From 5ec13b17b7d5fb21bc10abd87c3a584c6bb2e924 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Fri, 11 Aug 2023 18:50:10 +0200
Subject: [PATCH] feat(common/users): init module and add customization options

---
 nix/os/profiles/common/user.nix | 75 +++++++++++++++++++++------------
 1 file changed, 49 insertions(+), 26 deletions(-)

diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix
index a2447f9..b21cd4e 100644
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@@ -1,6 +1,7 @@
 {
   config,
   pkgs,
+  lib,
   ...
 }: let
   keys = import ../../../variables/keys.nix;
@@ -11,39 +12,61 @@
     })
     mkUser
     ;
+
+  inherit (lib) types;
+
+  cfg = config.users.commonUsers;
 in {
-  sops.secrets.sharedUsers-root = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    neededForUsers = true;
-    format = "yaml";
+  options.users.commonUsers = {
+    enable = lib.mkOption {
+      default = true;
+      type = types.bool;
+    };
+
+    enableNonRoot = lib.mkOption {
+      default = true;
+      type = types.bool;
+    };
+
+    rootPasswordFile = lib.mkOption {
+      default = config.sops.secrets.sharedUsers-root.path;
+      type = types.path;
+    };
   };
+  config = lib.mkIf cfg.enable {
+    sops.secrets.sharedUsers-root = {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      neededForUsers = true;
+      format = "yaml";
+    };
 
-  sops.secrets.sharedUsers-steveej = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    neededForUsers = true;
-    format = "yaml";
-  };
+    sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      neededForUsers = true;
+      format = "yaml";
+    };
 
-  sops.secrets.sharedSshKeys-steveej = {
-    sopsFile = ../../../../secrets/shared-users.yaml;
-    # neededForUsers = true;
-    format = "yaml";
-  };
+    sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
+      sopsFile = ../../../../secrets/shared-users.yaml;
+      # neededForUsers = true;
+      format = "yaml";
+    };
 
-  users.mutableUsers = false;
+    users.mutableUsers = lib.mkForce false;
 
-  users.extraUsers.root = {
-    passwordFile = config.sops.secrets.sharedUsers-root.path;
-    openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+    users.extraUsers.root = {
+      passwordFile = cfg.rootPasswordFile;
+      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
 
-    # TODO: investigate why this secret cannot be found
-    # openssh.authorizedKeys.keyFiles = [
-    #   config.sops.secrets.sharedSshKeys-steveej.path
-    # ];
-  };
+      # TODO: investigate why this secret cannot be found
+      # openssh.authorizedKeys.keyFiles = [
+      #   config.sops.secrets.sharedSshKeys-steveej.path
+      # ];
+    };
 
-  users.extraUsers.steveej = mkUser {
-    uid = 1000;
-    passwordFile = config.sops.secrets.sharedUsers-steveej.path;
+    users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser {
+      uid = 1000;
+      passwordFile = config.sops.secrets.sharedUsers-steveej.path;
+    });
   };
 }
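Review bot: None of the three `lib.mkOption` declarations under `options.users.commonUsers` carries a `description`, and the one that matters for security, `rootPasswordFile`, therefore says nothing about what its file must contain or where it may live: NixOS's `users.extraUsers.root.passwordFile` expects a hashed password (chpasswd -e form), and because the option is typed `types.path` a caller could pass a Nix path literal, which would copy that hash into the world-readable store instead of the sops runtime path the default points at. I would add `description = "Runtime path (never a store path) to a file holding root's hashed password in chpasswd -e format.";` to `rootPasswordFile`, plus one-line descriptions for `enable` and `enableNonRoot`. Note also that `openssh.authorizedKeys.keys = keys.users.steveej.openssh` on the root user stays in effect when `enableNonRoot = false`, so that key still grants direct root SSH access with the non-root account disabled; if that is intended, a comment such as `# steveej's key is authorized for root regardless of enableNonRoot` would make it explicit. The `let` block whose `inherit … mkUser;` opens this hunk starts above it.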