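{ flakes, pkgs, lib, config, ... }:
# Users, groups and per-user privileges for the "mermet" machine.
# The `backup` account is the unprivileged target that syncoid (running on
# "losurdo") logs into over SSH; it receives only the ZFS delegations below.
let
  inherit (builtins) readFile;
  inherit (config.users) users;
in
{
  imports = [
    ../../members/julm.nix
  ];

  # Trusted users may set any nix-daemon option (substituters, sandbox,
  # builders, ...), which is equivalent to root on this host.
  # Keep this list to administrators only.
  nix.trustedUsers = [
    users."julm".name
  ];

  # Egress filtering keyed on the socket's owning uid: only processes running
  # as julm may open these outbound TCP ports. The `fw2net` chain and its
  # default policy are defined elsewhere in the configuration.
  networking.nftables.ruleset = ''
    add rule inet filter fw2net tcp dport {25,465} skuid ${users.julm.name} counter accept comment "SMTP"
    add rule inet filter fw2net tcp dport 43 skuid ${users.julm.name} counter accept comment "Whois"
    add rule inet filter fw2net tcp dport 563 skuid ${users.julm.name} counter accept comment "NNTPS"
    add rule inet filter fw2net tcp dport 6697 skuid ${users.julm.name} counter accept comment "IRCS"
    add rule inet filter fw2net tcp dport 11371 skuid ${users.julm.name} counter accept comment "HKP"
  '';

  # Delegate to the backup user the ZFS permissions syncoid needs on the
  # sending side. Without -l/-d, `zfs allow` applies to rpool AND every
  # descendant dataset, so this account can `send` (read) all of them.
  # `zfs allow` is additive and re-run on every activation: narrowing this
  # list later does not revoke what was already granted; use `zfs unallow`.
  system.activationScripts.backup = ''
    zfs allow -u "${users.backup.name}" bookmark,hold,send rpool
  '';

  users = {
    # Accounts and groups not declared here are removed on activation.
    mutableUsers = false;
    users = {
      root = {
        # Key-based root login is only reachable if sshd's PermitRootLogin
        # (configured elsewhere) allows it.
        openssh.authorizedKeys.keys = [
          (readFile (flakes.secrets + "/machines/losurdo/ssh/root.ssh-ed25519.pub"))
        ] ++ users."julm".openssh.authorizedKeys.keys;
      };
      backup = {
        isSystemUser = true;
        # Dedicated primary group instead of the shared `nogroup` default
        # (newer NixOS releases also refuse system users without a group).
        group = "backup";
        # syncoid executes `zfs` commands over SSH, so a real shell is needed.
        shell = users.root.shell;
        # NOTE(review): these keys open an unrestricted shell as `backup`,
        # i.e. full use of the ZFS delegations above. A `restrict,command=`
        # prefix on losurdo's key would confine it to the syncoid invocation;
        # confirm the exact remote command syncoid issues before adding one.
        openssh.authorizedKeys.keys = [
          (readFile (flakes.secrets + "/machines/losurdo/ssh/backup.ssh-ed25519.pub"))
        ] ++ users."julm".openssh.authorizedKeys.keys;
      };
    };
    groups = {
      # Primary group of the backup user; no other members.
      backup = {};
      # wheel is the sudo/administrator group.
      wheel = {
        members = [
          users."julm".name
        ];
      };
    };
  };
}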