don't use rootless docker on 'andromache', but keep it as an option

hosts/andromache/default.nix

@@ -41,6 +41,7 @@ in
   ];
 
   secrets.username = username;
+  docker.user = username;
 
   disko.devices = {
     disk.data = {

modules/docker.nix

@@ -1,9 +1,44 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.docker;
+in
 {
-  virtualisation.docker = {
+  options.docker = {
-    enable = false;
+    rootless = lib.mkOption {
-    rootless = {
+      type = lib.types.bool;
-      enable = true;
+      default = false;
-      setSocketVariable = true;
+    };
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
     };
   };
+  config = lib.mkMerge [
+    {
+      warnings = lib.flatten [
+        (lib.optional (
+          cfg.rootless && cfg.user != null
+        ) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
+        (lib.optional (
+          !cfg.rootless && cfg.user == null
+        ) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
+      ];
+    }
+    (lib.mkIf cfg.rootless {
+      virtualisation.docker = {
+        enable = false;
+        rootless = {
+          enable = true;
+          setSocketVariable = true;
+        };
+      };
+    })
+    (lib.mkIf (!cfg.rootless && cfg.user != null) {
+      virtualisation.docker = {
+        enable = true;
+      };
+      users.users.${cfg.user}.extraGroups = [ "docker" ];
+    })
+  ];
 }