From eb63779bb68f14b07eb42b57d97acd993295da9c Mon Sep 17 00:00:00 2001 From: b12f Date: Tue, 12 Nov 2024 21:04:44 +0100 Subject: [PATCH] auth: use all sshPubKeys for disk unlock, fix tests, fix hm config --- logins/default.nix | 5 +++ modules/core/default.nix | 4 --- modules/core/terminal-tooling.nix | 42 +++++++++++++++---------- modules/core/users.nix | 14 ++++++++- modules/unlock-luks-on-boot/default.nix | 2 +- modules/unlock-zfs-on-boot/default.nix | 2 +- tests/keycloak.nix | 2 +- tests/support/client.nix | 2 +- 8 files changed, 47 insertions(+), 26 deletions(-) diff --git a/logins/default.nix b/logins/default.nix index dfd2775..0493ca8 100644 --- a/logins/default.nix +++ b/logins/default.nix @@ -11,6 +11,11 @@ in wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]) ) [ ] (lib.attrsets.attrValues admins); + sshPubKeys = lib.lists.foldl ( + sshPubKeys: adminConfig: + sshPubKeys + ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ]) + ) [ ] (lib.attrsets.attrValues admins); robots.sshPubKeys = lib.attrsets.attrValues robots; }; }; diff --git a/modules/core/default.nix b/modules/core/default.nix index 64d4c76..f0914fd 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -54,9 +54,5 @@ }; time.timeZone = "Etc/UTC"; - - home-manager.users.${config.pub-solar-os.authentication.username} = { - home.stateVersion = "23.05"; - }; }; } diff --git a/modules/core/terminal-tooling.nix b/modules/core/terminal-tooling.nix index 823898a..dd0a82f 100644 --- a/modules/core/terminal-tooling.nix +++ b/modules/core/terminal-tooling.nix @@ -1,19 +1,27 @@ -{ flake, config, ... }: +{ flake, lib, ... }: { - home-manager.users.${config.pub-solar-os.authentication.username} = { - programs.git.enable = true; - programs.starship.enable = true; - programs.bash.enable = true; - programs.neovim = { - enable = true; - vimAlias = true; - viAlias = true; - defaultEditor = true; - # configure = { - # packages.myVimPackages = with pkgs.vimPlugins; { - # start = [vim-nix vim-surrund rainbow]; - # }; - # }; - }; - }; + home-manager.users = ( + lib.attrsets.foldlAttrs ( + acc: name: value: + acc + // { + ${name} = { + programs.git.enable = true; + programs.starship.enable = true; + programs.bash.enable = true; + programs.neovim = { + enable = true; + vimAlias = true; + viAlias = true; + defaultEditor = true; + # configure = { + # packages.myVimPackages = with pkgs.vimPlugins; { + # start = [vim-nix vim-surrund rainbow]; + # }; + # }; + }; + }; + } + ) { } flake.self.logins.admins + ); } diff --git a/modules/core/users.nix b/modules/core/users.nix index f296c85..d3a1cfc 100644 --- a/modules/core/users.nix +++ b/modules/core/users.nix @@ -50,7 +50,7 @@ ) { } flake.self.logins.admins) // { # TODO: Remove when we stop locking ourselves out. - root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; + root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys; root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword; ${config.pub-solar-os.authentication.robot.username} = { @@ -65,6 +65,18 @@ }; }; + home-manager.users = ( + lib.attrsets.foldlAttrs ( + acc: name: value: + acc + // { + ${name} = { + home.stateVersion = "23.05"; + }; + } + ) { } flake.self.logins.admins + ); + users.groups = (lib.attrsets.foldlAttrs ( acc: name: value: diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix index 0952188..fd8c547 100644 --- a/modules/unlock-luks-on-boot/default.nix +++ b/modules/unlock-luks-on-boot/default.nix @@ -10,7 +10,7 @@ # Please create this manually the first time. hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; + authorizedKeys = flake.self.logins.sshPubKeys; }; postCommands = '' # Automatically ask for the password on SSH login diff --git a/modules/unlock-zfs-on-boot/default.nix b/modules/unlock-zfs-on-boot/default.nix index 2e68b39..586f944 100644 --- a/modules/unlock-zfs-on-boot/default.nix +++ b/modules/unlock-zfs-on-boot/default.nix @@ -11,7 +11,7 @@ # Please create this manually the first time. hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; - authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; + authorizedKeys = flake.self.logins.sshPubKeys; }; # this will automatically load the zfs password prompt on login # and kill the other prompt so boot can continue diff --git a/tests/keycloak.nix b/tests/keycloak.nix index 5e735fd..59b085a 100644 --- a/tests/keycloak.nix +++ b/tests/keycloak.nix @@ -66,7 +66,7 @@ in testScript = { nodes, ... }: let - user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username}; + user = nodes.client.users.users.b12f; #uid = toString user.uid; bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus"; gdbus = "${bus} gdbus"; diff --git a/tests/support/client.nix b/tests/support/client.nix index 41e97f0..c34c847 100644 --- a/tests/support/client.nix +++ b/tests/support/client.nix @@ -11,7 +11,7 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; services.xserver.displayManager.autoLogin.enable = true; - services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username; + services.xserver.displayManager.autoLogin.user = "b12f"; systemd.user.services = { "org.gnome.Shell@wayland" = {