nixos-config/modules/users.nix

{ config, pkgs, lib, ... }: {
  security.apparmor.enable = true;
  programs.firejail.enable = true;
  users.mutableUsers = false;
  users.users.balsoft = {
    isNormalUser = true;
    extraGroups = [
      "sudo"
      "wheel"
      "networkmanager"
      "disk"
      "dbus"
      "audio"
      "docker"
      "sound"
      "pulse"
      "adbusers"
      "input"
      "libvirtd"
      "vboxusers"
      "wireshark"
    ];
    description = "Александр Бантьев";
    uid = 1000;
    password = "";
  };

  systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };

  home-manager.users.balsoft.home.activation.yubi = {
    data =
      "[ -s /home/balsoft/.config/Yubico/u2f_keys ] || (pamu2fcfg > /home/balsoft/.config/Yubico/u2f_keys)";
    after = [ "linkGeneration" ];
    before = [ ];
  };
  home-manager.users.balsoft.home.sessionVariables.XDG_RUNTIME_DIR =
    "/run/user/1000";

  services.udev.extraRules = ''
    ACTION=="remove", ATTRS{idVendor}=="1050", RUN+="${
      pkgs.writeShellScript "lock-system"
      "/run/wrappers/bin/sudo -u balsoft XDG_RUNTIME_DIR=/run/user/1000/ ${pkgs.swaylock}/bin/swaylock -f -c ${
        builtins.substring 1 7 config.themes.colors.bg
      }"
    }"'';
  security.pam.u2f = {
    control = "sufficient";
    cue = true;
    enable = true;
  };

  security.pam.services.default = {
    unixAuth = false;
    text = lib.mkAfter ''
      auth     required pam_warn.so
      auth     required pam_deny.so
      account  required pam_warn.so
      account  required pam_deny.so
      password required pam_warn.so
      password required pam_deny.so
      session  required pam_warn.so
      session  required pam_deny.so
    '';
  };

  security.sudo = {
    enable = true;
    extraConfig = ''
      balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -A 5
      balsoft ALL = (root) NOPASSWD: ${pkgs.light}/bin/light -U 5
    '';
  };
  nix.requireSignedBinaryCaches = false;
  home-manager.useUserPackages = true;
}