auth: add user for each administrator #261

Merged
teutat3s merged 7 commits from per-admin-user into main 2024-11-28 16:16:35 +00:00
Owner

After this has been tested successfully, root SSH login can be disabled.

The advantages of having a user for each administrator:

  • Better security analysis: who executed what command, who
    touched which file, who used sudo at which time.
  • Possibility of granular access, e.g. person X is only allowed to
    manage service Y
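The two advantages above, as an added illustrative NixOS module that is not code from pub-solar/infra: one account per administrator with that person's SSH keys, root SSH login disabled, and sudo scoped to a single service for some people. The `admins` attribute set, its `sshPubKeys` and `manages` fields, the user names and the key strings are constructed assumptions.

```nix
# Added example (not the project's own module): one UNIX user per administrator.
{ lib, ... }:
let
  # Constructed sample administrators; attribute names become the UNIX user names.
  admins = {
    alice = {
      sshPubKeys = [ "ssh-ed25519 AAAA...alice-key-placeholder" ];
      # Hypothetical: alice is only allowed to manage the nginx service.
      manages = [ "nginx" ];
    };
    bob = {
      sshPubKeys = [ "ssh-ed25519 AAAA...bob-key-placeholder" ];
      manages = [ ];  # empty list = full administrator via the wheel group
    };
  };
in
{
  # Every admin logs in as themselves, so sudo/journal/audit entries carry a
  # real user name instead of "root".
  users.users = lib.mapAttrs (name: admin: {
    isNormalUser = true;
    extraGroups = lib.optional (admin.manages == [ ]) "wheel";
    openssh.authorizedKeys.keys = admin.sshPubKeys;
  }) admins;

  # With per-admin accounts in place, root no longer needs to log in over SSH.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  # Granular access: admins with a non-empty `manages` list may only restart
  # those units, and nothing else, through sudo.
  security.sudo.extraRules = lib.concatLists (lib.mapAttrsToList (name: admin:
    lib.optional (admin.manages != [ ]) {
      users = [ name ];
      commands = map (svc: {
        command = "/run/current-system/sw/bin/systemctl restart ${svc}.service";
        options = [ "NOPASSWD" ];
      }) admin.manages;
    }) admins);
}
```

Members of `wheel` still need a password (e.g. `hashedPassword`) for the sudo prompt; the service-scoped rules use `NOPASSWD` because the allowed command is already pinned to one unit.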
b12f added 1 commit 2024-11-12 19:27:24 +00:00
auth: add user for each administrator
Some checks failed
Flake checks / Check (pull_request) Failing after 25s
daf2a34274
b12f added 1 commit 2024-11-12 19:30:16 +00:00
style: run nix fmt
Some checks failed
Flake checks / Check (pull_request) Failing after 38s
656211888b
b12f added 1 commit 2024-11-12 19:32:15 +00:00
hosts: use correct wireguardDevices option
Some checks failed
Flake checks / Check (pull_request) Failing after 36s
b5ed810f11
b12f added 1 commit 2024-11-12 20:05:11 +00:00
auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
Some checks failed
Flake checks / Check (pull_request) Failing after 22s
c96644b6c5
b12f force-pushed per-admin-user from c96644b6c5 to 5103e40624 2024-11-12 20:06:40 +00:00 Compare
Owner

We can use `underground` for testing this branch.
teutat3s reviewed 2024-11-13 09:27:28 +00:00
teutat3s left a comment
Owner

Thanks for getting this started. As part of this PR, I'd like to see docs updated, too.
Owner

Tested on underground, new user accounts work fine. Last thing left to test:

  • WireGuard with OpenSSH Port open on public interface as a fallback
teutat3s requested review from teutat3s 2024-11-13 20:21:46 +00:00
Owner

One thing we're still missing here is handling the `deploy-rs` SSH `username` in `flake.nix`.
teutat3s approved these changes 2024-11-14 09:28:17 +00:00
Dismissed
teutat3s left a comment
Owner

Tested `wireguard` still works with this change on one host, `blue-shell` I believe.
Owner

I'd still like to fix the docs, but that can be in a follow-up PR.
teutat3s requested review from hensoko 2024-11-14 09:29:20 +00:00
teutat3s requested review from axeman 2024-11-14 09:29:20 +00:00
teutat3s force-pushed per-admin-user from 5103e40624 to eb63779bb6 2024-11-20 15:50:27 +00:00 Compare
teutat3s added 3 commits 2024-11-26 16:59:21 +00:00
teutat3s dismissed teutat3s's review 2024-11-26 16:59:21 +00:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

axeman approved these changes 2024-11-28 05:55:25 +00:00
Owner

`nix flake check` passes locally. This is good to go 🚢
teutat3s merged commit 3e32bfe106 into main 2024-11-28 16:16:35 +00:00
teutat3s deleted branch per-admin-user 2024-11-28 16:16:35 +00:00
Reference: pub-solar/infra#261