Compare commits

...

4 commits

Author SHA1 Message Date
b12f 5103e40624
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
All checks were successful
Flake checks / Check (pull_request) Successful in 28m19s
2024-11-12 21:06:32 +01:00
b12f b5ed810f11
hosts: use correct wireguardDevices option
Some checks failed
Flake checks / Check (pull_request) Failing after 36s
2024-11-12 20:32:00 +01:00
b12f 656211888b
style: run nix fmt
Some checks failed
Flake checks / Check (pull_request) Failing after 38s
2024-11-12 20:30:03 +01:00
b12f daf2a34274
auth: add user for each administrator
Some checks failed
Flake checks / Check (pull_request) Failing after 25s
After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each adminstrator:

* Better security analysis: who issued executed what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
2024-11-12 20:22:25 +01:00
14 changed files with 96 additions and 83 deletions

View file

@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# trinkgenossin.pub.solar # trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";

View file

@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# trinkgenossin.pub.solar # trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";

View file

@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:3::/96" "fd00:fae:fae:fae:fae:3::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";

View file

@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:1::/96" "fd00:fae:fae:fae:fae:1::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# tankstelle.pub.solar # tankstelle.pub.solar
endpoint = "80.244.242.5:51820"; endpoint = "80.244.242.5:51820";

View file

@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:4::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";

View file

@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";

View file

@ -6,19 +6,16 @@ in
{ {
flake = { flake = {
logins = { logins = {
admins = admins = admins;
lib.lists.foldl wireguardDevices = lib.lists.foldl (
(logins: adminConfig: { wireguardDevices: adminConfig:
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys); wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
wireguardDevices = ) [ ] (lib.attrsets.attrValues admins);
logins.wireguardDevices sshPubKeys = lib.lists.foldl (
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]); sshPubKeys: adminConfig:
}) sshPubKeys
{ ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
sshPubKeys = [ ]; ) [ ] (lib.attrsets.attrValues admins);
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };
}; };

View file

@ -54,9 +54,5 @@
}; };
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
home-manager.users.${config.pub-solar-os.authentication.username} = {
home.stateVersion = "23.05";
};
}; };
} }

View file

@ -1,6 +1,11 @@
{ flake, config, ... }: { flake, lib, ... }:
{ {
home-manager.users.${config.pub-solar-os.authentication.username} = { home-manager.users = (
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
programs.git.enable = true; programs.git.enable = true;
programs.starship.enable = true; programs.starship.enable = true;
programs.bash.enable = true; programs.bash.enable = true;
@ -16,4 +21,7 @@
# }; # };
}; };
}; };
}
) { } flake.self.logins.admins
);
} }

View file

@ -11,18 +11,6 @@
inherit (lib) mkOption types; inherit (lib) mkOption types;
in in
{ {
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption { root.initialHashedPassword = mkOption {
description = "Hashed password of the root account"; description = "Hashed password of the root account";
type = types.str; type = types.str;
@ -43,22 +31,29 @@
}; };
config = { config = {
users.users.${config.pub-solar-os.authentication.username} = { users.users =
name = config.pub-solar-os.authentication.username; (lib.attrsets.foldlAttrs (
group = config.pub-solar-os.authentication.username; acc: name: value:
acc
// {
${name} = {
name = name;
group = name;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker" "docker"
]; ];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
}; };
users.groups.${config.pub-solar-os.authentication.username} = { }; }
) { } flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out. # TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
users.users.${config.pub-solar-os.authentication.robot.username} = { ${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user"; description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}"; home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true; createHome = true;
@ -68,11 +63,28 @@
isSystemUser = true; isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
}; };
};
users.groups.${config.pub-solar-os.authentication.robot.username} = { }; home-manager.users = (
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
home.stateVersion = "23.05";
};
}
) { } flake.self.logins.admins
);
users.users.root.initialHashedPassword = users.groups =
config.pub-solar-os.authentication.root.initialHashedPassword; (lib.attrsets.foldlAttrs (
acc: name: value:
acc // { "${name}" = { }; }
) { } flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };

View file

@ -10,7 +10,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; authorizedKeys = flake.self.logins.sshPubKeys;
}; };
postCommands = '' postCommands = ''
# Automatically ask for the password on SSH login # Automatically ask for the password on SSH login

View file

@ -11,7 +11,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; authorizedKeys = flake.self.logins.sshPubKeys;
}; };
# this will automatically load the zfs password prompt on login # this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue # and kill the other prompt so boot can continue

View file

@ -66,7 +66,7 @@ in
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let let
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username}; user = nodes.client.users.users.b12f;
#uid = toString user.uid; #uid = toString user.uid;
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus"; bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
gdbus = "${bus} gdbus"; gdbus = "${bus} gdbus";

View file

@ -11,7 +11,7 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username; services.xserver.displayManager.autoLogin.user = "b12f";
systemd.user.services = { systemd.user.services = {
"org.gnome.Shell@wayland" = { "org.gnome.Shell@wayland" = {