NixOS/config/jawz.nix

{
  config,
  lib,
  inputs,
  ...
}:
let
  inherit (config.networking) hostName;
in
{
  sops.secrets = lib.mkIf config.my.secureHost (
    let
      baseDir = ".ssh/ed25519";
      keyConfig = file: {
        sopsFile = ../secrets/keys.yaml;
        owner = config.users.users.jawz.name;
        inherit (config.users.users.jawz) group;
        path = "/home/jawz/${file}";
      };
    in
    {
      jawz-password.neededForUsers = true;
      "private_keys/${hostName}" = keyConfig "${baseDir}_${hostName}";
      "git_private_keys/${hostName}" = keyConfig "${baseDir}_git";
    }
  );
  users.users.jawz = {
    uid = 1000;
    linger = true;
    isNormalUser = true;
    hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.jawz-password.path;
    hashedPassword =
      lib.mkIf (!config.my.secureHost)
        "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "ai"
      "piracy"
      "core"
      "glue"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];
    openssh.authorizedKeys.keyFiles = inputs.self.lib.getSshKeys [
      "deacero"
      "mac"
      "workstation"
      "server"
      "miniserver"
      "galaxy"
      "phone"
      "vps"
    ];
  };
}