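{ pkgs, inputs, config, lib, ... }:
let
  username = "media";

  # Every regular file found under ../keys (recursively) is installed verbatim
  # as an authorized key for this account, so dropping a file into that
  # directory grants SSH login as `media`. Review that directory like a sudoers file.
  pubKeys = lib.filesystem.listFilesRecursive (../keys);

  hostname = config.networking.hostName;

  # The sops-nix module (and therefore `config.sops`) only exists when the
  # flake input is present; gate every reference to it on this flag.
  hasSops = lib.hasAttr "sops-nix" inputs;

  # Fix: the original used `lib.optionalString`, which yields "" when sops-nix
  # is absent. "" is a *defined* (and bogus) path for `hashedPasswordFile`,
  # whereas `null` means "no password file at all".
  sopsHashedPasswordFile =
    if hasSops then config.sops.secrets."passwords/${username}".path else null;

  # The flake input is a store path, so secrets.yaml is world-readable there.
  # That is the normal sops-nix model: the file is encrypted; only the
  # decryption key material must stay out of the store.
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";

  sshFolder = "/home/${username}/.ssh";
in
{
  users.users.${username} = {
    isNormalUser = true;
    shell = pkgs.zsh; # default shell
    hashedPasswordFile = sopsHashedPasswordFile;
    openssh.authorizedKeys.keys = map builtins.readFile pubKeys;
    # NOTE(review): on the NixOS default sudo configuration `wheel` is full
    # sudo. Confirm a "media" account really needs administrative rights;
    # least privilege would keep it out of wheel.
    extraGroups = [ "wheel" ];
    packages = with pkgs; [ flatpak gnome.gnome-software ];
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    users.${username} = {
      # `.ssh` is persisted, so the sops-placed private key (see
      # sops.secrets below) survives reboots together with authorized_keys.
      directories = [ "Sync" "Keep" ".ssh" ".config" ".mozilla" ".local" ".zotero" ];
      files = [ ];
    };
  };

  # The containing ssh folders are created as root and if this is the first
  # ~/.ssh/ entry when writing keys, the ownership is busted and home-manager
  # can't target because it can't write into .ssh...
  # FIXME: We might not need this depending on how
  # https://github.com/Mic92/sops-nix/issues/381 is fixed
  # (attribute name kept as-is, typo included: other modules may list it in `deps`).
  system.activationScripts.sopsSetSshOwnwership = let
    user = config.users.users.${username}.name;
    group = config.users.users.${username}.group;
  in {
    # Run after NixOS has created user home directories, so `mkdir -p` never
    # has to create /home/<user> itself (which would leave it root-owned).
    deps = [ "users" ];
    text = ''
      # -m 700 only applies when the directory is newly created; an existing
      # ~/.ssh keeps its mode. Deliberately no chmod on an existing path: chmod
      # dereferences symlinks and this path sits in a user-owned tree.
      mkdir -p -m 700 ${sshFolder} || true
      # GNU chown -R does not dereference symlinks unless -H/-L is given, so a
      # user-planted link (the argument or an entry inside) cannot redirect it.
      chown -R ${user}:${group} ${sshFolder}
    '';
  };

  services.flatpak.enable = true;
  programs.zsh.enable = true;
  # Presumably required by impermanence's bindfs-backed user directories
  # above; it allows non-root FUSE mounts to use allow_other system-wide.
  programs.fuse.userAllowOther = true;

  home-manager = {
    extraSpecialArgs = { inherit inputs; };
    users.${username} = import ../../../../home/${hostname}.nix;
  };
}
# Only define `sops.*` when the module that declares those options is present;
# this keeps the guard on `hasSops` above consistent (the original defined
# `sops.secrets` unconditionally, which fails evaluation without sops-nix).
# `hasSops` depends on `inputs` only, never on `config`, so `//` here cannot
# cause infinite recursion in the module system.
// lib.optionalAttrs hasSops {
  sops.secrets = {
    # neededForUsers: decrypted before user accounts are created, so the hash
    # is available to `hashedPasswordFile` at that point.
    "passwords/${username}" = {
      sopsFile = secretsFile;
      neededForUsers = true;
    };
    "ssh_keys/${username}/id_ed25519" = {
      path = "${sshFolder}/id_ed25519";
      mode = "0600";
      owner = username;
    };
    "ssh_keys/${username}/id_ed25519.pub" = {
      path = "${sshFolder}/id_ed25519.pub";
      mode = "0644";
      owner = username;
    };
  };
}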