Dealing with non-local users and system groups, home-manager

Hello,

Introduction

I’m in the process of moving all users of my family-domain from /etc/passwd created by configuration.nix (declarative) to a real IDM (kanidm), so each family member can update their own password, authorized devices, single-sign on, 2FA tokens, etc. which is currently all impossible with /etc/passwd. Another advantage is we can self-host services that need authentication via webbrowser.

I was wondering how others deal with the following:

Home-manager NixOS module

I like the home-manager NixOS module, so all user profiles can be upgraded with one command and use the same nix revision, saving some disk-space. But Home-manager seems to depend on config.users.users.<name> so it only works with local users. Is this correct? Is there a way to get this advantage of the Home-manager NixOS module with users not defined in config.users.users?

Adding non-local users to system groups

Kanidm cannot create POSIX groups with GID <= 1000, so I was wondering what is the best practice in NixOS to declaratively define who is in which (system) group?
e.g. who can do sudo, who can configure network with networkmanager, etc? The users do not exist in config.users.users. Do you simply add the relevant user names in config.users.groups.<name>.members? Or is there a better way?

1 Like

Sounds interesting.
Did you figure any of this out?