I’m in the process of moving all users of my family-domain from /etc/passwd created by configuration.nix (declarative) to a real IDM (kanidm), so each family member can update their own password, authorized devices, single-sign on, 2FA tokens, etc. which is currently all impossible with /etc/passwd. Another advantage is we can self-host services that need authentication via webbrowser.
I was wondering how others deal with the following:
Home-manager NixOS module
I like the home-manager NixOS module, so all user profiles can be upgraded with one command and use the same nix revision, saving some disk-space. But Home-manager seems to depend on
config.users.users.<name> so it only works with local users. Is this correct? Is there a way to get this advantage of the Home-manager NixOS module with users not defined in
Adding non-local users to system groups
Kanidm cannot create POSIX groups with GID <= 1000, so I was wondering what is the best practice in NixOS to declaratively define who is in which (system) group?
e.g. who can do sudo, who can configure network with networkmanager, etc? The users do not exist in
config.users.users. Do you simply add the relevant user names in
config.users.groups.<name>.members? Or is there a better way?