diff --git a/hosts/blue-shell/wireguard.nix b/hosts/blue-shell/wireguard.nix
index 34eff77..8da6c9d 100644
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # trinkgenossin.pub.solar
 publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
diff --git a/hosts/delite/wireguard.nix b/hosts/delite/wireguard.nix
index 9756855..2c5e1a3 100644
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # trinkgenossin.pub.solar
 publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
diff --git a/hosts/metronom/wireguard.nix b/hosts/metronom/wireguard.nix
index 5591d38..51362d2 100644
--- a/hosts/metronom/wireguard.nix
+++ b/hosts/metronom/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:3::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
diff --git a/hosts/nachtigall/wireguard.nix b/hosts/nachtigall/wireguard.nix
index 0d40a24..7e9961e 100644
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:1::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # tankstelle.pub.solar
 endpoint = "80.244.242.5:51820";
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
index f771ecd..0222a4b 100644
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:4::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
diff --git a/hosts/trinkgenossin/wireguard.nix b/hosts/trinkgenossin/wireguard.nix
index 2cf52af..e879c5b 100644
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
diff --git a/logins/default.nix b/logins/default.nix
index cf81ff4..0493ca8 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -6,19 +6,16 @@ in
 {
 flake = {
 logins = {
- admins =
- lib.lists.foldl
- (logins: adminConfig: {
- sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
- wireguardDevices =
- logins.wireguardDevices
- ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
- })
- {
- sshPubKeys = [ ];
- wireguardDevices = [ ];
- }
- (lib.attrsets.attrValues admins);
+ admins = admins;
+ wireguardDevices = lib.lists.foldl (
+ wireguardDevices: adminConfig:
+ wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
+ ) [ ] (lib.attrsets.attrValues admins);
+ sshPubKeys = lib.lists.foldl (
+ sshPubKeys: adminConfig:
+ sshPubKeys
+ ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
+ ) [ ] (lib.attrsets.attrValues admins);
 robots.sshPubKeys = lib.attrsets.attrValues robots;
 };
 };
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 64d4c76..f0914fd 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
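Review bot: The two new folds in `logins/default.nix` disagree on what a missing `sshPubKeys` means: the `sshPubKeys` fold silently skips an admin entry that lacks one (`if adminConfig ? "sshPubKeys" … else [ ]`), while `modules/core/users.nix` in this same commit reads `value.sshPubKeys` unguarded and would fail evaluation. Since this list feeds root's and the initrd's `authorizedKeys`, a malformed admin entry should fail loudly rather than be tolerated, as the removed fold already did: `sshPubKeys ++ lib.attrsets.attrValues adminConfig.sshPubKeys`. Consider also wrapping both results in `lib.lists.unique` so a key listed under two admins does not appear twice in `authorized_keys`.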
@@ -54,9 +54,5 @@
 };
 time.timeZone = "Etc/UTC";
-
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- home.stateVersion = "23.05";
- };
 };
 }
diff --git a/modules/core/terminal-tooling.nix b/modules/core/terminal-tooling.nix
index 823898a..dd0a82f 100644
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- programs.git.enable = true;
- programs.starship.enable = true;
- programs.bash.enable = true;
- programs.neovim = {
- enable = true;
- vimAlias = true;
- viAlias = true;
- defaultEditor = true;
- # configure = {
- # packages.myVimPackages = with pkgs.vimPlugins; {
- # start = [vim-nix vim-surrund rainbow];
- # };
- # };
- };
- };
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ programs.git.enable = true;
+ programs.starship.enable = true;
+ programs.bash.enable = true;
+ programs.neovim = {
+ enable = true;
+ vimAlias = true;
+ viAlias = true;
+ defaultEditor = true;
+ # configure = {
+ # packages.myVimPackages = with pkgs.vimPlugins; {
+ # start = [vim-nix vim-surrund rainbow];
+ # };
+ # };
+ };
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
 }
diff --git a/modules/core/users.nix b/modules/core/users.nix
index 5ff7945..d3a1cfc 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -11,18 +11,6 @@
 inherit (lib) mkOption types;
 in
 {
- username = mkOption {
- description = "Username for the adminstrative user";
- type = types.str;
- default = flake.self.username;
- };
-
- sshPubKeys = mkOption {
- description = "SSH Keys that should have administrative root access";
- type = types.listOf types.str;
- default = flake.self.logins.admins.sshPubKeys;
- };
-
 root.initialHashedPassword = mkOption {
 description = "Hashed password of the root account";
 type = types.str;
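Review bot: The `lib.attrsets.foldlAttrs` with `acc // { ${name} = … }` in the new `home-manager.users` of `terminal-tooling.nix` is a long way of spelling `lib.mapAttrs`, and the `value` argument is never used. The same block could read `home-manager.users = lib.mapAttrs (_: _: { programs.git.enable = true; … }) flake.self.logins.admins;` with the inner attrset unchanged. The identical fold appears twice in `modules/core/users.nix` in this commit, so if the shape is changed it should be changed in all three places for consistency.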
@@ -43,36 +31,60 @@
 };
 config = {
- users.users.${config.pub-solar-os.authentication.username} = {
- name = config.pub-solar-os.authentication.username;
- group = config.pub-solar-os.authentication.username;
- extraGroups = [
- "wheel"
- "docker"
- ];
- isNormalUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
- };
- users.groups.${config.pub-solar-os.authentication.username} = { };
+ users.users =
+ (lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ name = name;
+ group = name;
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+ };
+ }
+ ) { } flake.self.logins.admins)
+ // {
+ # TODO: Remove when we stop locking ourselves out.
+ root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
+ root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
- # TODO: Remove when we stop locking ourselves out.
- users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ ${config.pub-solar-os.authentication.robot.username} = {
+ description = "CI and automation user";
+ home = "/home/${config.pub-solar-os.authentication.robot.username}";
+ createHome = true;
+ useDefaultShell = true;
+ uid = 998;
+ group = "${config.pub-solar-os.authentication.robot.username}";
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+ };
+ };
- users.users.${config.pub-solar-os.authentication.robot.username} = {
- description = "CI and automation user";
- home = "/home/${config.pub-solar-os.authentication.robot.username}";
- createHome = true;
- useDefaultShell = true;
- uid = 998;
- group = "${config.pub-solar-os.authentication.robot.username}";
- isSystemUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
- };
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ home.stateVersion = "23.05";
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
- users.groups.${config.pub-solar-os.authentication.robot.username} = { };
-
- users.users.root.initialHashedPassword =
- config.pub-solar-os.authentication.root.initialHashedPassword;
+ users.groups =
+ (lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc // { "${name}" = { }; }
+ ) { } flake.self.logins.admins)
+ // {
+ ${config.pub-solar-os.authentication.robot.username} = { };
+ };
 security.sudo.wheelNeedsPassword = false;
 };
diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix
index 0952188..fd8c547 100644
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
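Review bot: Every entry of `flake.self.logins.admins` now becomes a `wheel` + `docker` user with passwordless sudo (`security.sudo.wheelNeedsPassword = false;` is kept, and `docker` membership is root-equivalent on a stock Docker install), and the same keys are additionally placed on `root` via `root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;`, so the `admins` attrset is the entire privilege boundary and deserves a comment saying so above the fold. With a personal wheel account per admin, the root-key fallback marked `# TODO` only loses per-admin attribution in the auth log; if it stays, the TODO should name its exit condition, e.g. `# TODO: drop once every admin has confirmed login + sudo via their own user`. The `//` merges are shallow, so an admin attribute named `root` or equal to the robot username would be silently replaced by the later definition rather than rejected; an `assert !(flake.self.logins.admins ? root);` (and the same for the robot name) would make that loud. `openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;` is unguarded while `logins/default.nix` in this commit guards on `? "sshPubKeys"` — failing here is the safer behaviour, so I would align the other side rather than this one.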
@@ -10,7 +10,7 @@
 # Please create this manually the first time.
 hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
 };
 postCommands = ''
 # Automatically ask for the password on SSH login
diff --git a/modules/unlock-zfs-on-boot/default.nix b/modules/unlock-zfs-on-boot/default.nix
index 2e68b39..586f944 100644
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@@ -11,7 +11,7 @@
 # Please create this manually the first time.
 hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
 };
 # this will automatically load the zfs password prompt on login
 # and kill the other prompt so boot can continue
diff --git a/tests/keycloak.nix b/tests/keycloak.nix
index 5e735fd..59b085a 100644
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@@ -66,7 +66,7 @@ in
 testScript = { nodes, ... }:
 let
- user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+ user = nodes.client.users.users.b12f;
 #uid = toString user.uid;
 bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
 gdbus = "${bus} gdbus";
diff --git a/tests/support/client.nix b/tests/support/client.nix
index 41e97f0..c34c847 100644
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@@ -11,7 +11,7 @@
 services.xserver.displayManager.gdm.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
 services.xserver.displayManager.autoLogin.enable = true;
- services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+ services.xserver.displayManager.autoLogin.user = "b12f";
 systemd.user.services = {
 "org.gnome.Shell@wayland" = {
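Review bot: `authorizedKeys = flake.self.logins.sshPubKeys;` hard-wires the initrd SSH trust to the flake-wide admin list, and with the `pub-solar-os.authentication.sshPubKeys` option removed in `modules/core/users.nix` there is no longer a per-host way to narrow which keys may answer the LUKS passphrase prompt at boot. If that is intended, say so next to the line, e.g. `# every admin key in logins/ can unlock this host's disks at boot; there is no per-host override`; otherwise reintroduce a module option that defaults to the flake list. The same change is made in `modules/unlock-zfs-on-boot/default.nix`. This module's argument list is outside the hunk, so I cannot confirm `flake` is among its inputs.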
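Review bot: Hard-coding `"b12f"` ties this test (and `tests/keycloak.nix`, which now reads `nodes.client.users.users.b12f`) to one specific entry under `logins/`; removing or renaming that admin breaks the suite with an unrelated-looking attribute error. Deriving the name from the same source the module uses, e.g. `services.xserver.displayManager.autoLogin.user = builtins.head (builtins.attrNames flake.self.logins.admins);`, keeps the tests in step with `modules/core/users.nix` — assuming `flake` is available to the test modules, which I cannot confirm from the hunk. Alternatively add a dedicated test-only admin under `logins/` and a comment here naming it as such.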