-rw-r--r-- | default.nix | 12 | ||||
-rw-r--r-- | modules/contracts/declarativeUsers.nix | 14 | ||||
-rw-r--r-- | modules/hardcodedUsers.nix | 20 | ||||
-rw-r--r-- | modules/usersDeclarativeUsers.nix | 17 |
4 files changed, 63 insertions, 0 deletions
diff --git a/default.nix b/default.nix
index cf5673c..a28f7da 100644
--- a/default.nix
+++ b/default.nix
@@ -7,6 +7,9 @@ eval {
 ({ config, pkgs, self, ... }: {
 imports = [
 ./modules/asecret.nix
+ ./modules/contracts/declarativeUsers.nix
+ ./modules/hardcodedUsers.nix
+ ./modules/usersDeclarativeUsers.nix
 ./modules/userSecret.nix
 self.config.outputs.nixosModules.asecret
 ];
@@ -14,6 +17,15 @@ eval {
 asecret.rootPassword.secret.consumer = config.users.users.root.passwordSecret;
 users.users.root.passwordSecret.provider = config.asecret.rootPassword.secret;
+
+ hardcodedUsers.default.users = {
+ root = {};
+ aforemny = {};
+ kirchner = {};
+ };
+
+ users.declarativeUsers.provider = config.hardcodedUsers.default.declarativeUsers;
+ hardcodedUsers.declarativeUsers.default.consumer = config.users.declarativeUsers;
 })
 ];
 machines.alice = {
diff --git a/modules/contracts/declarativeUsers.nix b/modules/contracts/declarativeUsers.nix
new file mode 100644
index 0000000..79ba00f
--- /dev/null
+++ b/modules/contracts/declarativeUsers.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+{
+ contracts.declarativeUsers = {
+ meta = {
+ maintainers = [];
+ description = "";
+ };
+ input = {};
+ output.options.users = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {});
+ default = {};
+ };
+ };
+}
diff --git a/modules/hardcodedUsers.nix b/modules/hardcodedUsers.nix
new file mode 100644
index 0000000..344daf2
--- /dev/null
+++ b/modules/hardcodedUsers.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }: {
+ options.hardcodedUsers = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule (mod: {
+ options = {
+ users = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {});
+ default = {};
+ };
+ declarativeUsers = lib.mkOption {
+ type = config.contracts.declarativeUsers.provider;
+ default = null;
+ };
+ };
+ }));
+ default = {};
+ };
+ config.hardcodedUsers.default.declarativeUsers.output = {
+ inherit (config.hardcodedUsers.default) users;
+ };
+}
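Review bot: In the second default.nix hunk the consumer side is wired at `hardcodedUsers.declarativeUsers.default.consumer`, while the provider line just above reads `config.hardcodedUsers.default.declarativeUsers`; the instance name and the option name are swapped. modules/hardcodedUsers.nix in this same commit declares only `users` and `declarativeUsers` under each instance, so the swapped path defines an instance called `declarativeUsers` with an undeclared attribute `default`, which presumably fails evaluation or leaves the consumer unset. Following the `asecret.rootPassword.secret.consumer` pattern in the context lines, I would expect `hardcodedUsers.default.declarativeUsers.consumer = config.users.declarativeUsers;`. The enclosing module body starts and ends outside the hunk.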
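Review bot: `meta.description` is an empty string and `maintainers` is empty in modules/contracts/declarativeUsers.nix, so the contract says nothing about what `output.users` means. The consumer added in this commit turns every attribute name into an account and a group, which is worth stating at the contract, e.g. `description = "Accounts the provider declares; each attribute name becomes a login name on the consumer side.";`. The per-user submodule has no options, so the contract carries names only and every privilege decision is left to the consumer.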
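Review bot: In modules/hardcodedUsers.nix the output is wired only for the instance named `default` (`config.hardcodedUsers.default.declarativeUsers.output`), and the submodule argument `mod` is never used. Any other instance keeps `declarativeUsers = null`, and the option type is the bare provider type rather than `lib.types.nullOr` as on the consumer side, so that default likely does not type-check when it is read. Setting the value inside the submodule, `config.declarativeUsers.output = { inherit (mod.config) users; };`, would cover every instance and would stop the module from always creating a `default` instance.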
diff --git a/modules/usersDeclarativeUsers.nix b/modules/usersDeclarativeUsers.nix
new file mode 100644
index 0000000..2b5e2fc
--- /dev/null
+++ b/modules/usersDeclarativeUsers.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+{
+ options.users.declarativeUsers = lib.mkOption {
+ type = lib.types.nullOr config.contracts.declarativeUsers.consumer;
+ default = null;
+ };
+ config = lib.mkIf (config.users.declarativeUsers != null) {
+ users = {
+ users = lib.mapAttrs (name: _: {
+ isNormalUser = lib.mkIf (name != "root") (lib.mkDefault true);
+ })
+ config.users.declarativeUsers.output.users;
+ groups = lib.mapAttrs (_: _: {})
+ config.users.declarativeUsers.output.users;
+ };
+ };
+} |
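Review bot: The `groups` mapping creates one group per declared name, but nothing in the `users` mapping sets `group`, so the accounts are never placed in those groups. Unless another module assigns it, normal users fall back to the stock NixOS primary group (`users`, as far as I recall), which means the declared accounts share a primary group and the per-user groups stay empty. If private groups are the intent, add `group = lib.mkIf (name != "root") (lib.mkDefault name);` next to `isNormalUser`; if not, drop the `groups` mapping. It also defines `users.groups.root`, which is worth excluding the same way `root` is excluded for `isNormalUser`.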