no wheel for thy

base.nix

@@ -52,9 +52,9 @@
     "nix-command"
     "flakes"
   ];
-  nix.settings.allowed-users = [ "*" ]; # default
+  #nix.settings.allowed-users = [ "@builders" ]; # TODO: this
-  #nix.settings.allowed-users = [ "@nixbld" "@builders" ]; # TODO: this
+  nix.settings.allowed-users = [ "root" "pbsds" "@wheel" ]; # default is [ "*" ]
-  nix.settings.trusted-users = [ "root" "@wheel" ];
+  nix.settings.trusted-users = [ "root" "pbsds" "@wheel" ];
   nix.settings.keep-derivations = true; # great with nix-diff
   nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
   nix.settings.max-silent-time = 3600;

users/adrlau/default.nix

@@ -2,11 +2,14 @@
 {
   /* programs.zsh.enable = true; */
 
+  nix.settings.allowed-users = [ "adrlau" ];
+  nix.settings.trusted-users = [ "adrlau" ];
+
   users.users.adrlau = {
     isNormalUser = true;
     uid = 1007;
     description = "Adrian";
-    extraGroups = [ "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     /* shell = pkgs.zsh; */
 
     openssh.authorizedKeys.keys = [

users/bartvbl/default.nix

@@ -1,11 +1,14 @@
 { config, pkgs, lib, ... }:
 {
 
+  nix.settings.allowed-users = [ "bartvbl" ];
+  nix.settings.trusted-users = [ "bartvbl" ];
+
   users.users.bartvbl = {
     isNormalUser = true;
     uid = 1004;
     description = "Bart Iver van Blokland";
-    extraGroups = [ "networkmanager" "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     shell = pkgs.bashInteractive;
     packages = with pkgs; [
       rsync

users/daniel/default.nix

@@ -2,11 +2,14 @@
 {
   programs.zsh.enable = true;
 
+  nix.settings.allowed-users = [ "daniel" ];
+  nix.settings.trusted-users = [ "daniel" ];
+
   users.users.daniel = {
     isNormalUser = true;
     uid = 1003;
     description = "daniel";
-    extraGroups = [ "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     shell = pkgs.zsh;
     packages = with pkgs; [
       kitty.terminfo

users/eirikwit/default.nix

@@ -2,11 +2,14 @@
 {
   programs.zsh.enable = true;
 
+  nix.settings.allowed-users = [ "eirikwit" ];
+  nix.settings.trusted-users = [ "eirikwit" ];
+
   users.users.eirikwit = {
     isNormalUser = true;
     uid = 1005;
     description = "eirik";
-    extraGroups = [ "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     shell = pkgs.zsh;
 
     openssh.authorizedKeys.keys = [

users/h7x4/default.nix

@@ -2,11 +2,14 @@
 {
   programs.zsh.enable = true;
 
+  nix.settings.allowed-users = [ "h7x4" ];
+  nix.settings.trusted-users = [ "h7x4" ];
+
   users.users.h7x4 = {
     isNormalUser = true;
     uid = 1006;
     description = "Øystein";
-    extraGroups = [ "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     shell = pkgs.zsh;
 
     openssh.authorizedKeys.keys = [

users/jornane/default.nix

@@ -2,11 +2,14 @@
 {
   programs.zsh.enable = true;
 
+  nix.settings.allowed-users = [ "jornane" ];
+  nix.settings.trusted-users = [ "jornane" ];
+
   users.users.jornane = {
     isNormalUser = true;
     uid = 1002;
     description = "jornane";
-    extraGroups = [ "networkmanager" "wheel" ]; # TODO: NAS stuff
+    extraGroups = [ "users" ];
     shell = pkgs.zsh;
 
     openssh.authorizedKeys.keys = [

users/pbsds/default.nix

@@ -30,6 +30,10 @@
     then import ./home/gnome.nix
     else import ./home;
 
+
+  nix.settings.allowed-users = [ "pbsds" ];
+  nix.settings.trusted-users = [ "pbsds" ];
+
   users.groups.pbsds.gid = 1001; # TODO: remove this, add a uid map to NFS instead
   users.users.pbsds = {
     isNormalUser = true;
@@ -37,6 +41,7 @@
     description = "pbsds";
     extraGroups = [
       "pbsds"
+      "users" # backward compat
       "networkmanager"
       "audio"
       "sound"
@@ -44,7 +49,6 @@
       "input"
       "tty"
       "wheel"
-      "nixbld"
       # TODO: NAS stuff
     ] ++ lib.optionals config.virtualisation.docker.enable [
       "docker"