fix(app): isolate app user configuration

home/profile.nix

@@ -43,8 +43,13 @@ in {
       description = "home manager modules imported into every profile";
     };
 
-    home = let
-      persistOpts = {
+    home = {
+      size = mkOption {
+        type = with types; str;
+        default = "1G";
+        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
+      };
+      persist = {
         files = mkOption {
           type = with types; listOf (oneOf [ str (attrsOf str) ]);
           default = [ ];
@@ -54,14 +59,6 @@ in {
           default = [ ];
         };
       };
-    in {
-      size = mkOption {
-        type = with types; str;
-        default = "1G";
-        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
-      };
-      persist = persistOpts;
-      persistApp = persistOpts;
     };
   };
 
@@ -70,7 +67,7 @@ in {
       users = mapAttrs (name: opts: {
         inherit (opts) uid;
         description = with opts; mkIf (description != null) description;
-        extraGroups = mkIf opts.admin cfg.adminGroups;
+        extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;
         openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable)
         config.global.auth.openssh.publicKeys;
         hashedPasswordFile = "/nix/persist/shadow/${name}";
@@ -82,7 +79,7 @@ in {
 
       # base groups
       adminGroups = [
-        "wheel" "dialout" "kvm"
+        "wheel" "kvm"
         "systemd-journal"
       ];
 
@@ -140,10 +137,8 @@ in {
         # cannot get it properly for the same reason
         # mentioned above in fileSystems
         home = mkIf (name == "root") "/root";
-      }) cfg.profiles) // {
-        # extra persistence specific to the app user
-        app = cfg.home.persistApp;
-      };
+      }) cfg.profiles);
+
       hideMounts = true;
     };