nix-infra/config/common/users.nix

# Common users.
# Sources for this configuration:
# - a generated NixOS 23.05 configuration
# - https://nixos.org/manual/nixos/stable/#sec-user-management
# - https://git.grzb.de/yuri/nix-infra/-/blob/aa38daeea59f2ca12b7e591de6f8b61565780c48/configuration/common/default.nix#L19
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings

{ config, pkgs, lib, ... }:

let
  authorizedKeysRepo = pkgs.fetchgit {
    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
    rev = "686a6af22f6696f0c0595c56f463c078550049fc";
    hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
  };
  authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in
{
  users.mutableUsers = false;

  users.users.chaos = {
    isNormalUser = true;
    description = "Chaos";
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  users.users.colmena-deploy = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = authorizedKeys;
  };

  nix.settings.trusted-users = [ "colmena-deploy" ];

  # Since our user doesn't have a password, allow passwordless sudo for wheel.
  security.sudo.wheelNeedsPassword = false;
}