{ config, pkgs, secrets, ... }: { users = { # Don't allow imperative modifications to users (incompatible with impermanence) mutableUsers = false; users = { root = { hashedPasswordFile = config.age.secrets.users-hashed-password-file.path; }; caspervk = { isNormalUser = true; description = "Casper V. Kristensen"; hashedPasswordFile = config.age.secrets.users-hashed-password-file.path; extraGroups = [ "wheel" # allows sudo "video" # allows controlling brightness # todo: systemd-journal, audio, input, power, nix ? ]; uid = 1000; packages = with pkgs; []; }; }; }; age.secrets.users-hashed-password-file = { file = "${secrets}/secrets/users-hashed-password-file.age"; mode = "400"; owner = "root"; group = "root"; }; }