add first community builder user

build01/configuration.nix

@@ -18,6 +18,7 @@
     ../roles/common.nix
     ../roles/hetzner-network.nix
     ../roles/raid.nix
+    ../roles/users.nix
   ];
 
   # /boot is a mirror raid

roles/builder/default.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  imports = [ ./users.nix ];
+}

roles/builder/keys/0x4A6F

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuUdiPdq7neZjTSRoc4PuRg8a6M/JBaJ8fjQxPH6uUT 0x4A6F@aarch64-build-box

roles/builder/keys/jtojnar

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBNvEK+/zeAOuFQiSMSCaY3uSMBy0Fu9IIE16bFgww/o jtojnar+aarch64box@kaiser

roles/builder/users.nix

@@ -0,0 +1,57 @@
+let
+  pkgs = import <nixpkgs> {};
+  inherit (pkgs) lib;
+
+  users = {
+    # 1. Generate an SSH key for your root account and add the public
+    #    key to a file matching your name in ./keys/
+    #
+    # 2. Copy / paste this in order, alphabetically:
+    #
+    #    youruser = {
+    #      trusted = true;
+    #      keys = ./keys/youruser;
+    #    };
+
+    "0x4A6F" = {
+      trusted = true;
+      keys = ./keys/0x4A6F;
+    };
+
+    jtojnar = {
+      trusted = true;
+      keys = ./keys/jtojnar;
+    };
+  };
+
+  ifAttr = key: default: result: opts:
+    if (opts ? "${key}") && opts."${key}"
+      then result
+      else default;
+
+  maybeTrusted = ifAttr "trusted" [] [ "trusted" ];
+  maybeWheel = ifAttr "sudo" [] [ "wheel" ];
+
+  userGroups = opts:
+    (maybeTrusted opts) ++
+    (maybeWheel opts);
+
+  descToUser = name: opts:
+    {
+      isNormalUser = true;
+      extraGroups = userGroups opts;
+      createHome = true;
+      home = "/home/${name}";
+      hashedPassword = opts.password or null;
+      openssh.authorizedKeys.keyFiles = [
+        opts.keys
+      ];
+    };
+in {
+  users = {
+    groups.trusted = {};
+
+    mutableUsers = false;
+    users = lib.mapAttrs descToUser users;
+  };
+}