plumjam/nixos - Change BAHAE6MCRPVFMSXFJOS2LOYDD4VQ6XLW5SDNINV2JV6RQRV4N4EAC

hosts: Move users config to modules.

Created by PlumJam on January 8, 2026

BAHAE6MCRPVFMSXFJOS2LOYDD4VQ6XLW5SDNINV2JV6RQRV4N4EAC

Dependencies

In channels

main

Change contents

File addition: users.nix (----------)

[4.2]

{ pkgs, keys, config, lib, ... }: let
  inherit (lib) mkIf types;
in {
  # "customUsers" to avoid conflicts with "users".
  options.customUsers = {
    enable = lib.mkEnableOption "users";
    passwordFile = lib.mkOption {
      type = types.path;
      example = "/run/agenix/password";
      description = "Path to the password secret file";
    };
    primaryUserExtraGroups = lib.mkOption {
      type = with types; listOf str;
      default = [ "wheel" ];
      example = [ "wheel" "networkmanager" "docker" ];
      description = "Extra groups for jam";
    };
    buildUser = lib.mkEnableOption "build user (for CI/CD)";
    forgejoUser = lib.mkEnableOption "forgejo user for forgejo host";
  };
  config = mkIf config.customUsers.enable {
    age.secrets.password.rekeyFile = config.customUsers.passwordFile;
    users.users = {
      root = {
        shell                       = pkgs.nushell;
        hashedPasswordFile          = config.age.secrets.password.path;
        openssh.authorizedKeys.keys = keys.admins;
      };
      jam = {
        description                 = "Jam";
        isNormalUser                = true;
        shell                       = pkgs.nushell;
        hashedPasswordFile          = config.age.secrets.password.path;
        openssh.authorizedKeys.keys = keys.admins;
        extraGroups                 = config.customUsers.primaryUserExtraGroups;
      };
      build = mkIf config.customUsers.buildUser {
        description                 = "Build";
        isNormalUser                = true;
        createHome                  = false;
        openssh.authorizedKeys.keys = keys.all;
        extraGroups                 = [ "build" ];
      };
      forgejo = mkIf config.customUsers.forgejoUser {
        description                 = "Forgejo";
        createHome                  = false;
        openssh.authorizedKeys.keys = keys.admins;
      };
    };
    home-manager.users = {
      root = {};
      jam  = {};
    };
  };
}

Insertion in hosts/yuzu.nix at line 17 [5.18645]
[3.1609]
[5.18978]
```
          (self + /modules/users.nix)
```

Replacement in hosts/yuzu.nix at line 47 [5.18645]

B:BD[5.19832] → [6.1611:1687]

∅:D[6.1687] → [7.5160:5203]

B:BD[7.5160] → [7.5160:5203]

∅:D[7.5203] → [5.19922:20444]

B:BD[5.19922] → [5.19922:20444]

B:BD[5.20444] → [2.336:417]

∅:D[2.417] → [5.20805:20903]

B:BD[5.20805] → [5.20805:20903]

        age.secrets.password.rekeyFile = self + /secrets/yuzu-password.age;
        users.users                    = {
          root = {
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
          };
          jam = {
            description                 = "Jam";
            isNormalUser                = true;
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
            extraGroups                 = [ "wheel" "networkmanager" "docker" ];
          };
        };
        home-manager.users = {
          root = {};
          jam  = {};

[5.19832]

[5.20903]

        customUsers = enabled {
          passwordFile = self + /secrets/yuzu-password.age;
          primaryUserExtraGroups = [ "wheel" "networkmanager" "docker" ];

Insertion in hosts/plum.nix at line 31 [9.987]
[3.1721]
[8.3615]
```
          (self + /modules/users.nix)
```

Deletion in hosts/plum.nix at line 55 [9.987]

B:BD[10.238] → [10.238:250]

B:BD[10.250] → [6.2208:2284]

∅:D[6.2284] → [7.12516:12559]

B:BD[7.12516] → [7.12516:12559]

∅:D[7.12559] → [11.504:723]

B:BD[11.504] → [11.504:723]

∅:D[11.723] → [8.4809:4810]

B:BD[8.4809] → [8.4809:4810]

B:BD[8.4810] → [11.724:1094]

∅:D[11.1094] → [12.951:952]

B:BD[12.951] → [12.951:952]

B:BD[12.952] → [11.1095:1383]

B:BD[11.1383] → [13.3632:3812]

B:BD[13.3812] → [14.2430:2443]

        };
        age.secrets.password.rekeyFile = self + /secrets/plum-password.age;
        users.users                    = {
          root = {
            shell                       = pkgs.nushell;
            openssh.authorizedKeys.keys = keys.admins;
            hashedPasswordFile          = config.age.secrets.password.path;
          };
          jam = {
            description                 = "Jam";
            isNormalUser                = true;
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
            extraGroups                 = [ "wheel" ];
          };
          build = {
            description                 = "Build";
            isNormalUser                = true;
            createHome                  = false;
            openssh.authorizedKeys.keys = keys.all;
            extraGroups                 = [ "build" ];
          };
          forgejo = {
            description                 = "Forgejo";
            createHome                  = false;
            openssh.authorizedKeys.keys = keys.admins;
          };

Replacement in hosts/plum.nix at line 57 [9.987]

B:BD[15.198] → [15.198:229]

B:BD[15.229] → [11.1384:1426]

        home-manager.users = {
          root = {};
          jam  = {};

[15.198]

[12.1260]

        customUsers = enabled {
          passwordFile = self + /secrets/plum-password.age;
          buildUser = true;
          forgejoUser = true;

Insertion in hosts/pear.nix at line 18 [9.1239]
[3.1904]
[8.5750]
```
          (self + /modules/users.nix)
```

Replacement in hosts/pear.nix at line 66 [9.1239]

B:BD[8.7521] → [6.2500:2576]

∅:D[6.2576] → [7.16934:16977]

B:BD[7.16934] → [7.16934:16977]

∅:D[7.16977] → [11.2326:2545]

B:BD[11.2326] → [11.2326:2545]

∅:D[16.870] → [8.7592:7593]

∅:D[17.1049] → [8.7592:7593]

∅:D[11.2545] → [8.7592:7593]

B:BD[8.7592] → [8.7592:7593]

B:BD[8.7593] → [11.2546:2971]

B:BD[11.3260] → [11.3260:3273]

∅:D[18.810] → [15.427:470]

∅:D[11.3273] → [15.427:470]

B:BD[12.1772] → [15.427:470]

B:BD[15.470] → [11.3274:3316]

        age.secrets.password.rekeyFile = self + /secrets/pear-password.age;
        users.users                    = {
          root = {
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
          };
          jam = {
            description                 = "Jam";
            isNormalUser                = true;
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
            extraGroups                 = [ "wheel" "docker" "dialout" ]; # Dialout for serial, Docker for docker-desktop.
          };
        };
        home-manager.users = {
          root = {};
          jam  = {};

[8.7521]

[8.8120]

        customUsers = enabled {
          passwordFile = self + /secrets/pear-password.age;
          primaryUserExtraGroups = [ "wheel" "dialout" "docker" ];

Insertion in hosts/kiwi.nix at line 25 [9.1791]
[3.2019]
[8.11356]
```
          (self + /modules/users.nix)
```

Deletion in hosts/kiwi.nix at line 49 [9.1791]

B:BD[10.384] → [10.384:396]

B:BD[10.396] → [6.3221:3297]

∅:D[6.3297] → [7.23288:23331]

B:BD[7.23288] → [7.23288:23331]

∅:D[7.23331] → [11.5798:6017]

B:BD[11.5798] → [11.5798:6017]

∅:D[11.6017] → [8.12297:12298]

B:BD[8.12297] → [8.12297:12298]

B:BD[8.12298] → [11.6018:6388]

∅:D[12.2084] → [8.12379:12380]

∅:D[11.6388] → [8.12379:12380]

B:BD[8.12379] → [8.12379:12380]

B:BD[8.12380] → [11.6389:6664]

∅:D[14.4139] → [11.7015:7028]

B:BD[11.7015] → [11.7015:7028]

        };
        age.secrets.password.rekeyFile = self + /secrets/kiwi-password.age;
        users.users                    = {
          root = {
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
          };
          jam = {
            description                 = "Jam";
            isNormalUser                = true;
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
            extraGroups                 = [ "wheel" ];
          };
          build = {
            description                 = "Build";
            isNormalUser                = true;
            createHome                  = false;
            openssh.authorizedKeys.keys = keys.all;
            extraGroups                 = [ "build" ];
          };

Replacement in hosts/kiwi.nix at line 51 [9.1791]

∅:D[19.282] → [15.685:716]

B:BD[15.685] → [15.685:716]

B:BD[15.716] → [11.7029:7071]

        home-manager.users = {
          root = {};
          jam  = {};

[19.282]

[7.23332]

        customUsers = enabled {
          passwordFile = self + /secrets/kiwi-password.age;
          buildUser = true;

Insertion in hosts/date.nix at line 17 [5.33086]
[3.2203]
[5.33419]
```
          (self + /modules/users.nix)
```

Replacement in hosts/date.nix at line 42 [5.33086]

B:BD[5.34113] → [6.3686:3762]

∅:D[6.3762] → [7.27002:27045]

B:BD[7.27002] → [7.27002:27045]

∅:D[7.27045] → [5.34203:34725]

B:BD[5.34203] → [5.34203:34725]

B:BD[5.34725] → [2.498:579]

∅:D[2.579] → [5.35086:35184]

B:BD[5.35086] → [5.35086:35184]

        age.secrets.password.rekeyFile = self + /secrets/date-password.age;
        users.users                    = {
          root = {
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
          };
          jam = {
            description                 = "Jam";
            isNormalUser                = true;
            shell                       = pkgs.nushell;
            hashedPasswordFile          = config.age.secrets.password.path;
            openssh.authorizedKeys.keys = keys.admins;
            extraGroups                 = [ "wheel" "networkmanager" "docker" ];
          };
        };
        home-manager.users = {
          root = {};
          jam  = {};

[5.34113]

[5.35184]

        customUsers = enabled {
          passwordFile = self + /secrets/date-password.age;
          primaryUserExtraGroups = [ "wheel" "networkmanager" "docker" ];