1
0
Fork 0
forked from pub-solar/infra

auth: add user for each administrator

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
This commit is contained in:
b12f 2024-11-12 20:22:25 +01:00 committed by teutat3s
parent 10f71b1959
commit 5366d07d44
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 39 additions and 50 deletions

View file

@ -6,18 +6,11 @@ in
{ {
flake = { flake = {
logins = { logins = {
admins = admins = admins;
wireguardDevices =
lib.lists.foldl lib.lists.foldl
(logins: adminConfig: { (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys); [ ]
wireguardDevices =
logins.wireguardDevices
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
})
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins); (lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };

View file

@ -11,18 +11,6 @@
inherit (lib) mkOption types; inherit (lib) mkOption types;
in in
{ {
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption { root.initialHashedPassword = mkOption {
description = "Hashed password of the root account"; description = "Hashed password of the root account";
type = types.str; type = types.str;
@ -43,36 +31,44 @@
}; };
config = { config = {
users.users.${config.pub-solar-os.authentication.username} = { users.users = (lib.attrsets.foldlAttrs
name = config.pub-solar-os.authentication.username; (acc: name: value: acc // { ${name} = {
group = config.pub-solar-os.authentication.username; name = name;
extraGroups = [ group = name;
"wheel" extraGroups = [
"docker" "wheel"
]; "docker"
isNormalUser = true; ];
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; isNormalUser = true;
}; openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
users.groups.${config.pub-solar-os.authentication.username} = { }; };
})
{ }
flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
# TODO: Remove when we stop locking ourselves out. ${config.pub-solar-os.authentication.robot.username} = {
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}";
users.users.${config.pub-solar-os.authentication.robot.username} = { createHome = true;
description = "CI and automation user"; useDefaultShell = true;
home = "/home/${config.pub-solar-os.authentication.robot.username}"; uid = 998;
createHome = true; group = "${config.pub-solar-os.authentication.robot.username}";
useDefaultShell = true; isSystemUser = true;
uid = 998; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
group = "${config.pub-solar-os.authentication.robot.username}"; };
isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
}; };
users.groups.${config.pub-solar-os.authentication.robot.username} = { }; users.groups = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { "${name}" = { }; })
users.users.root.initialHashedPassword = { }
config.pub-solar-os.authentication.root.initialHashedPassword; flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };