auth: add user for each administrator #261

Open
b12f wants to merge 4 commits from per-admin-user into main
Owner

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each administrator:

  • Better security analysis: who issued what command, who
    touched which file, who used sudo at which time.
  • Possibility of granular access, e.g. person X is only allowed to
    manage service Y
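The two advantages above (per-person audit trail, per-person privilege) come down to a few NixOS options. The following is an added illustration, not code from pub-solar/infra or from this PR: it assumes hypothetical administrators `alice` and `bob`, placeholder SSH keys and a placeholder `service-y.service`, and it does not cover the initrd disk-unlock keys that one of the commits mentions.

```nix
# Added example (not the pub-solar/infra code): one NixOS user per
# administrator, each with their own SSH key, plus a sudo rule that limits
# one admin to a single service. Names, keys and the service are placeholders.
{ config, lib, pkgs, ... }:
let
  # Hypothetical administrators; replace the keys with real public keys.
  admins = {
    alice = {
      sshPubKeys = [ "ssh-ed25519 AAAA-placeholder-alice alice@example" ];
      fullAccess = true;
    };
    bob = {
      sshPubKeys = [ "ssh-ed25519 AAAA-placeholder-bob bob@example" ];
      fullAccess = false;
    };
  };
in
{
  # One account per person: journald, auditd and the sudo log then record
  # which person ran what, instead of a shared "root".
  users.users = lib.mapAttrs (name: admin: {
    isNormalUser = true;
    extraGroups = lib.optional admin.fullAccess "wheel";
    openssh.authorizedKeys.keys = admin.sshPubKeys;
  }) admins;

  # Full admins (wheel) authenticate to sudo with their own password,
  # so every escalation is tied to a person and logged as such.
  security.sudo.wheelNeedsPassword = true;

  # Granular access: bob may only manage the placeholder service-y.
  security.sudo.extraRules = [
    {
      users = [ "bob" ];
      commands = [
        { command = "${pkgs.systemd}/bin/systemctl restart service-y.service"; options = [ "NOPASSWD" ]; }
        { command = "${pkgs.systemd}/bin/systemctl status service-y.service";  options = [ "NOPASSWD" ]; }
        { command = "${pkgs.systemd}/bin/journalctl -u service-y.service";     options = [ "NOPASSWD" ]; }
      ];
    }
  ];

  # Once every admin has logged in with their own account, root over SSH
  # can be switched off; key-only authentication for everyone else.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
}
```

The sudo rule pins full store paths for `systemctl` and `journalctl`, so the restricted admin cannot substitute a different binary of the same name; `sudo -l` as that user is a quick way to confirm that only the listed commands are permitted before `PermitRootLogin` is flipped to `no`.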
b12f added 1 commit 2024-11-12 19:27:24 +00:00
auth: add user for each administrator
Some checks failed
Flake checks / Check (pull_request) Failing after 25s
daf2a34274
After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each administrator:

* Better security analysis: who issued what command, who
  touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to
  manage service Y
b12f added 1 commit 2024-11-12 19:30:16 +00:00
style: run nix fmt
Some checks failed
Flake checks / Check (pull_request) Failing after 38s
656211888b
b12f added 1 commit 2024-11-12 19:32:15 +00:00
hosts: use correct wireguardDevices option
Some checks failed
Flake checks / Check (pull_request) Failing after 36s
b5ed810f11
b12f added 1 commit 2024-11-12 20:05:11 +00:00
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
Some checks failed
Flake checks / Check (pull_request) Failing after 22s
c96644b6c5
b12f force-pushed per-admin-user from c96644b6c5 to 5103e40624 2024-11-12 20:06:40 +00:00
Owner

We can use `underground` for testing this branch.
teutat3s reviewed 2024-11-13 09:27:28 +00:00
teutat3s left a comment
Owner

Thanks for getting this started. As part of this PR, I'd like to see docs updated, too.
Owner

Tested on underground, new user accounts work fine. Last thing left to test:

  • WireGuard with OpenSSH Port open on public interface as a fallback
teutat3s requested review from teutat3s 2024-11-13 20:21:46 +00:00
Owner

One thing we're still missing here is handling the `deploy-rs` SSH `username` in `flake.nix`.
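For reference, this is what a deploy-rs node entry looks like once it no longer connects as root: an added example, not the project's `flake.nix`. The host name, system and the administrator name `alice` are placeholders; the `sshUser` and `user` options and the sudo behaviour are deploy-rs's own.

```nix
# Added example (not pub-solar/infra's flake.nix): a deploy-rs node that
# logs in as a per-admin account and escalates to root only for activation.
{
  inputs.deploy-rs.url = "github:serokell/deploy-rs";

  outputs = { self, nixpkgs, deploy-rs, ... }: {
    deploy.nodes.example-host = {
      hostname = "example-host.example.org";  # placeholder host

      # Account deploy-rs uses for the SSH connection. With root SSH login
      # disabled this must be a real administrator account whose key is in
      # users.users.<name>.openssh.authorizedKeys.keys.
      sshUser = "alice";

      # Account that owns the system profile. Because it differs from
      # sshUser, deploy-rs wraps activation in sudo, so alice needs a sudo
      # rule that allows it (wheel membership is sufficient).
      user = "root";

      profiles.system.path =
        deploy-rs.lib.x86_64-linux.activate.nixos
          self.nixosConfigurations.example-host;
    };
  };
}
```

If `sshUser` is left unset, deploy-rs falls back to the local username of whoever runs the deploy, which is rarely an account that exists on the host; setting it explicitly per node keeps deployments attributable to one administrator, which is the point of this PR.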
teutat3s approved these changes 2024-11-14 09:28:17 +00:00
teutat3s left a comment
Owner

Tested `wireguard` still works with this change on one host, `blue-shell` I believe.
Owner

I'd still like to fix the docs, but that can be in a follow up PR.
teutat3s requested review from hensoko 2024-11-14 09:29:20 +00:00
teutat3s requested review from axeman 2024-11-14 09:29:20 +00:00
teutat3s force-pushed per-admin-user from 5103e40624 to eb63779bb6 2024-11-20 15:50:27 +00:00
All checks were successful
Flake checks / Check (pull_request) Successful in 28m11s
Reference: pub-solar/infra#261