path: root/access.nix
authorNguyễn Gia Phong <cnx@loang.net>2024-01-12 02:49:13 +0900
committerNguyễn Gia Phong <cnx@loang.net>2024-01-12 02:49:13 +0900
commitc5c7efb19bf15cd7d191b2c917884bab0fad64e8 (patch)
treeff9965e918d027a1c3f3eebab674a5a8badc4ca6 /access.nix
parentdb927a71c6caafc7db742af88e28a52cecc47b97 (diff)
downloadnixos-conf-c5c7efb19bf15cd7d191b2c917884bab0fad64e8.tar.gz
Split user access control to separate module
Diffstat (limited to 'access.nix')
-rw-r--r--access.nix56
1 files changed, 56 insertions, 0 deletions
diff --git a/access.nix b/access.nix
new file mode 100644
index 0000000..adb1a83
--- /dev/null
+++ b/access.nix
@@ -0,0 +1,56 @@
+# Access configuration
+# Copyright (C) 2024  Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
+
+{ config, ... }:
+let
+  admins = [ "cnx" "xarvos" ];
+  normalUser = user: {
+    name = user;
+    value = {
+      isNormalUser = true;
+      openssh.authorizedKeys.keyFiles = [ "/etc/ssh/${user}.pub" ];
+    };
+  };
+  members = admins ++ [
+    "axl"
+    "ckie"
+    "epoch"
+    "int2k"
+    "mingnho"
+    "ooze"
+    "owocean"
+    "vnpower"
+  ];
+in {
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings.PasswordAuthentication = false;
+    ports = [ 2211 ];
+  };
+
+  users = {
+    groups.wheel.members = admins;
+    users = builtins.listToAttrs (map normalUser members);
+  };
+}
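Review bot: Setting `settings.PasswordAuthentication = false` on its own does not make the host key-only, because NixOS's `services.openssh.settings.KbdInteractiveAuthentication` defaults to true (worth confirming against the nixpkgs revision in use) and that path lets PAM accept an account password through keyboard-interactive; add `settings.KbdInteractiveAuthentication = false;` beside it so the `/etc/ssh/<user>.pub` key files are the only accepted credential. The accounts created here carry no password, but `users.mutableUsers` appears to be left at its default, so any member can later run `passwd` and the second setting is what keeps that from reopening password login. Separately, `wheelNeedsPassword = false` together with key-only SSH means a compromised key of either admin is root with no further check; that is a legitimate trade-off for a small host, but record it next to the option, e.g. `# Admin SSH keys are the only factor: a leaked key is root without re-authentication.`, and consider `security.sudo.execWheelOnly = true;` so the other members cannot even invoke the setuid sudo binary.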