From 91581ebb1574d505d27fcff98e2649e1ceac63be Mon Sep 17 00:00:00 2001
From: Stefan Ellmauthaler <stefan.ellmauthaler@tu-dresden.de>
Date: Wed, 11 May 2022 10:14:42 +0200
Subject: [PATCH] Add user file options and the actual file

---
 common/users.nix  |  23 ++++++++++
 modules/users.nix | 113 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100644 common/users.nix
 create mode 100644 modules/users.nix

diff --git a/common/users.nix b/common/users.nix
new file mode 100644
index 0000000..c2e57ae
--- /dev/null
+++ b/common/users.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+with lib; {
+  config = {
+    elss = {
+      users = {
+        enable = true;
+        admiins = [ "ellmau" ];
+        users = [ ];
+        meta = {
+          ellmau = {
+            description = "Stefan Ellmauthaler";
+            mailAddress = "stefan.ellmauthaler@tu-dresden.de";
+            hashedPassword = "$6$8TtAMwO3cf6EK0uH$k6MVV.H/DDNdb3yMWwv/z4Bo9TT9WYxCKqILh50t8YBR67SGbA1wRoho6FLTSRJmu.YGDUJARR3nXE27h.ve0/";
+            publicKeys = [
+              "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII0XgjNGsqo8gbtPTpH8pHCdGQyGNWdKcSAmyhiLBLM3 stefan.ellmauthaler@tu-dresden.de"
+              "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyL/ynqq4pMhALzbLky9b/+Oledo8X21bWOKWUyBUlXp9u35WkU5BnSbHZ79TxuKl+Lw28hXItW/xtyDdVEPAKx6uopA9alMMbRr0ghpkEyc76Pdh3TcXDNj613i2Rwx9nHMJpcuWcl8rKtoorH4z3GzftJoWMQbvmYhy0kctLXsf81Ud9eKOELzftLILDYa7/L9C08x3b/vfK90vK0AdiQU0nZf+XmbPT5wosAjTzFrigSpSaoqdJhEhq9V3dRTPVM6DT7gEVCzgcFDJJKRGx944ivMubtzKffirF/RgDaLkD6WHlV3Ymg1gSpKAswY2QwcnV0mkRofWh8y1/eGckNJ0CJ7vv2GKZUI7AVjUyEZq1GxDMEhLN12SHoOby/hP3BeCTEcZeDqPj28ZlS8e+oF0dTJnwsD6nHPV5xlPdQeyD17QF7HUoNd/wV+SzRGzaVz6AEh2vodSt2t9eaugMK3L/xiOSrguhkyJEI95cJgBOC+i4BF+poOikACzZPIpQ8bx0HKEynDsM4QlNvKmjS6uBQuLaUjaQIHjEt24MiAJdhxHZIsSliMzmRycs9jRMBj4WiSolee6j+YDm7e/l1vSE3mRO23atPOWvIF+1+r1LGFWLQp2j8iQJJ6DyX4+5Nkk0VrM0JCinNWTj+1C4hxvqwzrZ5i5mMYgSTJYx0w== nucturne"
+            ];
+          };
+        };
+      };
+    };
+  };
+}
diff --git a/modules/users.nix b/modules/users.nix
new file mode 100644
index 0000000..7fbe541
--- /dev/null
+++ b/modules/users.nix
@@ -0,0 +1,113 @@
+{ config, pkgs, lib, ... }:
+
+with lib; {
+  options.elss.users = {
+    enable = mkEnableOption "elss specific user configuration";
+
+    commonUserFile = mkOption {
+      type = types.attrsOf
+        (types.submodule{
+          options = {
+            enable = mkEnableOption "use a common file of users";
+            fileLoc = mkOption {
+              description = "path to the file of users";
+              type = types.path;
+              default = ../common/users.nix;
+            };
+          };
+        });
+    };
+
+    users = mkOption {
+      description = "logins of non-admin users to configure";
+      type = types.listOf types.str;
+    };
+    admins = mkOption {
+      description = "logins of admin users to configure";
+      type = types.listOf types.str;
+    };
+    meta = mkOption {
+      type = types.attrsOf
+        (types.submodule {
+          options = {
+            description = mkOption {
+              type = types.str;
+              description = "full name of the user";
+            };
+            hashedPassword = mkOption
+              {
+                type = types.str;
+                default = null;
+                description = "hashed password, only required for admins";
+              };
+            publicKeys = mkOption {
+              type = types.listOf types.str;
+              description = "SSH public keys for the user";
+            };
+            mailAddress = mkOption {
+              type = types.str;
+              description = "Email address of the user";
+            };
+          };
+        });
+    };
+  };
+
+  config =
+    let
+      cfg = config.elss.users;
+      inherit (elss.withConfig config) mapAdmins mapUsers mapAllUsersAndRoot;
+
+      getMeta = login:
+        builtins.getAttr login cfg.meta;
+      mkAdmin = login:
+        mkMerge [
+          (mkUser login)
+          {
+            extraGroups = [ "wheel" ];
+            inherit (getMeta login) hashedPassword;
+          }
+        ];
+      mkUser = login:
+        let meta = getMeta login;
+        in
+          {
+            inherit (meta) description;
+            isNormalUser = true;
+            home = "/home/${login}";
+            extraGroups = [ ];
+            openssh.authorizedKeys.keys = meta.publicKeys;
+          };
+    in
+      mkIf (cfg.enable)
+        {
+          assertions =
+            let
+              cfg = config.elss.users;
+            in
+              [
+                {
+                  assertion = mutuallyExclusive cfg.users cfg.admins;
+                  message = "kbs.users.users and kbs.users.admins are mutually exclusive";
+                }
+                {
+                  assertion = all (hash: hash != "")
+                    (catAttrs "hashedPassword" (attrVals cfg.admins cfg.meta));
+                  message = "No admin without password";
+                }
+                {
+                  assertion = length (cfg.admins) > 0;
+                  message = "One admin needed at least";
+                }
+              ];
+
+          users = {
+            mutableUsers = false;
+            users =
+              mkMerge [
+                (mapAdmins mkAdmin)
+                (mapUsers mkUser)
+              ];
+          };
+        };
+}