auth: add user for each administrator
Some checks failed
Flake checks / Check (pull_request) Failing after 25s

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
This commit is contained in:
b12f 2024-11-12 20:22:25 +01:00
parent da529b023e
commit daf2a34274
Signed by: b12f
GPG key ID: 729956E1124F8F26
2 changed files with 39 additions and 50 deletions

View file

@ -6,18 +6,11 @@ in
{ {
flake = { flake = {
logins = { logins = {
admins = admins = admins;
lib.lists.foldl
(logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices = wireguardDevices =
logins.wireguardDevices lib.lists.foldl
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]); (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
}) [ ]
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins); (lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };

View file

@ -11,18 +11,6 @@
inherit (lib) mkOption types; inherit (lib) mkOption types;
in in
{ {
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption { root.initialHashedPassword = mkOption {
description = "Hashed password of the root account"; description = "Hashed password of the root account";
type = types.str; type = types.str;
@ -43,22 +31,26 @@
}; };
config = { config = {
users.users.${config.pub-solar-os.authentication.username} = { users.users = (lib.attrsets.foldlAttrs
name = config.pub-solar-os.authentication.username; (acc: name: value: acc // { ${name} = {
group = config.pub-solar-os.authentication.username; name = name;
group = name;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker" "docker"
]; ];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
}; };
users.groups.${config.pub-solar-os.authentication.username} = { }; })
{ }
flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out. # TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
users.users.${config.pub-solar-os.authentication.robot.username} = { ${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user"; description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}"; home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true; createHome = true;
@ -68,11 +60,15 @@
isSystemUser = true; isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
}; };
};
users.groups.${config.pub-solar-os.authentication.robot.username} = { }; users.groups = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { "${name}" = { }; })
users.users.root.initialHashedPassword = { }
config.pub-solar-os.authentication.root.initialHashedPassword; flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };