From 5366d07d44f7622d0188a74a9b745fa545e9d4b1 Mon Sep 17 00:00:00 2001
From: b12f
Date: Tue, 12 Nov 2024 20:22:25 +0100
Subject: [PATCH] auth: add user for each administrator
After this has been tested successfully, root SSH login can be disabled. The advantages of having a user for each adminstrator:
* Better security analysis: who issued executed what command, who touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to manage service Y
---
 logins/default.nix | 15 +++------
 modules/core/users.nix | 74 ++++++++++++++++++++----------------------
 2 files changed, 39 insertions(+), 50 deletions(-)
diff --git a/logins/default.nix b/logins/default.nix
index cf81ff40..65de0a7e 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -6,18 +6,11 @@ in {
 flake = {
 logins = {
- admins =
+ admins = admins;
+ wireguardDevices = lib.lists.foldl
- (logins: adminConfig: {
- sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
- wireguardDevices =
- logins.wireguardDevices
- ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
- })
- {
- sshPubKeys = [ ];
- wireguardDevices = [ ];
- }
+ (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
+ [ ]
 (lib.attrsets.attrValues admins);
 robots.sshPubKeys = lib.attrsets.attrValues robots;
 };
diff --git a/modules/core/users.nix b/modules/core/users.nix
index 5ff79454..b0b43574 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
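Review bot: `admins = admins;` changes the shape of `flake.logins.admins` from the aggregated `{ sshPubKeys; wireguardDevices }` record built by the removed fold to the raw per-administrator attrset, and nothing in the hunk documents the new contract; any consumer still reading `logins.admins.sshPubKeys` now looks that attribute up on the map of admins and fails at evaluation. A comment above the line such as `# admins: name -> { sshPubKeys = { label = key; ... }; wireguardDevices ? [ ... ] }; consumers derive per-user keys from it` would make the change explicit. The new foldl lambda can also drop the `?`/`if` construct in favour of the `or` operator, `(wireguardDevices: adminConfig: wireguardDevices ++ (adminConfig.wireguardDevices or [ ]))`, which reads more clearly on one line. The enclosing `flake` attrset opens in the hunk's leading context and closes outside the hunk.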
@@ -11,18 +11,6 @@ inherit (lib) mkOption types; in {
- username = mkOption {
- description = "Username for the adminstrative user";
- type = types.str;
- default = flake.self.username;
- };
-
- sshPubKeys = mkOption {
- description = "SSH Keys that should have administrative root access";
- type = types.listOf types.str;
- default = flake.self.logins.admins.sshPubKeys;
- };
-
 root.initialHashedPassword = mkOption {
 description = "Hashed password of the root account";
 type = types.str;
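Review bot: Removing the `sshPubKeys` option here leaves a dangling reference in the last hunk of this file, where `root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;` still reads it; unless another module not shown here declares that option, evaluation fails with a missing-attribute error and the root fallback the commit message relies on is gone. Either keep the option and point its default at the new per-admin map, `default = lib.lists.concatMap (a: lib.attrsets.attrValues a.sshPubKeys) (lib.attrsets.attrValues flake.self.logins.admins);`, or derive root's keys directly from `flake.self.logins.admins` in the config hunk. Dropping the `username` option is consistent with the per-admin users and needs nothing further. The enclosing options attrset opens and closes outside the hunk.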
@@ -43,36 +31,44 @@ }; config = {
- users.users.${config.pub-solar-os.authentication.username} = {
- name = config.pub-solar-os.authentication.username;
- group = config.pub-solar-os.authentication.username;
- extraGroups = [
- "wheel"
- "docker"
- ];
- isNormalUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
- };
- users.groups.${config.pub-solar-os.authentication.username} = { };
+ users.users = (lib.attrsets.foldlAttrs
+ (acc: name: value: acc // { ${name} = {
+ name = name;
+ group = name;
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+ };
+ })
+ { }
+ flake.self.logins.admins)
+ // {
+ # TODO: Remove when we stop locking ourselves out.
+ root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
- # TODO: Remove when we stop locking ourselves out.
- users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
-
- users.users.${config.pub-solar-os.authentication.robot.username} = {
- description = "CI and automation user";
- home = "/home/${config.pub-solar-os.authentication.robot.username}";
- createHome = true;
- useDefaultShell = true;
- uid = 998;
- group = "${config.pub-solar-os.authentication.robot.username}";
- isSystemUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+ ${config.pub-solar-os.authentication.robot.username} = {
+ description = "CI and automation user";
+ home = "/home/${config.pub-solar-os.authentication.robot.username}";
+ createHome = true;
+ useDefaultShell = true;
+ uid = 998;
+ group = "${config.pub-solar-os.authentication.robot.username}";
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+ };
 };
- users.groups.${config.pub-solar-os.authentication.robot.username} = { };
-
- users.users.root.initialHashedPassword =
- config.pub-solar-os.authentication.root.initialHashedPassword;
+ users.groups = (lib.attrsets.foldlAttrs
+ (acc: name: value: acc // { "${name}" = { }; })
+ { }
+ flake.self.logins.admins)
+ // {
+ ${config.pub-solar-os.authentication.robot.username} = { };
+ };
 security.sudo.wheelNeedsPassword = false;
 };
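Review bot: Both `//` merges in this hunk let the right-hand literal silently replace a folded entry when an administrator in `flake.self.logins.admins` is named `root` or shares `config.pub-solar-os.authentication.robot.username`, so one account definition would vanish without any evaluation error; an assertion inside `config`, shown below, turns that into a hard failure. Every administrator also now lands in `wheel` and `docker` with `security.sudo.wheelNeedsPassword = false;` left as is, which is the same root-equivalent access the single admin had before but multiplied across accounts, so the granular-access goal from the commit message remains future work and deserves a comment at the users fold saying so. As a point of style, the groups fold quotes its key as `"${name}"` while the users fold writes `${name}`; the two should match. The `config` attrset opens in the hunk's leading context and appears to close at the hunk's last line.
```nix
      # Per-admin entries are folded first and the literal on the right of `//`
      # wins, so a name collision would silently drop an administrator account.
      assertions = [
        {
          assertion = !(lib.lists.any
            (n: n == "root" || n == config.pub-solar-os.authentication.robot.username)
            (lib.attrsets.attrNames flake.self.logins.admins));
          message = "pub-solar-os.authentication: an administrator name collides with 'root' or the robot user";
        }
      ];
      # … unchanged: users.users / users.groups folds, sudo setting …
```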