auth: add user for each administrator

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
This commit is contained in:
b12f 2024-11-12 20:22:25 +01:00 committed by teutat3s
parent 10f71b1959
commit 5366d07d44
Signed by untrusted user: teutat3s
GPG key ID: 4FA1D3FA524F22C1
2 changed files with 39 additions and 50 deletions

View file

@ -6,18 +6,11 @@ in
{
flake = {
logins = {
admins =
lib.lists.foldl
(logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
admins = admins;
wireguardDevices =
logins.wireguardDevices
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
})
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
lib.lists.foldl
(wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
[ ]
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots;
};

View file

@ -11,18 +11,6 @@
inherit (lib) mkOption types;
in
{
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption {
description = "Hashed password of the root account";
type = types.str;
@ -43,22 +31,26 @@
};
config = {
users.users.${config.pub-solar-os.authentication.username} = {
name = config.pub-solar-os.authentication.username;
group = config.pub-solar-os.authentication.username;
users.users = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { ${name} = {
name = name;
group = name;
extraGroups = [
"wheel"
"docker"
];
isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
};
users.groups.${config.pub-solar-os.authentication.username} = { };
})
{ }
flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
users.users.${config.pub-solar-os.authentication.robot.username} = {
${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true;
@ -68,11 +60,15 @@
isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
};
};
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
users.users.root.initialHashedPassword =
config.pub-solar-os.authentication.root.initialHashedPassword;
users.groups = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { "${name}" = { }; })
{ }
flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false;
};