nixos-config/profiles/security/user.nix

{ config, pkgs, lib, ... }: {
  security.apparmor.enable = true;
  programs.firejail.enable = true;

  users.mutableUsers = false;
  users.users.${config.mainuser} = {
    isNormalUser = true;
    extraGroups = [
      "adbusers"
      "audio"
      "cdrom"
      "corectrl"
      "dialout"
      "disk"
      "docker"
      "input"
      "kvm"
      "libvirtd"
      "limits"
      "lp"
      "lxd"
      "networkmanager"
      "podman"
      "qemu-libvirtd"
      "render"
      "scanner"
      "systemd-journal"
      "smbuser"
      "video"
    ];
    description = "AtaraxiaDev";
    uid = 1000;
    hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";

    shell = pkgs.zsh;
  };
  users.users.deploy = {
    description = "The administrator account for deploy-rs.";
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys =
      config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
  };
  programs.zsh.enable = true;
  # Safe, because we are using doas
  users.allowNoPasswordLogin = true;

  systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
  services.getty.autologinUser = config.mainuser;

  users.groups.limits = {};
  security.pam.loginLimits = [
    { domain = "@limits"; item = "memlock"; type = "soft"; value = "unlimited"; }
    { domain = "@limits"; item = "memlock"; type = "hard"; value = "unlimited"; }
  ];
}
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`{ config, pkgs, lib, ... }: {`
small fixes 2023-04-08 18:00:13 +03:00			`security.apparmor.enable = true;`
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`programs.firejail.enable = true;`

			`users.mutableUsers = false;`
			`users.users.${config.mainuser} = {`
			`isNormalUser = true;`
			`extraGroups = [`
			`"adbusers"`
			`"audio"`
			`"cdrom"`
			`"corectrl"`
			`"dialout"`
			`"disk"`
			`"docker"`
			`"input"`
			`"kvm"`
			`"libvirtd"`
game console emulators 2023-07-05 20:43:30 +03:00			`"limits"`
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`"lp"`
			`"lxd"`
			`"networkmanager"`
			`"podman"`
			`"qemu-libvirtd"`
			`"render"`
			`"scanner"`
			`"systemd-journal"`
			`"smbuser"`
			`"video"`
			`];`
			`description = "AtaraxiaDev";`
			`uid = 1000;`
			`hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";`

			`shell = pkgs.zsh;`
			`};`
add deploy user for hosts 2023-06-27 23:07:48 +03:00			`users.users.deploy = {`
			`description = "The administrator account for deploy-rs.";`
			`isNormalUser = true;`
			`extraGroups = [ "wheel" ];`
			`openssh.authorizedKeys.keys =`
			`config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;`
			`};`
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`programs.zsh.enable = true;`
game console emulators 2023-07-05 20:43:30 +03:00			`# Safe, because we are using doas`
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`users.allowNoPasswordLogin = true;`

			`systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };`
			`services.getty.autologinUser = config.mainuser;`
game console emulators 2023-07-05 20:43:30 +03:00
			`users.groups.limits = {};`
			`security.pam.loginLimits = [`
			`{ domain = "@limits"; item = "memlock"; type = "soft"; value = "unlimited"; }`
			`{ domain = "@limits"; item = "memlock"; type = "hard"; value = "unlimited"; }`
			`];`
move modules to flake.nix and split security 2023-03-27 15:48:23 +03:00			`}`