From eb63779bb68f14b07eb42b57d97acd993295da9c Mon Sep 17 00:00:00 2001
From: b12f <git@benjaminbaedorf.eu>
Date: Tue, 12 Nov 2024 21:04:44 +0100
Subject: [PATCH] auth: use all sshPubKeys for disk unlock, fix tests, fix hm
config
---
logins/default.nix | 5 +++
modules/core/default.nix | 4 ---
modules/core/terminal-tooling.nix | 42 +++++++++++++++----------
modules/core/users.nix | 14 ++++++++-
modules/unlock-luks-on-boot/default.nix | 2 +-
modules/unlock-zfs-on-boot/default.nix | 2 +-
tests/keycloak.nix | 2 +-
tests/support/client.nix | 2 +-
8 files changed, 47 insertions(+), 26 deletions(-)
diff --git a/logins/default.nix b/logins/default.nix
index dfd2775..0493ca8 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -11,6 +11,11 @@ in
wireguardDevices: adminConfig:
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
) [ ] (lib.attrsets.attrValues admins);
+ sshPubKeys = lib.lists.foldl (
+ sshPubKeys: adminConfig:
+ sshPubKeys
+ ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
+ ) [ ] (lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots;
};
};
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 64d4c76..f0914fd 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -54,9 +54,5 @@
};
time.timeZone = "Etc/UTC";
-
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- home.stateVersion = "23.05";
- };
};
}
diff --git a/modules/core/terminal-tooling.nix b/modules/core/terminal-tooling.nix
index 823898a..dd0a82f 100644
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
{
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- programs.git.enable = true;
- programs.starship.enable = true;
- programs.bash.enable = true;
- programs.neovim = {
- enable = true;
- vimAlias = true;
- viAlias = true;
- defaultEditor = true;
- # configure = {
- # packages.myVimPackages = with pkgs.vimPlugins; {
- # start = [vim-nix vim-surrund rainbow];
- # };
- # };
- };
- };
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ programs.git.enable = true;
+ programs.starship.enable = true;
+ programs.bash.enable = true;
+ programs.neovim = {
+ enable = true;
+ vimAlias = true;
+ viAlias = true;
+ defaultEditor = true;
+ # configure = {
+ # packages.myVimPackages = with pkgs.vimPlugins; {
+ # start = [vim-nix vim-surrund rainbow];
+ # };
+ # };
+ };
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
}
diff --git a/modules/core/users.nix b/modules/core/users.nix
index f296c85..d3a1cfc 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -50,7 +50,7 @@
) { } flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
- root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
${config.pub-solar-os.authentication.robot.username} = {
@@ -65,6 +65,18 @@
};
};
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ home.stateVersion = "23.05";
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
+
users.groups =
(lib.attrsets.foldlAttrs (
acc: name: value:
diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix
index 0952188..fd8c547 100644
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
@@ -10,7 +10,7 @@
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
};
postCommands = ''
# Automatically ask for the password on SSH login
diff --git a/modules/unlock-zfs-on-boot/default.nix b/modules/unlock-zfs-on-boot/default.nix
index 2e68b39..586f944 100644
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@@ -11,7 +11,7 @@
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
};
# this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue
diff --git a/tests/keycloak.nix b/tests/keycloak.nix
index 5e735fd..59b085a 100644
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@@ -66,7 +66,7 @@ in
testScript =
{ nodes, ... }:
let
- user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+ user = nodes.client.users.users.b12f;
#uid = toString user.uid;
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
gdbus = "${bus} gdbus";
diff --git a/tests/support/client.nix b/tests/support/client.nix
index 41e97f0..c34c847 100644
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@@ -11,7 +11,7 @@
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
- services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+ services.xserver.displayManager.autoLogin.user = "b12f";
systemd.user.services = {
"org.gnome.Shell@wayland" = {