sha256-fG/ESauOGmiojKlpJG8gB62dJa5Wd+ZIuiDMKK/HD3g=", + "lastModified": 1694375657, + "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", "owner": "nix-community", "repo": "home-manager", - "rev": "19c6a4081b14443420358262f8416149bd79561a", + "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", "type": "github" }, "original": { @@ -144,6 +147,18 @@ "url": "https://github.com/alexjp.keys" } }, + "keys_frank": { + "flake": false, + "locked": { + "narHash": "sha256-P/i98yv7ZDS9ZgqC19DTFp7r+W4sxRWB2BOb+q2x+Hw=", + "type": "file", + "url": "https://github.com/fgd-garuda.keys" + }, + "original": { + "type": "file", + "url": "https://github.com/fgd-garuda.keys" + } + }, "keys_nico": { "flake": false, "locked": { 
@@ -173,11 +188,11 @@ "locked": { "narHash": "sha256-d6PFL1WTyfee09ykY1oWnX+7nGhEfPZn4aSQouAS42c=", "type": "file", - "url": "https://github.com/Technetium1.keys" + "url": "https://github.com/technetium1.keys" }, "original": { "type": "file", - "url": "https://github.com/Technetium1.keys" + "url": "https://github.com/technetium1.keys" } }, "keys_tne": { @@ -258,11 +273,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1693985761, - "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=", + "lastModified": 1694183432, + "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=", "owner": "nixos", "repo": "nixpkgs", - "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352", + "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b", "type": "github" }, "original": { @@ -304,11 +319,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1685801374, - "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "lastModified": 1694304580, + "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760", "type": "github" }, "original": { @@ -323,19 +338,25 @@ "flake-compat": [ "flake-compat" ], - "flake-utils": "flake-utils", - "gitignore": "gitignore", + "flake-utils": [ + "flake-utils" + ], + "gitignore": [ + "gitignore" + ], "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": [ + "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1692274144, - "narHash": "sha256-BxTQuRUANQ81u8DJznQyPmRsg63t4Yc+0kcyq6OLz8s=", + "lastModified": 1694364351, + "narHash": "sha256-oadhSCqopYXxURwIA6/Anpe5IAG11q2LhvTJNP5zE6o=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "7e3517c03d46159fdbf8c0e5c97f82d5d4b0c8fa", + "rev": "4f883a76282bc28eb952570afc3d8a1bf6f481d7", "type": "github" }, "original": { 
@@ -349,8 +370,11 @@ "devshell": "devshell", "flake-compat": "flake-compat", "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "gitignore": "gitignore", "home-manager": "home-manager", "keys_alexjp": "keys_alexjp", + "keys_frank": "keys_frank", "keys_nico": "keys_nico", "keys_pedrohlc": "keys_pedrohlc", "keys_technetium1": "keys_technetium1", @@ -360,13 +384,15 @@ "meshagent_x86_64": "meshagent_x86_64", "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs", + "nixpkgs-stable": "nixpkgs-stable", "pre-commit-hooks": "pre-commit-hooks", "src-buildiso": "src-buildiso", "src-chaotic-mirror": "src-chaotic-mirror", "src-chaotic-toolbox": "src-chaotic-toolbox", "src-cloudflare-ipv4": "src-cloudflare-ipv4", "src-garuda-website": "src-garuda-website", - "src-repoctl": "src-repoctl" + "src-repoctl": "src-repoctl", + "systems": "systems" } }, "src-buildiso": { @@ -432,11 +458,11 @@ "src-garuda-website": { "flake": false, "locked": { - "lastModified": 1694112632, - "narHash": "sha256-E4uVUgGi2iMNTl/UWrnAalI5BroXwJMNnaSwVO0pmuA=", + "lastModified": 1694422278, + "narHash": "sha256-VaGoziKj7kAnKuT8WTIjWH0HpmGoVzruE6ST5oBDZ7A=", "owner": "garuda-linux%2Fwebsite", "repo": "garuda", - "rev": "462fb51604ab0ed328a5dccfc5221407444f3cab", + "rev": "1c7c53a88b8d5723519696091ca72528ced1d871", "type": "gitlab" }, "original": { @@ -476,21 +502,6 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "utils": { "locked": { "lastModified": 1605370193, diff --git a/flake.nix b/flake.nix index d27fd20..767fd30 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,6 +8,7 @@ # Devshell to set up a development environment devshell.url = "github:numtide/devshell"; devshell.inputs.nixpkgs.follows = "nixpkgs"; + devshell.inputs.systems.follows = "systems"; # Used by multiple flakes, have them use the same version flake-compat.url = "github:edolstra/flake-compat"; @@ -17,12 +18,21 @@ flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; + # Required by pre-commit-hooks + flake-utils.url = "github:numtide/flake-utils"; + flake-utils.inputs.systems.follows = "systems"; + + # Gitignore common input + gitignore.url = "github:hercules-ci/gitignore.nix"; + gitignore.inputs.nixpkgs.follows = "nixpkgs"; + # Home-manager for dotfile management home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; # The single source of truth nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05"; # Our mailserver nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; 
@@ -38,14 +48,19 @@ # Pre-commit hooks via nix-shell or nix develop pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; pre-commit-hooks.inputs.flake-compat.follows = "flake-compat"; + pre-commit-hooks.inputs.flake-utils.follows = "flake-utils"; + pre-commit-hooks.inputs.gitignore.follows = "gitignore"; pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs"; + pre-commit-hooks.inputs.nixpkgs-stable.follows = "nixpkgs-stable"; # SSH keys of maintainers keys_nico.url = "https://github.com/dr460nf1r3.keys"; keys_nico.flake = false; keys_tne.url = "https://github.com/justtne.keys"; keys_tne.flake = false; - keys_technetium1.url = "https://github.com/Technetium1.keys"; + keys_frank.url = "https://github.com/fgd-garuda.keys"; + keys_frank.flake = false; + keys_technetium1.url = "https://github.com/technetium1.keys"; keys_technetium1.flake = false; keys_alexjp.url = "https://github.com/alexjp.keys"; keys_alexjp.flake = false; @@ -67,6 +82,9 @@ src-garuda-website.flake = false; src-cloudflare-ipv4.url = "https://www.cloudflare.com/ips-v4"; src-cloudflare-ipv4.flake = false; + + # Common input + systems.url = "github:nix-systems/default"; }; outputs = @@ -88,9 +106,7 @@ perSystem = { pkgs, system, ... }: { # Enter devshell via "nix run .#apps.x86_64-linux.devshell" - apps = { - devshell = self.outputs.devShells.${system}.default.flakeApp; - }; + apps.devshell = self.outputs.devShells.${system}.default.flakeApp; # Run nixpkgs-fmt via "nix fmt" formatter = pkgs.nixpkgs-fmt; diff --git a/home-manager/alexjp.nix b/home-manager/alexjp.nix index 7844f4e..5957fbc 100644 --- a/home-manager/alexjp.nix +++ b/home-manager/alexjp.nix @@ -18,10 +18,6 @@ enable = true; config.theme = "GitHub"; }; - exa = { - enable = true; - enableAliases = true; - }; fish.enable = true; git = { enable = true; diff --git a/home-manager/nico.nix b/home-manager/nico.nix index abfe3b8..dd7307d 100644 --- a/home-manager/nico.nix +++ b/home-manager/nico.nix 
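Review bot: The new `keys_frank` input in flake.nix turns whatever `https://github.com/fgd-garuda.keys` serves at lock time into authorized keys for the `frank` account, and nothing near the `# SSH keys of maintainers` block says that a lock bump is an access-control change. The `narHash` in flake.lock pins the current key set, so the exposure is at `nix flake update`: a key added to that GitHub account is accepted on the next bump without any edit to the Nix code in this repository. I would extend the comment to `# SSH keys of maintainers - pinned by narHash in flake.lock; review every keys_* hash change before merging a lock update`. The lowercased `keys_technetium1` URL in the same hunk keeps its narHash as a context line in flake.lock, which suggests the served keys did not change.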
@@ -26,10 +26,6 @@ theme_background = false; }; }; - exa = { - enable = true; - enableAliases = true; - }; fish = { enable = true; }; diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index ea9abdd..6259695 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -37,6 +37,7 @@ let }; keys = { alexjp = inputs.keys_alexjp; + frank = inputs.keys_frank; nico = inputs.keys_nico; pedrohlc = inputs.keys_pedrohlc; technetium1 = inputs.keys_technetium1; diff --git a/nixos/hosts/iso-runner.nix b/nixos/hosts/iso-runner.nix index e447469..798487e 100644 --- a/nixos/hosts/iso-runner.nix +++ b/nixos/hosts/iso-runner.nix @@ -12,5 +12,15 @@ rsyncd.enable = lib.mkForce false; }; + # Let maintainers use buildiso (which is a wrapper around the Docker container) + # without having to enter a password - our devshell should work just like that + security.sudo.extraRules = [{ + users = [ "frank" ]; + commands = [{ + command = "/run/current-system/sw/bin/buildiso"; + options = [ "NOPASSWD" ]; + }]; + }]; + system.stateVersion = "23.05"; } diff --git a/nixos/modules/common.nix b/nixos/modules/common.nix index 23e8db3..4c0ff55 100644 --- a/nixos/modules/common.nix +++ b/nixos/modules/common.nix @@ -54,7 +54,7 @@ "egrep" = "egrep --color=auto"; "fgrep" = "fgrep --color=auto"; "ip" = "ip --color=auto"; - "ls" = "exa -al --color=always --group-directories-first --icons"; + "ls" = "eza -al --color=always --group-directories-first --icons"; "micro" = "micro -colorscheme geany -autosu true -mkparents true"; "psmem" = "ps auxf | sort -nr -k 4"; "psmem10" = "ps auxf | sort -nr -k 4 | head -1"; 
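Review bot: The `security.sudo.extraRules` entry added in nixos/hosts/iso-runner.nix gives the command as a bare path, and a sudoers command without an argument list matches any arguments, so `frank` can run `buildiso` as root with arbitrary parameters and no password. The comment above it says buildiso wraps the Docker container and the devshell help text says it spawns a shell, so unless the wrapper itself fixes the image, mounts and flags (not visible in this diff), this is close to root on the builder rather than limited access. I would say so in the comment, e.g. `# NOPASSWD root for buildiso: the wrapper must not forward user-supplied docker options or host mounts`, and confirm the wrapper behaves that way. `users = [ "frank" ]` also hard-codes one name where the comment speaks of maintainers; `groups = [ "<maintainer-group>" ]` with a group of your choosing would keep the rule and the account list from drifting apart.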
@@ -79,7 +79,7 @@ "egrep" = "egrep --color=auto"; "fgrep" = "fgrep --color=auto"; "ip" = "ip --color=auto"; - "ls" = "exa -al --color=always --group-directories-first --icons"; + "ls" = "eza -al --color=always --group-directories-first --icons"; "micro" = "micro -colorscheme geany -autosu true -mkparents true"; "psmem" = "ps auxf | sort -nr -k 4"; "psmem10" = "ps auxf | sort -nr -k 4 | head -1"; @@ -140,7 +140,7 @@ systemPackages = with pkgs; [ btop cachix - exa + eza fancy-motd fishPlugins.autopair fishPlugins.puffer diff --git a/nixos/modules/users.nix b/nixos/modules/users.nix index 34bc4c7..7d4fe22 100644 --- a/nixos/modules/users.nix +++ b/nixos/modules/users.nix 
@@ -5,71 +5,82 @@ , pkgs , ... }: { - # All users are immuntable; if a password is required it needs to be set via passwordFile - users.mutableUsers = false; - - # Ansible user - generate password files with + # Generate password files with # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' > /path/to/passwordfile # and add them to infra-nix-secrets repo - users.users.ansible = { - extraGroups = [ "wheel" ]; - home = "/home/ansible"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = [ keys.nico keys.tne ]; - uid = lib.mkIf garuda-lib.unifiedUID 1000; - }; - # Garuda Admins - users.users.nico = { - extraGroups = [ "wheel" "docker" "chaotic_op" ]; - home = "/home/nico"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = [ keys.nico ]; - passwordFile = "/var/garuda/secrets/pass/nico"; - uid = lib.mkIf garuda-lib.unifiedUID 1001; - }; - users.users.sgs = { - extraGroups = [ "wheel" ]; - home = "/home/sgs"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 sgs-linux@shell.sf.net" - ]; - passwordFile = "/var/garuda/secrets/pass/sgs"; - uid = lib.mkIf garuda-lib.unifiedUID 1002; - }; - users.users.tne = { - extraGroups = [ "wheel" "docker" "chaotic_op" ]; - home = "/home/tne"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = [ keys.tne ]; - passwordFile = "/var/garuda/secrets/pass/tne"; - uid = lib.mkIf garuda-lib.unifiedUID 1003; - }; + users = { + # All users are immuntable; if a password is required it needs to be set via passwordFile + mutableUsers = false; + # Define our users + users.ansible = { + extraGroups = [ "wheel" ]; + home = "/home/ansible"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = [ keys.nico keys.tne ]; + uid = lib.mkIf garuda-lib.unifiedUID 1000; + }; + # Garuda admins - god mode + users.nico = { + extraGroups = [ "wheel" "docker" "chaotic_op" ]; + home = "/home/nico"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = [ keys.nico 
]; + passwordFile = "/var/garuda/secrets/pass/nico"; + uid = lib.mkIf garuda-lib.unifiedUID 1001; + }; + users.sgs = { + extraGroups = [ "wheel" ]; + home = "/home/sgs"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 sgs-linux@shell.sf.net" + ]; + passwordFile = "/var/garuda/secrets/pass/sgs"; + uid = lib.mkIf garuda-lib.unifiedUID 1002; + }; + users.tne = { + extraGroups = [ "wheel" "docker" "chaotic_op" ]; + home = "/home/tne"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = [ keys.tne ]; + passwordFile = "/var/garuda/secrets/pass/tne"; + uid = lib.mkIf garuda-lib.unifiedUID 1003; + }; - # Chaotic-AUR maintainers - users.users.technetium = { - extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; - home = "/home/technetium"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.technetium1 ]; - shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; - uid = lib.mkIf garuda-lib.unifiedUID 1004; - }; - users.users.alexjp = { - extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; - home = "/home/alexjp"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.alexjp ]; - shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; - uid = lib.mkIf garuda-lib.unifiedUID 1005; - }; - users.users.xiota = { - extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; - home = "/home/xiota"; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.xiota ]; - shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; - uid = lib.mkIf garuda-lib.unifiedUID 1006; + # Garuda maintainers - limited access to buildiso + users.frank = { + home = "/home/frank"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = 
lib.mkIf config.services.garuda-iso.enable [ keys.frank ]; + shell = lib.mkIf (!config.services.garuda-iso.enable) "${pkgs.util-linux}/bin/nologin"; + uid = lib.mkIf garuda-lib.unifiedUID 1007; + }; + + # Chaotic-AUR maintainers - limited access to chaotic-aur builders + users.technetium = { + extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; + home = "/home/technetium"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.technetium1 ]; + shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; + uid = lib.mkIf garuda-lib.unifiedUID 1004; + }; + users.alexjp = { + extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; + home = "/home/alexjp"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.alexjp ]; + shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; + uid = lib.mkIf garuda-lib.unifiedUID 1005; + }; + users.xiota = { + extraGroups = lib.mkIf config.services.chaotic.enable [ "chaotic_op" ]; + home = "/home/xiota"; + isNormalUser = true; + openssh.authorizedKeys.keyFiles = lib.mkIf config.services.chaotic.enable [ keys.xiota ]; + shell = lib.mkIf (!config.services.chaotic.enable) "${pkgs.util-linux}/bin/nologin"; + uid = lib.mkIf garuda-lib.unifiedUID 1006; + }; }; # Sudo configuration
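Review bot: The comment `# Garuda maintainers - limited access to buildiso` on `users.frank` promises more than the attributes below it enforce: when `config.services.garuda-iso.enable` is true the account gets its key and a regular login shell, so the only limit is the absence of `wheel` and `docker` in `extraGroups`. The one root path is the NOPASSWD rule added in nixos/hosts/iso-runner.nix, which is keyed on the user name rather than on the same option, so the two can diverge. I would reword the comment to `# Garuda maintainers - normal shell on ISO hosts, no wheel/docker; root only via the buildiso sudo rule in hosts/iso-runner.nix`. If only buildiso is meant to be reachable over SSH, an sshd `Match User` block with `ForceCommand` would enforce that, though it has to be checked against how the devshell's buildiso-remote command connects. The sudo configuration that follows this hunk is outside the visible lines.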