authorNguyễn Gia Phong <cnx@loang.net>2024-01-12 02:49:13 +0900
committerNguyễn Gia Phong <cnx@loang.net>2024-01-12 02:49:13 +0900
commitc5c7efb19bf15cd7d191b2c917884bab0fad64e8 (patch)
treeff9965e918d027a1c3f3eebab674a5a8badc4ca6
parentdb927a71c6caafc7db742af88e28a52cecc47b97 (diff)
downloadnixos-conf-c5c7efb19bf15cd7d191b2c917884bab0fad64e8.tar.gz
Split user access control to separate module
-rw-r--r--access.nix56
-rw-r--r--configuration.nix68
2 files changed, 57 insertions, 67 deletions
diff --git a/access.nix b/access.nix
new file mode 100644
index 0000000..adb1a83
--- /dev/null
+++ b/access.nix
@@ -0,0 +1,56 @@
+# Access configuration
+# Copyright (C) 2024  Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
+
+{ config, ... }:
+let
+  admins = [ "cnx" "xarvos" ];
+  normalUser = user: {
+    name = user;
+    value = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/${user}.pub" ];
+    };
+  };
+  members = admins ++ [
+    "axl"
+    "ckie"
+    "epoch"
+    "int2k"
+    "mingnho"
+    "ooze"
+    "owocean"
+    "vnpower"
+  ];
+in {
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings.PasswordAuthentication = false;
+    ports = [ 2211 ];
+  };
+
+  users = {
+    groups.wheel.members = admins;
+    users = builtins.listToAttrs (map normalUser members);
+  };
+}
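Review bot: The split silently drops `packages = with pkgs; [ stow ];` from the `cnx` account (removed at the old `users.users.cnx` block in configuration.nix, not re-added in `normalUser`), and access.nix cannot even express it since its argument set is `{ config, ... }` with no `pkgs`; unless stow is provisioned elsewhere, keep it with a one-line `users.users.cnx.packages = [ pkgs.stow ];` in a module that receives `pkgs`, which the module system merges with the generated attrset here. The `config` argument is otherwise unused in this file and could be dropped to `{ ... }:`. Since membership in `admins` now means both a wheel entry and passwordless sudo via `wheelNeedsPassword = false`, a comment on the `admins` binding such as `# Members of wheel; sudo without a password per security.sudo below` would make the privilege boundary explicit to whoever next edits the list. Likewise `normalUser` could note that every listed user is expected to have a key file at `/etc/ssh/${user}.pub`, presumably required to exist at evaluation time — worth confirming.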
diff --git a/configuration.nix b/configuration.nix
index 0972cad..3e6ad48 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -30,6 +30,7 @@
   };
 
   imports = [
+    ./access.nix
     ./automation.nix
     ./dbms.nix
     ./dns.nix
@@ -86,18 +87,6 @@
     };
   };
 
-  security.sudo = {
-    enable = true;
-    wheelNeedsPassword = false;
-  };
-
-  services.openssh = {
-    enable = true;
-    openFirewall = true;
-    settings.PasswordAuthentication = false;
-    ports = [ 2211 ];
-  };
-
   system.stateVersion = "22.05";
 
   systemd.extraConfig = ''
@@ -105,59 +94,4 @@
   '';
 
   time.timeZone = "UTC";
-
-  users.users = {
-    axl = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/axl.pub" ];
-    };
-
-    ckie = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ckie.pub" ];
-    };
-
-    cnx = {
-      extraGroups = [ "wheel" ];
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/cnx.pub" ];
-      packages = with pkgs; [ stow ];
-    };
-
-    epoch = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/epoch.pub" ];
-    };
-
-    int2k = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/int2k.pub" ];
-    };
-
-    mingnho = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/mingnho.pub" ];
-    };
-
-    ooze = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/ooze.pub" ];
-    };
-
-    owocean = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/owocean.pub" ];
-    };
-
-    vnpower = {
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/vnpower.pub" ];
-    };
-
-    xarvos = {
-      extraGroups = [ "wheel" ];
-      isNormalUser = true;
-      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/xarvos.pub" ];
-    };
-  };
 }