old
 1{
 2  myvars,
 3  config,
 4  ...
 5}: {
 6  # Don't allow mutation of users outside the config.
 7  users.mutableUsers = false;
 8
 9  users.groups = {
10    "${myvars.username}" = {};
11    ssh-secrets-users = {};
12  };
13
14  users.users."${myvars.username}" = {
15    # generated by `mkpasswd -m scrypt`
16    # we have to use initialHashedPassword here when using tmpfs for /
17    inherit (myvars) initialHashedPassword;
18    home = "/home/${myvars.username}";
19    isNormalUser = true;
20    extraGroups = [
21      myvars.username
22      "users"
23      "networkmanager"
24      "wheel"
25      "aria2"
26      "ssh-secrets-users"
27    ];
28  };
29
30  # root's ssh key are mainly used for remote deployment
31  users.users.root = {
32    inherit (myvars) initialHashedPassword;
33    openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;
34  };
35}