Validate username once in flake

Co-authored-by: ragusa-it <196988693+ragusa-it@users.noreply.github.com>

flake.nix

@@ -40,9 +40,15 @@
     hostname = "atlas";
     username = "pinj";
     lib = nixpkgs.lib;
+    usernameValid =
+      builtins.match "^[a-z_][a-z0-9_]*$" username != null
+      && builtins.match "^_+$" username == null
+      && builtins.match "^nix" username == null
+      && username != "root";
     hostConfig = ./hosts + "/${hostname}/hardware-configuration.nix";
-    passwordHashPath = "/etc/nixos/secrets/${username}/password.hash";
+    passwordHashPath = assert usernameValid;
-    specialArgs = { inherit inputs system hostname username passwordHashPath; };
+      "/etc/nixos/secrets/${username}/password.hash";
+    specialArgs = { inherit inputs system hostname username usernameValid passwordHashPath; };
 
     # Verify mango flake exports the expected module
     mangoModule = assert lib.hasAttrByPath [ "nixosModules" "mango" ] mango;

modules/common.nix

@@ -1,10 +1,10 @@
-{ config, pkgs, inputs, system, hostname, username, passwordHashPath, ... }:
+{ config, pkgs, inputs, system, hostname, username, usernameValid, passwordHashPath, ... }:
 
 {
   assertions = [
     {
-      assertion = builtins.match "^[a-z_][a-z0-9_]*$" username != null;
+      assertion = usernameValid;
-      message = "username must be a simple system user name without path separators.";
+      message = "username must be a simple system user name and not reserved.";
     }
   ];
   # --------------------------------------------------------------------------