auth: use all sshPubKeys for disk unlock, fix tests, fix hm config

hosts: use correct wireguardDevices option
style: run nix fmt
2024-11-12 21:06:32 +01:00 · 2024-11-12 20:32:00 +01:00 · 2024-11-12 20:30:03 +01:00 · 2024-11-12 20:22:25 +01:00
14 changed files with 96 additions and 83 deletions
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/metronom/wireguard.nix
+++ b/hosts/metronom/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:3::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:1::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # tankstelle.pub.solar
          endpoint = "80.244.242.5:51820";
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:4::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/logins/default.nix
+++ b/logins/default.nix
@ -6,19 +6,16 @@ in
 {
  flake = {
    logins = {
-      admins =
+      admins = admins;
-        lib.lists.foldl
+      wireguardDevices = lib.lists.foldl (
-          (logins: adminConfig: {
+        wireguardDevices: adminConfig:
-            sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
+        wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
-            wireguardDevices =
+      ) [ ] (lib.attrsets.attrValues admins);
-              logins.wireguardDevices
+      sshPubKeys = lib.lists.foldl (
-              ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
+        sshPubKeys: adminConfig:
-          })
+        sshPubKeys
-          {
+        ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
-            sshPubKeys = [ ];
+      ) [ ] (lib.attrsets.attrValues admins);
            wireguardDevices = [ ];
          }
          (lib.attrsets.attrValues admins);
      robots.sshPubKeys = lib.attrsets.attrValues robots;
    };
  };
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -54,9 +54,5 @@
    };
    time.timeZone = "Etc/UTC";
    home-manager.users.${config.pub-solar-os.authentication.username} = {
      home.stateVersion = "23.05";
    };
  };
 }
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
-  home-manager.users.${config.pub-solar-os.authentication.username} = {
+  home-manager.users = (
-    programs.git.enable = true;
+    lib.attrsets.foldlAttrs (
-    programs.starship.enable = true;
+      acc: name: value:
-    programs.bash.enable = true;
+      acc
-    programs.neovim = {
+      // {
-      enable = true;
+        ${name} = {
-      vimAlias = true;
+          programs.git.enable = true;
-      viAlias = true;
+          programs.starship.enable = true;
-      defaultEditor = true;
+          programs.bash.enable = true;
-      # configure = {
+          programs.neovim = {
-      #   packages.myVimPackages = with pkgs.vimPlugins; {
+            enable = true;
-      #     start = [vim-nix vim-surrund rainbow];
+            vimAlias = true;
-      #   };
+            viAlias = true;
-      # };
+            defaultEditor = true;
-    };
+            # configure = {
-  };
+            #   packages.myVimPackages = with pkgs.vimPlugins; {
            #     start = [vim-nix vim-surrund rainbow];
            #   };
            # };
          };
        };
      }
    ) { } flake.self.logins.admins
  );
 }
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@ -11,18 +11,6 @@
      inherit (lib) mkOption types;
    in
    {
      username = mkOption {
        description = "Username for the adminstrative user";
        type = types.str;
        default = flake.self.username;
      };
      sshPubKeys = mkOption {
        description = "SSH Keys that should have administrative root access";
        type = types.listOf types.str;
        default = flake.self.logins.admins.sshPubKeys;
      };
      root.initialHashedPassword = mkOption {
        description = "Hashed password of the root account";
        type = types.str;
@ -43,36 +31,60 @@
    };
  config = {
-    users.users.${config.pub-solar-os.authentication.username} = {
+    users.users =
-      name = config.pub-solar-os.authentication.username;
+      (lib.attrsets.foldlAttrs (
-      group = config.pub-solar-os.authentication.username;
+        acc: name: value:
-      extraGroups = [
+        acc
-        "wheel"
+        // {
-        "docker"
+          ${name} = {
-      ];
+            name = name;
-      isNormalUser = true;
+            group = name;
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+            extraGroups = [
-    };
+              "wheel"
-    users.groups.${config.pub-solar-os.authentication.username} = { };
+              "docker"
            ];
            isNormalUser = true;
            openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
          };
        }
      ) { } flake.self.logins.admins)
      // {
        # TODO: Remove when we stop locking ourselves out.
        root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
        root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
-    # TODO: Remove when we stop locking ourselves out.
+        ${config.pub-solar-os.authentication.robot.username} = {
-    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+          description = "CI and automation user";
          home = "/home/${config.pub-solar-os.authentication.robot.username}";
          createHome = true;
          useDefaultShell = true;
          uid = 998;
          group = "${config.pub-solar-os.authentication.robot.username}";
          isSystemUser = true;
          openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
        };
      };
-    users.users.${config.pub-solar-os.authentication.robot.username} = {
+    home-manager.users = (
-      description = "CI and automation user";
+      lib.attrsets.foldlAttrs (
-      home = "/home/${config.pub-solar-os.authentication.robot.username}";
+        acc: name: value:
-      createHome = true;
+        acc
-      useDefaultShell = true;
+        // {
-      uid = 998;
+          ${name} = {
-      group = "${config.pub-solar-os.authentication.robot.username}";
+            home.stateVersion = "23.05";
-      isSystemUser = true;
+          };
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+        }
-    };
+      ) { } flake.self.logins.admins
    );
-    users.groups.${config.pub-solar-os.authentication.robot.username} = { };
+    users.groups =
-
+      (lib.attrsets.foldlAttrs (
-    users.users.root.initialHashedPassword =
+        acc: name: value:
-      config.pub-solar-os.authentication.root.initialHashedPassword;
+        acc // { "${name}" = { }; }
      ) { } flake.self.logins.admins)
      // {
        ${config.pub-solar-os.authentication.robot.username} = { };
      };
    security.sudo.wheelNeedsPassword = false;
  };
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
@ -10,7 +10,7 @@
      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
    };
    postCommands = ''
      # Automatically ask for the password on SSH login
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@ -11,7 +11,7 @@
      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
    };
    # this will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@ -66,7 +66,7 @@ in
  testScript =
    { nodes, ... }:
    let
-      user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+      user = nodes.client.users.users.b12f;
      #uid = toString user.uid;
      bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
      gdbus = "${bus} gdbus";
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@ -11,7 +11,7 @@
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.displayManager.autoLogin.enable = true;
-  services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+  services.xserver.displayManager.autoLogin.user = "b12f";
  systemd.user.services = {
    "org.gnome.Shell@wayland" = {
Author	SHA1	Message	Date
b12f	5103e40624	auth: use all sshPubKeys for disk unlock, fix tests, fix hm config All checks were successful Flake checks / Check (pull_request) Successful in 28m19s Details	2024-11-12 21:06:32 +01:00
b12f	b5ed810f11	hosts: use correct wireguardDevices option Some checks failed Flake checks / Check (pull_request) Failing after 36s Details	2024-11-12 20:32:00 +01:00
b12f	656211888b	style: run nix fmt Some checks failed Flake checks / Check (pull_request) Failing after 38s Details	2024-11-12 20:30:03 +01:00
b12f	daf2a34274	auth: add user for each administrator Some checks failed Flake checks / Check (pull_request) Failing after 25s Details After this has been tested successfully, root SSH login can be disabled. The advantages of having a user for each adminstrator: * Better security analysis: who issued executed what command, who touched which file, who used sudo at which time. * Possibility of granular access, e.g. person X is only allowed to manage service Y	2024-11-12 20:22:25 +01:00