auth: use all sshPubKeys for disk unlock, fix tests, fix hm config

This commit is contained in:
b12f 2024-11-12 21:04:44 +01:00 committed by teutat3s
parent acc537decd
commit eb63779bb6
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
8 changed files with 47 additions and 26 deletions

View file

@ -11,6 +11,11 @@ in
wireguardDevices: adminConfig: wireguardDevices: adminConfig:
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]) wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
) [ ] (lib.attrsets.attrValues admins); ) [ ] (lib.attrsets.attrValues admins);
sshPubKeys = lib.lists.foldl (
sshPubKeys: adminConfig:
sshPubKeys
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
) [ ] (lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };
}; };

View file

@ -54,9 +54,5 @@
}; };
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
home-manager.users.${config.pub-solar-os.authentication.username} = {
home.stateVersion = "23.05";
};
}; };
} }

View file

@ -1,6 +1,11 @@
{ flake, config, ... }: { flake, lib, ... }:
{ {
home-manager.users.${config.pub-solar-os.authentication.username} = { home-manager.users = (
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
programs.git.enable = true; programs.git.enable = true;
programs.starship.enable = true; programs.starship.enable = true;
programs.bash.enable = true; programs.bash.enable = true;
@ -16,4 +21,7 @@
# }; # };
}; };
}; };
}
) { } flake.self.logins.admins
);
} }

View file

@ -50,7 +50,7 @@
) { } flake.self.logins.admins) ) { } flake.self.logins.admins)
// { // {
# TODO: Remove when we stop locking ourselves out. # TODO: Remove when we stop locking ourselves out.
root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword; root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
${config.pub-solar-os.authentication.robot.username} = { ${config.pub-solar-os.authentication.robot.username} = {
@ -65,6 +65,18 @@
}; };
}; };
home-manager.users = (
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
home.stateVersion = "23.05";
};
}
) { } flake.self.logins.admins
);
users.groups = users.groups =
(lib.attrsets.foldlAttrs ( (lib.attrsets.foldlAttrs (
acc: name: value: acc: name: value:

View file

@ -10,7 +10,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; authorizedKeys = flake.self.logins.sshPubKeys;
}; };
postCommands = '' postCommands = ''
# Automatically ask for the password on SSH login # Automatically ask for the password on SSH login

View file

@ -11,7 +11,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; authorizedKeys = flake.self.logins.sshPubKeys;
}; };
# this will automatically load the zfs password prompt on login # this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue # and kill the other prompt so boot can continue

View file

@ -66,7 +66,7 @@ in
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let let
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username}; user = nodes.client.users.users.b12f;
#uid = toString user.uid; #uid = toString user.uid;
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus"; bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
gdbus = "${bus} gdbus"; gdbus = "${bus} gdbus";

View file

@ -11,7 +11,7 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username; services.xserver.displayManager.autoLogin.user = "b12f";
systemd.user.services = { systemd.user.services = {
"org.gnome.Shell@wayland" = { "org.gnome.Shell@wayland" = {