forked from pub-solar/infra
auth: add user for each administrator
After this has been tested successfully, root SSH login can be disabled. The advantages of having a user for each adminstrator: * Better security analysis: who issued executed what command, who touched which file, who used sudo at which time. * Possibility of granular access, e.g. person X is only allowed to manage service Y
This commit is contained in:
parent
10f71b1959
commit
5366d07d44
|
@ -6,18 +6,11 @@ in
|
||||||
{
|
{
|
||||||
flake = {
|
flake = {
|
||||||
logins = {
|
logins = {
|
||||||
admins =
|
admins = admins;
|
||||||
|
wireguardDevices =
|
||||||
lib.lists.foldl
|
lib.lists.foldl
|
||||||
(logins: adminConfig: {
|
(wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
|
||||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
[ ]
|
||||||
wireguardDevices =
|
|
||||||
logins.wireguardDevices
|
|
||||||
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
|
|
||||||
})
|
|
||||||
{
|
|
||||||
sshPubKeys = [ ];
|
|
||||||
wireguardDevices = [ ];
|
|
||||||
}
|
|
||||||
(lib.attrsets.attrValues admins);
|
(lib.attrsets.attrValues admins);
|
||||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||||
};
|
};
|
||||||
|
|
|
@ -11,18 +11,6 @@
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
username = mkOption {
|
|
||||||
description = "Username for the adminstrative user";
|
|
||||||
type = types.str;
|
|
||||||
default = flake.self.username;
|
|
||||||
};
|
|
||||||
|
|
||||||
sshPubKeys = mkOption {
|
|
||||||
description = "SSH Keys that should have administrative root access";
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = flake.self.logins.admins.sshPubKeys;
|
|
||||||
};
|
|
||||||
|
|
||||||
root.initialHashedPassword = mkOption {
|
root.initialHashedPassword = mkOption {
|
||||||
description = "Hashed password of the root account";
|
description = "Hashed password of the root account";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -43,36 +31,44 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
users.users.${config.pub-solar-os.authentication.username} = {
|
users.users = (lib.attrsets.foldlAttrs
|
||||||
name = config.pub-solar-os.authentication.username;
|
(acc: name: value: acc // { ${name} = {
|
||||||
group = config.pub-solar-os.authentication.username;
|
name = name;
|
||||||
extraGroups = [
|
group = name;
|
||||||
"wheel"
|
extraGroups = [
|
||||||
"docker"
|
"wheel"
|
||||||
];
|
"docker"
|
||||||
isNormalUser = true;
|
];
|
||||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
isNormalUser = true;
|
||||||
};
|
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
|
||||||
users.groups.${config.pub-solar-os.authentication.username} = { };
|
};
|
||||||
|
})
|
||||||
|
{ }
|
||||||
|
flake.self.logins.admins)
|
||||||
|
// {
|
||||||
|
# TODO: Remove when we stop locking ourselves out.
|
||||||
|
root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||||
|
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||||
|
|
||||||
# TODO: Remove when we stop locking ourselves out.
|
${config.pub-solar-os.authentication.robot.username} = {
|
||||||
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
description = "CI and automation user";
|
||||||
|
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||||
users.users.${config.pub-solar-os.authentication.robot.username} = {
|
createHome = true;
|
||||||
description = "CI and automation user";
|
useDefaultShell = true;
|
||||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
uid = 998;
|
||||||
createHome = true;
|
group = "${config.pub-solar-os.authentication.robot.username}";
|
||||||
useDefaultShell = true;
|
isSystemUser = true;
|
||||||
uid = 998;
|
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||||
group = "${config.pub-solar-os.authentication.robot.username}";
|
};
|
||||||
isSystemUser = true;
|
|
||||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
|
users.groups = (lib.attrsets.foldlAttrs
|
||||||
|
(acc: name: value: acc // { "${name}" = { }; })
|
||||||
users.users.root.initialHashedPassword =
|
{ }
|
||||||
config.pub-solar-os.authentication.root.initialHashedPassword;
|
flake.self.logins.admins)
|
||||||
|
// {
|
||||||
|
${config.pub-solar-os.authentication.robot.username} = { };
|
||||||
|
};
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue