Geir O. Jerstad
2069f289ff
- Remove incus-admin group from geir and sma users - Fixes deployment issue where cowsql was being built despite incus being disabled - Addresses congenital-optimist build failure
127 lines
3.2 KiB
Nix
127 lines
3.2 KiB
Nix
# Admin User Configuration - sma
|
|
# Named after Diziet Sma, pragmatic Special Circumstances agent
|
|
# Role: System administration, security oversight, maintenance
|
|
{
|
|
config,
|
|
pkgs,
|
|
...
|
|
}: {
|
|
imports = [
|
|
./media-group.nix
|
|
];
|
|
|
|
users.users.sma = {
|
|
description = "Diziet Sma - System Administrator";
|
|
isNormalUser = true;
|
|
uid = 1001; # Fixed UID for consistency across machines
|
|
group = "sma"; # Primary group
|
|
|
|
# Admin privileges
|
|
extraGroups = [
|
|
"wheel" # sudo access
|
|
"networkmanager" # network management
|
|
"libvirt" # virtualization management
|
|
"podman" # container runtime
|
|
"docker" # docker compatibility (if needed)
|
|
"media" # shared media access for NFS shares
|
|
];
|
|
|
|
# Security-focused shell setup
|
|
shell = pkgs.zsh;
|
|
|
|
# SSH key-based authentication only (no password login)
|
|
openssh.authorizedKeys.keys = [
|
|
# Admin key for server administration
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgzKS1N7+7+N1/8U8++1pl4hapDm6TOy0QhrfrYA8mz geir@geokkjer.eu-admin"
|
|
];
|
|
|
|
# Essential admin packages
|
|
packages = with pkgs; [
|
|
# System monitoring and diagnostics (htop, lsof, strace moved to base.nix)
|
|
iotop
|
|
nethogs
|
|
|
|
# Network tools (nmap moved to base.nix)
|
|
tcpdump
|
|
wireshark-cli
|
|
|
|
# File and disk utilities (tree, fd, ripgrep, fzf, ncdu moved to base.nix)
|
|
|
|
# Text processing (jq, yq moved to base.nix)
|
|
|
|
# Version control (git moved to base.nix)
|
|
|
|
# Container management
|
|
podman-compose
|
|
|
|
# Backup and sync
|
|
rsync
|
|
rclone
|
|
|
|
# Security tools
|
|
age
|
|
sops
|
|
|
|
# NixOS specific tools
|
|
nixos-rebuild
|
|
nix-tree
|
|
nix-diff
|
|
];
|
|
};
|
|
|
|
# Admin-specific shell configuration
|
|
programs.zsh = {
|
|
enable = true;
|
|
autosuggestions.enable = true;
|
|
syntaxHighlighting.enable = true;
|
|
|
|
# Admin-specific aliases (common ones in shell-aliases.nix)
|
|
shellAliases = {
|
|
# Flake management from remote deployments (sma uses temp directory)
|
|
"rebuild-remote" = "cd /tmp/home-lab-config && sudo nixos-rebuild switch --flake .";
|
|
"rebuild-remote-test" = "cd /tmp/home-lab-config && sudo nixos-rebuild test --flake .";
|
|
"rebuild-remote-boot" = "cd /tmp/home-lab-config && sudo nixos-rebuild boot --flake .";
|
|
};
|
|
interactiveShellInit = ''
|
|
# Emacs-style keybindings
|
|
bindkey -e
|
|
|
|
# Disable annoying shell options
|
|
unsetopt beep nomatch
|
|
|
|
# Completion configuration
|
|
zstyle ':completion:*' completer _expand _complete _ignored
|
|
zstyle ':completion:*' matcher-list ""
|
|
autoload -Uz compinit
|
|
compinit
|
|
|
|
# Initialize shell enhancements
|
|
eval "$(starship init zsh)"
|
|
eval "$(direnv hook zsh)"
|
|
'';
|
|
};
|
|
|
|
# Sudo configuration for admin user
|
|
security.sudo.extraRules = [
|
|
{
|
|
users = ["sma"];
|
|
commands = [
|
|
{
|
|
command = "ALL";
|
|
options = ["NOPASSWD"]; # Allow passwordless sudo for admin tasks
|
|
}
|
|
];
|
|
}
|
|
];
|
|
|
|
# Admin user home directory permissions
|
|
systemd.tmpfiles.rules = [
|
|
"d /home/sma 0755 sma sma -"
|
|
"d /home/sma/.ssh 0700 sma sma -"
|
|
];
|
|
|
|
# Create the sma group
|
|
users.groups.sma = {
|
|
gid = 992; # Fixed GID for consistency across machines
|
|
};
|
|
}
|