feat: create modular user configurations

∙
∙ User Accounts:
∙  geir - Primary user (development, desktop, multimedia)
∙  sma - Admin user (Diziet Sma, system administration)
∙  common.nix - Shared user settings and security
∙
∙ Key Features:
∙ 🔧 Culture character naming (sma = Diziet Sma, SC agent)
∙ 🔒 Security-focused admin account (SSH keys only, passwordless sudo)
∙ 🛠️ Development-focused primary user (containers, virtualization, creative tools)
∙ 📦 Modern CLI tools and shell enhancements
∙ 🎯 Role-based package selection and group memberships
∙
∙ Security Model:
∙ - SSH key authentication for admin users
∙ - Separate admin and daily-use accounts
∙ - Principle of least privilege
∙ - No root login allowed
∙
∙ Integration:
∙ - Container runtime access (podman, incus)
∙ - Virtualization management (libvirt, virt-manager)
∙ - Development workflow (git, editors, languages)
∙ - Desktop environments (GNOME, Cosmic, Sway)
∙
∙ Ready for machine-specific deployment across home lab infrastructure.
Geir Okkenhaug Jerstad 2025-06-04 16:56:22 +02:00
parent 02fbaa761a
commit ec9efc5ca1
4 changed files with 380 additions and 15 deletions

View file

@ -0,0 +1,114 @@
# User Configurations
This directory contains modular user configurations for the home lab infrastructure.
## Philosophy
Following the Culture ship naming convention and Emacs org-mode literate programming approach, user configurations are organized to be:
- **Modular**: Each user has their own configuration module
- **Shared**: Common settings are in `common.nix`
- **Character-driven**: User names follow Culture character names
- **Functional**: Focus on practical daily use and system administration
## User Accounts
### Primary Users
#### `geir` - Primary User Account
- **Role**: Development, desktop use, daily computing
- **Access**: Full desktop environments (GNOME, Cosmic, Sway)
- **Focus**: Development tools, creative applications, multimedia
- **Groups**: wheel, networkmanager, libvirt, incus-admin, podman, audio, video, render
#### `sma` - System Administrator
- **Full Name**: Named after Diziet Sma (Special Circumstances agent)
- **Role**: System administration, security oversight, maintenance
- **Access**: SSH-only, command-line focused
- **Focus**: Monitoring, containers, security, infrastructure management
- **Groups**: wheel, networkmanager, libvirt, incus-admin, podman
- **Security**: SSH key authentication only, passwordless sudo
### Service Accounts (Future)
- Consider adding service-specific users for:
- `forgejo-admin`: Forgejo administration
- `media-admin`: Jellyfin/media server management
- `backup-agent`: Automated backup operations
## File Structure
```
modules/users/
├── common.nix # Shared user settings and packages
├── geir.nix # Primary user configuration
├── sma.nix # Admin user configuration
└── README.md # This documentation
```
## Design Principles
### Security
- SSH key-based authentication for admin users
- Principle of least privilege
- Separate admin and daily-use accounts
- No root login allowed
### Convenience
- Modern CLI tools and aliases
- Development-focused package selection
- Shell enhancements (zsh, starship, syntax highlighting)
- Container and virtualization integration
### Consistency
- Common aliases and environment variables
- Shared shell configuration
- Standardized directory permissions
- Culture-inspired naming convention
## Integration Points
### With System Configuration
- Desktop environment modules automatically enable GUI applications
- Virtualization modules grant appropriate group memberships
- Network modules configure user network access
### With User Configs
- Literate configurations stored in `/home/geir/Home-lab/user_configs/`
- Emacs org-mode files for complex configurations
- Automatic tangling of configuration files
- Version control integration
### With Services
- User accounts automatically configured for enabled services
- Container runtime access for development users
- Monitoring and administration access for admin users
## Usage Examples
### Adding a New User
1. Create new module file: `modules/users/new-username.nix`
2. Choose appropriate Culture character name
3. Define role-specific packages and groups
4. Import in machine configuration
5. Document in this README
### Modifying User Access
- Edit `extraGroups` for service access
- Update `packages` for new tools
- Modify shell aliases for workflow improvements
- Adjust sudo rules for administrative access
### Security Considerations
- Regular audit of user accounts and permissions
- SSH key rotation schedule
- Monitor sudo usage and administrative actions
- Review group memberships quarterly
## Culture Character Reference
- **Diziet Sma**: Pragmatic SC agent, perfect for system administration
- **Cheradenine Zakalwe**: Complex SC agent, high-capability operations
- **Jernau Morat Gurgeh**: Strategic game player, systematic thinking
- **Perosteck Balveda**: Professional SC agent, reliable operations
Choose character names that reflect the user's role and personality within the home lab infrastructure.
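Review bot: the group list under `#### sma` (wheel, networkmanager, libvirt, incus-admin, podman) does not match sma.nix in this same commit, which also adds `docker`; keep the README and the module in sync, since `docker` membership is root-equivalent and a reader of this page would not expect it from the documented list. The Security section also lists "Principle of least privilege" and "SSH key authentication only" next to "passwordless sudo" for `sma`; state the trade-off plainly (with `NOPASSWD`, a compromised private key is root with no second step) rather than presenting the three as compatible. The items under `### Security Considerations` (key rotation schedule, sudo monitoring, quarterly group review) name no mechanism in this commit; a pointer to where those audits actually run would make them actionable.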

View file

@ -0,0 +1,126 @@
# Common User Configuration
# Shared settings for all users in the home lab
{ config, pkgs, ... }:
{
# Common user settings
users = {
# Use mutable users for flexibility
mutableUsers = true;
# Default shell for all users
defaultUserShell = pkgs.zsh;
};
# Enable zsh system-wide
programs.zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
# Common aliases for all users
shellAliases = {
# Modern CLI tool replacements
"ls" = "eza --color=auto --group-directories-first";
"ll" = "eza -l --color=auto --group-directories-first";
"la" = "eza -la --color=auto --group-directories-first";
"tree" = "eza --tree";
# Git shortcuts
"gs" = "git status";
"ga" = "git add";
"gc" = "git commit";
"gp" = "git push";
"gl" = "git log --oneline -10";
# System shortcuts
"grep" = "rg";
"find" = "fd";
"cat" = "bat";
"top" = "btop";
# Network
"ping" = "ping -c 5";
"myip" = "curl -s ifconfig.me";
# Safety
"rm" = "rm -i";
"mv" = "mv -i";
"cp" = "cp -i";
};
# Common environment variables
sessionVariables = {
EDITOR = "emacs";
BROWSER = "firefox";
TERMINAL = "alacritty";
};
};
# Common packages for all users
environment.systemPackages = with pkgs; [
# Essential CLI tools (already configured in base.nix)
# Adding user-specific tools here
# Communication
firefox
thunderbird
# Productivity
libreoffice
# Development (basic)
git
curl
wget
# Media
vlc
# Utilities
file
unzip
zip
];
# Common security settings
security = {
# Require password for sudo (can be overridden per user)
sudo.wheelNeedsPassword = true;
# Polkit for desktop users
polkit.enable = true;
};
# Common services
services = {
# Enable SSH for remote management
openssh = {
enable = true;
settings = {
PasswordAuthentication = false; # Key-based auth only
PermitRootLogin = "no"; # No root login
X11Forwarding = true; # For GUI applications over SSH
};
};
# Enable CUPS for printing
printing.enable = true;
# Enable sound
pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
};
# XDG portal for desktop integration
xdg.portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
}
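Review bot: `X11Forwarding = true` in `services.openssh.settings` turns forwarding on for every host that imports this shared module, headless ones included, even though the comment says SSH is "for remote management"; set it to `false` here and enable it only on the desktop hosts that need it, because a forwarded X connection lets a compromised server interact with the administrator's local display. Two smaller points: `mutableUsers = true` means passwords or keys added out of band with `passwd`/`ssh-copy-id` survive rebuilds, which undercuts the "key-based auth only" intent in the README; and `programs.zsh` is declared again in sma.nix, so the `enable`/`autosuggestions`/`syntaxHighlighting` lines are duplicated (NixOS merges the `shellAliases` sets, so this is harmless but worth trimming to one place).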

View file

@ -0,0 +1,134 @@
# Admin User Configuration - sma
# Named after Diziet Sma, pragmatic Special Circumstances agent
# Role: System administration, security oversight, maintenance
{ config, pkgs, ... }:
{
users.users.sma = {
description = "Diziet Sma - System Administrator";
isNormalUser = true;
# Admin privileges
extraGroups = [
"wheel" # sudo access
"networkmanager" # network management
"libvirt" # virtualization management
"incus-admin" # container management
"podman" # container runtime
"docker" # docker compatibility (if needed)
];
# Security-focused shell setup
shell = pkgs.zsh;
# SSH key-based authentication only (no password login)
openssh.authorizedKeys.keys = [
# Add SSH public key here when ready
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5... sma@home-lab"
];
# Essential admin packages
packages = with pkgs; [
# System monitoring and diagnostics
htop
iotop
nethogs
lsof
strace
# Network tools
nmap
tcpdump
wireshark-cli
curl
wget
# File and disk utilities
tree
fd
ripgrep
fzf
ncdu
# Text processing
jq
yq
# Version control (for system configs)
git
# Container management
podman-compose
# Backup and sync
rsync
rclone
# Security tools
age
sops
# NixOS specific tools
nixos-rebuild
nix-tree
nix-diff
];
};
# Admin-specific shell configuration
programs.zsh = {
enable = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
# Admin-focused aliases
shellAliases = {
# System management
"rebuild" = "sudo nixos-rebuild switch --flake /home/geir/Home-lab";
"rebuild-test" = "sudo nixos-rebuild test --flake /home/geir/Home-lab";
"rebuild-boot" = "sudo nixos-rebuild boot --flake /home/geir/Home-lab";
# Container management
"pods" = "podman ps -a";
"images" = "podman images";
"logs" = "podman logs";
# System monitoring
"disk-usage" = "df -h";
"mem-usage" = "free -h";
"processes" = "ps aux | head -20";
# Network
"ports" = "ss -tulpn";
"connections" = "ss -tuln";
# Git for infrastructure
"lab" = "cd /home/geir/Home-lab";
"lab-status" = "cd /home/geir/Home-lab && git status";
"lab-pull" = "cd /home/geir/Home-lab && git pull";
# Security
"audit-users" = "cat /etc/passwd | grep -E '/bin/(bash|zsh|fish)'";
"audit-sudo" = "cat /etc/sudoers.d/*";
};
};
# Sudo configuration for admin user
security.sudo.extraRules = [
{
users = [ "sma" ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ]; # Allow passwordless sudo for admin tasks
}
];
}
];
# Admin user home directory permissions
systemd.tmpfiles.rules = [
"d /home/sma 0755 sma users -"
"d /home/sma/.ssh 0700 sma users -"
];
}
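Review bot: as committed, `sma` has no login path at all: `openssh.authorizedKeys.keys` is empty, `PasswordAuthentication` is off in common.nix, and no `hashedPassword`/`initialPassword` is set. Once a key is added, the `security.sudo.extraRules` entry grants `NOPASSWD` for `ALL`, so possession of that one private key is root on every host importing this module, which contradicts the README's "principle of least privilege"; consider dropping `NOPASSWD` (common.nix already sets `wheelNeedsPassword = true`) or narrowing `command` to the rebuild and podman commands the aliases actually use. Smaller points: `"docker"` in `extraGroups` is root-equivalent and the comment itself says "if needed", so add it on the hosts that run Docker rather than in the shared module; because common.nix sets `mutableUsers = true`, a password set later with `passwd` is kept across rebuilds, so either declare `hashedPassword = "!"` before the user is first created or use `mutableUsers = false` on the hosts this account lives on; the tmpfiles rule makes `/home/sma` world-readable (`0755`), broader than a key-only admin home needs; and the `rebuild*`/`lab*` aliases point into `/home/geir/Home-lab`, so `sma` depends on read access to another user's home directory.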

View file

@ -6,6 +6,7 @@
* About
My attempt at a litterate configuration for Emacs.
to tangle this file.
keyboard shortcut `C-c C-v t` (org-babel-tangle) in Emacs.
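Review bot: "litterate" in the About line should read "literate".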
@ -13,8 +14,6 @@ This will generate the `~/.emacs.d/init.el` file with the configuration.
* Prep
* Configuration
** Setup lexical binding
@ -57,7 +56,7 @@ Here we set up the UI to our liking. We disable the menu bar, tool bar, and scro
Set up package management
#+BEGIN_SRC
#+BEGIN_SRC emacs-lisp
;; Initialize package sources
(require 'package)
@ -71,6 +70,7 @@ Set up package management
(unless package-archive-contents
(package-refresh-contents))
#+END_SRC
Set up doom modeline, which is a nice status line for Emacs. We set it up to show the current buffer name and the current line number.
#+BEGIN_SRC emacs-lisp
@ -188,21 +188,12 @@ Copilot Chat
** Language support
Here we install and configure support for various programming languages. We use the `use-package` macro to ensure that the packages are installed and configured correctly.
** NixOS from Emacs
Editing Nix files and doing NixOS admin stuff like nixos-rebuild boot --upgrade
Run the commands with M-x shell-command
** NixOS from Emacs ?
maybe we want to make this useful
#+BEGIN_SRC emacs-lisp
;; NixOS commands
(defun nixos-upgrade ()
"Run 'nixos-rebuild boot --upgrade' in a shell."
(interactive)
(shell-command "nixos-rebuild boot --upgrade"))
(defun nixos-switch ()
"Run 'nixos-rebuild switch' in a shell."
(interactive)
(shell-command "nixos-rebuild switch"))
#+END_SRC
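Review bot: the header `@ -188,21 +188,12 @@` shows this region shrinking by nine lines, and the rendered page does not mark which of the two `** NixOS from Emacs` headings and which of the `nixos-upgrade`/`nixos-switch` defuns survive. If the defuns are the lines being removed, the remaining `** NixOS from Emacs ?` heading with "maybe we want to make this useful" is an empty placeholder and should either go as well or carry a note on the intended replacement. If the defuns are kept, `(shell-command "nixos-rebuild boot --upgrade")` and `(shell-command "nixos-rebuild switch")` run without elevation, so they fail for a normal user; the docstrings should say the commands need privileges, or the functions should be rewritten to run through a mechanism that prompts for them.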