nixos-blueprint/modules/shared/nixos/users.nix

{
  inputs,
  config,
  pkgs,
  lib,
  ...
}: let
  inherit (config.networking) hostName;
  inherit (config.sops) secrets;
  inherit (inputs) mysecrets;
  sshKeys = f: "${mysecrets}/ssh/user/id_${f}_ed25519.pub";
in {
  users.groups.admin = {};

  # --------------------------------------
  nix.settings.trusted-users = ["user" "admin"];
  users.mutableUsers = false;
  users.users = {
    admin = {
      isNormalUser = true;
      description = "System administrator";
      extraGroups = ["wheel"]; # wheel = sudo
      # run `mkpasswd --method=yescrypt` and replace "changeme" w/ the result
      hashedPasswordFile = secrets."user-password-hashed".path;
      openssh.authorizedKeys.keyFiles = map sshKeys [
        "dunamis"
        "eldrid"
        "legion"
        "morphius"
        "sarien"
      ];
    };
    user = {
      extraGroups = ["video" "libvirtd" "dialout"];
      hashedPasswordFile = secrets."user-password-hashed".path;
      isNormalUser = true;
      shell = pkgs.fish;
      openssh.authorizedKeys.keyFiles = map sshKeys [
        "dunamis"
        "eldrid"
        "legion"
        "morphius"
        "sarien"
      ];
    };
  };
}