
* keep ./services for instances

  ./profiles is for config-only modules.
  ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well.

* ci: build build03 as well
* move hydra to services
* move matterbridge to services
* move marvin-mk2 to services
* build01: share the remainder profiles
* build02: use the nix-community-cache
* fixup kexec
* rename profiles to roles
* README: sync with reality
# NixOS module: imports every user definition under ../users, makes the user
# database declarative, and authorises all wheel members' SSH keys for root.
{ config, lib, pkgs, ... }:

let
  usersDir = ../users;

  # A directory entry counts as a user module when its name ends in ".nix",
  # except for the shared helper "lib.nix".
  isUserModule = name: name != "lib.nix" && lib.hasSuffix ".nix" name;

  # Every matching entry of ../users is imported automatically; there is no
  # explicit allow-list. Combined with the root key assignment below, a new
  # file in that directory that declares a wheel user is enough to grant root
  # SSH access, so changes to ../users should be reviewed as access grants.
  userModules = builtins.map (name: usersDir + "/${name}")
    (builtins.filter isUserModule (lib.attrNames (builtins.readDir usersDir)));

  # Users whose extraGroups contain "wheel".
  wheelUsers = lib.filterAttrs
    (_: user: lib.elem "wheel" user.extraGroups)
    config.users.extraUsers;

  # Only the inline `openssh.authorizedKeys.keys` lists are collected; keys a
  # user supplies through any other option are not propagated to root.
  wheelKeys = lib.concatMap
    (user: user.openssh.authorizedKeys.keys)
    (lib.attrValues wheelUsers);
in
{
  imports = userModules;

  # Users are managed declaratively only (no mutable users).
  users.mutableUsers = false;

  # Root accepts the SSH keys of every wheel member. This is only done because
  # nixops can't deploy from any other account.
  # NOTE(review): dropping a user from "wheel" (or removing their file) is what
  # revokes their root key on the next deploy. Sessions opened with these keys
  # all run as root, so per-person attribution relies on the key fingerprint
  # that sshd logs at login; whether root key login is permitted at all depends
  # on the sshd configuration, which is not set in this module.
  users.extraUsers.root.openssh.authorizedKeys.keys = lib.unique wheelKeys;
}