fix(app): isolate app user configuration

2024-01-09 14:10:05 +08:00 · 2024-01-09 14:10:05 +08:00 · adee5903cc
parent 4d31fbbe2a
commit adee5903cc
3 changed files with 38 additions and 21 deletions
--- a/home/app/nixos.nix
+++ b/home/app/nixos.nix
@ -0,0 +1,27 @@
+{ pkgs
+, lib
+, config
+, ... }: with lib; let
+  cfg = config.users;
+in {
+  options.users.home.persistApp = {
+    files = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+    directories = mkOption {
+      type = with types; listOf (oneOf [ str (attrsOf str) ]);
+      default = [ ];
+    };
+  };
+
+  config = {
+    users.profiles.app = {
+      uid = 5800;
+      description = "Insecure Applications";
+    };
+
+    # extra persistence specific to the app user
+    environment.persistence."/nix/persist".users.app = cfg.home.persistApp;
+  };
+}
--- a/home/profile.nix
+++ b/home/profile.nix
@ -43,8 +43,13 @@ in {
      description = "home manager modules imported into every profile";
    };

-    home = let
-      persistOpts = {
+    home = {
+      size = mkOption {
+        type = with types; str;
+        default = "1G";
+        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
+      };
+      persist = {
        files = mkOption {
          type = with types; listOf (oneOf [ str (attrsOf str) ]);
          default = [ ];
@ -54,14 +59,6 @@ in {
          default = [ ];
        };
      };
-    in {
-      size = mkOption {
-        type = with types; str;
-        default = "1G";
-        description = "default home tmpfs size, mounted to prevent accidentally filling up root";
-      };
-      persist = persistOpts;
-      persistApp = persistOpts;
    };
  };

@ -70,7 +67,7 @@ in {
      users = mapAttrs (name: opts: {
        inherit (opts) uid;
        description = with opts; mkIf (description != null) description;
-        extraGroups = mkIf opts.admin cfg.adminGroups;
+        extraGroups = [ "dialout" ] ++ optionals opts.admin cfg.adminGroups;
        openssh.authorizedKeys.keys = mkIf (opts.sshLogin && config.services.openssh.enable)
        config.global.auth.openssh.publicKeys;
        hashedPasswordFile = "/nix/persist/shadow/${name}";
@ -82,7 +79,7 @@ in {

      # base groups
      adminGroups = [
-        "wheel" "dialout" "kvm"
+        "wheel" "kvm"
        "systemd-journal"
      ];

@ -140,10 +137,8 @@ in {
        # cannot get it properly for the same reason
        # mentioned above in fileSystems
        home = mkIf (name == "root") "/root";
-      }) cfg.profiles) // {
-        # extra persistence specific to the app user
-        app = cfg.home.persistApp;
-      };
+      }) cfg.profiles);
+
      hideMounts = true;
    };

--- a/home/user.nix
+++ b/home/user.nix
@ -12,11 +12,6 @@
      description = "Staging Environment";
    };

-    app = {
-      uid = 5800;
-      description = "Insecure Applications";
-    };
-
    root.uid = 0;
  };
 }