From 5366d07d44f7622d0188a74a9b745fa545e9d4b1 Mon Sep 17 00:00:00 2001
From: b12f
Date: Tue, 12 Nov 2024 20:22:25 +0100
Subject: [PATCH 1/4] auth: add user for each administrator
After this has been tested successfully, root SSH login can be disabled. The advantages of having a user for each adminstrator:
* Better security analysis: who issued executed what command, who touched which file, who used sudo at which time.
* Possibility of granular access, e.g. person X is only allowed to manage service Y
---
 logins/default.nix | 15 +++------
 modules/core/users.nix | 74 ++++++++++++++++++++----------------------
 2 files changed, 39 insertions(+), 50 deletions(-)
diff --git a/logins/default.nix b/logins/default.nix
index cf81ff4..65de0a7 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -6,18 +6,11 @@ in
 {
 flake = {
 logins = {
- admins =
+ admins = admins;
+ wireguardDevices =
 lib.lists.foldl
- (logins: adminConfig: {
- sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
- wireguardDevices =
- logins.wireguardDevices
- ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
- })
- {
- sshPubKeys = [ ];
- wireguardDevices = [ ];
- }
+ (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
+ [ ]
 (lib.attrsets.attrValues admins);
 robots.sshPubKeys = lib.attrsets.attrValues robots;
 };
diff --git a/modules/core/users.nix b/modules/core/users.nix
index 5ff7945..b0b4357 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
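Review bot: Replacing the aggregated record with `admins = admins;` removes the `sshPubKeys` list that this same commit still reads in `modules/core/users.nix` (`root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;`, whose option — defaulting to `flake.self.logins.admins.sshPubKeys` — is deleted in the next hunk), and `modules/core/default.nix`, `modules/core/terminal-tooling.nix`, both `unlock-*-on-boot` modules and the tests keep using the removed `username`/`sshPubKeys` options until PATCH 4/4. Patches 1/4 through 3/4 therefore do not evaluate on their own, which breaks bisecting. Either keep a `sshPubKeys` aggregate in this commit (4/4 adds one back) or squash the series so every commit builds.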
@@ -11,18 +11,6 @@
 inherit (lib) mkOption types;
 in
 {
- username = mkOption {
- description = "Username for the adminstrative user";
- type = types.str;
- default = flake.self.username;
- };
-
- sshPubKeys = mkOption {
- description = "SSH Keys that should have administrative root access";
- type = types.listOf types.str;
- default = flake.self.logins.admins.sshPubKeys;
- };
-
 root.initialHashedPassword = mkOption {
 description = "Hashed password of the root account";
 type = types.str;
@@ -43,36 +31,44 @@
 };
 config = {
- users.users.${config.pub-solar-os.authentication.username} = {
- name = config.pub-solar-os.authentication.username;
- group = config.pub-solar-os.authentication.username;
- extraGroups = [
- "wheel"
- "docker"
- ];
- isNormalUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
- };
- users.groups.${config.pub-solar-os.authentication.username} = { };
+ users.users = (lib.attrsets.foldlAttrs
+ (acc: name: value: acc // { ${name} = {
+ name = name;
+ group = name;
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+ };
+ })
+ { }
+ flake.self.logins.admins)
+ // {
+ # TODO: Remove when we stop locking ourselves out.
+ root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
- # TODO: Remove when we stop locking ourselves out.
- users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
-
- users.users.${config.pub-solar-os.authentication.robot.username} = {
- description = "CI and automation user";
- home = "/home/${config.pub-solar-os.authentication.robot.username}";
- createHome = true;
- useDefaultShell = true;
- uid = 998;
- group = "${config.pub-solar-os.authentication.robot.username}";
- isSystemUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+ ${config.pub-solar-os.authentication.robot.username} = {
+ description = "CI and automation user";
+ home = "/home/${config.pub-solar-os.authentication.robot.username}";
+ createHome = true;
+ useDefaultShell = true;
+ uid = 998;
+ group = "${config.pub-solar-os.authentication.robot.username}";
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+ };
 };
- users.groups.${config.pub-solar-os.authentication.robot.username} = { };
-
- users.users.root.initialHashedPassword =
- config.pub-solar-os.authentication.root.initialHashedPassword;
+ users.groups = (lib.attrsets.foldlAttrs
+ (acc: name: value: acc // { "${name}" = { }; })
+ { }
+ flake.self.logins.admins)
+ // {
+ ${config.pub-solar-os.authentication.robot.username} = { };
+ };
 security.sudo.wheelNeedsPassword = false;
 };
-- 
2.44.2
From 2b72d9a5a8a3f716cfd485fe1f48f1c82a11ad3e Mon Sep 17 00:00:00 2001
From: b12f
Date: Tue, 12 Nov 2024 20:30:03 +0100
Subject: [PATCH 2/4] style: run nix fmt
---
 logins/default.nix | 9 +++---
 modules/core/users.nix | 70 ++++++++++++++++++++++--------------------
 2 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/logins/default.nix b/logins/default.nix
index 65de0a7..dfd2775 100644
--- a/logins/default.nix
+++ b/logins/default.nix
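Review bot: Every generated admin account gets `extraGroups = [ "wheel" "docker" ]`, and with the `security.sudo.wheelNeedsPassword = false;` context line at the end of the hunk that makes each per-person user root-equivalent from day one (membership in the docker group alone is equivalent to root on the host), which is at odds with the granular-access goal stated in the commit message. Consider taking the group list from the admin record so docker and service-specific groups are opt-in per person, e.g. `extraGroups = [ "wheel" ] ++ (value.extraGroups or [ ]);`, and documenting on the `extraGroups` line that `docker` implies root. The fold `acc // { ${name} = … }` over `flake.self.logins.admins` is also just `lib.mapAttrs (name: value: { … })`, which would remove one level of nesting here and in the `users.groups` fold below.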
@@ -7,11 +7,10 @@ in
 flake = {
 logins = {
 admins = admins;
- wireguardDevices =
- lib.lists.foldl
- (wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
- [ ]
- (lib.attrsets.attrValues admins);
+ wireguardDevices = lib.lists.foldl (
+ wireguardDevices: adminConfig:
+ wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
+ ) [ ] (lib.attrsets.attrValues admins);
 robots.sshPubKeys = lib.attrsets.attrValues robots;
 };
 };
diff --git a/modules/core/users.nix b/modules/core/users.nix
index b0b4357..f296c85 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -31,42 +31,46 @@
 };
 config = {
- users.users = (lib.attrsets.foldlAttrs
- (acc: name: value: acc // { ${name} = {
- name = name;
- group = name;
- extraGroups = [
- "wheel"
- "docker"
- ];
- isNormalUser = true;
- openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+ users.users =
+ (lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ name = name;
+ group = name;
+ extraGroups = [
+ "wheel"
+ "docker"
+ ];
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+ };
+ }
+ ) { } flake.self.logins.admins)
+ // {
+ # TODO: Remove when we stop locking ourselves out.
+ root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
+
+ ${config.pub-solar-os.authentication.robot.username} = {
+ description = "CI and automation user";
+ home = "/home/${config.pub-solar-os.authentication.robot.username}";
+ createHome = true;
+ useDefaultShell = true;
+ uid = 998;
+ group = "${config.pub-solar-os.authentication.robot.username}";
+ isSystemUser = true;
+ openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
 };
- })
- { }
- flake.self.logins.admins)
- // {
- # TODO: Remove when we stop locking ourselves out.
- root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
- root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
-
- ${config.pub-solar-os.authentication.robot.username} = {
- description = "CI and automation user";
- home = "/home/${config.pub-solar-os.authentication.robot.username}";
- createHome = true;
- useDefaultShell = true;
- uid = 998;
- group = "${config.pub-solar-os.authentication.robot.username}";
- isSystemUser = true;
- openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
 };
- };
- users.groups = (lib.attrsets.foldlAttrs
- (acc: name: value: acc // { "${name}" = { }; })
- { }
- flake.self.logins.admins)
- // {
+ users.groups =
+ (lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc // { "${name}" = { }; }
+ ) { } flake.self.logins.admins)
+ // {
 ${config.pub-solar-os.authentication.robot.username} = { };
 };
-- 
2.44.2
From acc537decd054be041b601f85f198afff1c843d2 Mon Sep 17 00:00:00 2001
From: b12f
Date: Tue, 12 Nov 2024 20:32:00 +0100
Subject: [PATCH 3/4] hosts: use correct wireguardDevices option
---
 hosts/blue-shell/wireguard.nix | 2 +-
 hosts/delite/wireguard.nix | 2 +-
 hosts/metronom/wireguard.nix | 2 +-
 hosts/nachtigall/wireguard.nix | 2 +-
 hosts/tankstelle/wireguard.nix | 2 +-
 hosts/trinkgenossin/wireguard.nix | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/hosts/blue-shell/wireguard.nix b/hosts/blue-shell/wireguard.nix
index 34eff77..8da6c9d 100644
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # trinkgenossin.pub.solar
 publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
diff --git a/hosts/delite/wireguard.nix b/hosts/delite/wireguard.nix
index 9756855..2c5e1a3 100644
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # trinkgenossin.pub.solar
 publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
diff --git a/hosts/metronom/wireguard.nix b/hosts/metronom/wireguard.nix
index 5591d38..51362d2 100644
--- a/hosts/metronom/wireguard.nix
+++ b/hosts/metronom/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:3::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
diff --git a/hosts/nachtigall/wireguard.nix b/hosts/nachtigall/wireguard.nix
index 0d40a24..7e9961e 100644
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:1::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # tankstelle.pub.solar
 endpoint = "80.244.242.5:51820";
diff --git a/hosts/tankstelle/wireguard.nix b/hosts/tankstelle/wireguard.nix
index f771ecd..0222a4b 100644
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@@ -18,7 +18,7 @@
 "fd00:fae:fae:fae:fae:4::/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
diff --git a/hosts/trinkgenossin/wireguard.nix b/hosts/trinkgenossin/wireguard.nix
index 2cf52af..e879c5b 100644
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@@ -22,7 +22,7 @@ in
 "${wireguardIPv6}/96"
 ];
 privateKeyFile = config.age.secrets.wg-private-key.path;
- peers = flake.self.logins.admins.wireguardDevices ++ [
+ peers = flake.self.logins.wireguardDevices ++ [
 {
 # nachtigall.pub.solar
 endpoint = "138.201.80.102:51820";
-- 
2.44.2
From eb63779bb68f14b07eb42b57d97acd993295da9c Mon Sep 17 00:00:00 2001
From: b12f
Date: Tue, 12 Nov 2024 21:04:44 +0100
Subject: [PATCH 4/4] auth: use all sshPubKeys for disk unlock, fix tests, fix hm config
---
 logins/default.nix | 5 +++
 modules/core/default.nix | 4 ---
 modules/core/terminal-tooling.nix | 42 +++++++++++++++----------
 modules/core/users.nix | 14 ++++++++-
 modules/unlock-luks-on-boot/default.nix | 2 +-
 modules/unlock-zfs-on-boot/default.nix | 2 +-
 tests/keycloak.nix | 2 +-
 tests/support/client.nix | 2 +-
 8 files changed, 47 insertions(+), 26 deletions(-)
diff --git a/logins/default.nix b/logins/default.nix
index dfd2775..0493ca8 100644
--- a/logins/default.nix
+++ b/logins/default.nix
@@ -11,6 +11,11 @@ in
 wireguardDevices: adminConfig:
 wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
 ) [ ] (lib.attrsets.attrValues admins);
+ sshPubKeys = lib.lists.foldl (
+ sshPubKeys: adminConfig:
+ sshPubKeys
+ ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
+ ) [ ] (lib.attrsets.attrValues admins);
 robots.sshPubKeys = lib.attrsets.attrValues robots;
 };
 };
diff --git a/modules/core/default.nix b/modules/core/default.nix
index 64d4c76..f0914fd 100644
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -54,9 +54,5 @@
 };
 time.timeZone = "Etc/UTC";
-
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- home.stateVersion = "23.05";
- };
 };
 }
diff --git a/modules/core/terminal-tooling.nix b/modules/core/terminal-tooling.nix
index 823898a..dd0a82f 100644
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
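Review bot: The new `sshPubKeys` fold tolerates an admin record without `sshPubKeys` (`adminConfig ? "sshPubKeys"`), but `modules/core/users.nix` still evaluates `lib.attrsets.attrValues value.sshPubKeys` unguarded for the same records, so such an entry silently contributes nothing to the root and initrd keys here while failing evaluation there; make the attribute required in both places or optional in both. Because this list now becomes `authorizedKeys` for the pre-boot unlock shells and root's authorized keys, a key listed under two admins ends up twice in the generated file; `lib.lists.unique` on the result keeps it minimal. The whole expression reads more directly as `sshPubKeys = lib.lists.unique (lib.concatMap (a: lib.attrValues (a.sshPubKeys or { })) (lib.attrValues admins));`.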
@@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
- home-manager.users.${config.pub-solar-os.authentication.username} = {
- programs.git.enable = true;
- programs.starship.enable = true;
- programs.bash.enable = true;
- programs.neovim = {
- enable = true;
- vimAlias = true;
- viAlias = true;
- defaultEditor = true;
- # configure = {
- # packages.myVimPackages = with pkgs.vimPlugins; {
- # start = [vim-nix vim-surrund rainbow];
- # };
- # };
- };
- };
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ programs.git.enable = true;
+ programs.starship.enable = true;
+ programs.bash.enable = true;
+ programs.neovim = {
+ enable = true;
+ vimAlias = true;
+ viAlias = true;
+ defaultEditor = true;
+ # configure = {
+ # packages.myVimPackages = with pkgs.vimPlugins; {
+ # start = [vim-nix vim-surrund rainbow];
+ # };
+ # };
+ };
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
 }
diff --git a/modules/core/users.nix b/modules/core/users.nix
index f296c85..d3a1cfc 100644
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@@ -50,7 +50,7 @@
 ) { } flake.self.logins.admins)
 // {
 # TODO: Remove when we stop locking ourselves out.
- root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+ root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
 root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
 ${config.pub-solar-os.authentication.robot.username} = {
@@ -65,6 +65,18 @@
 };
 };
+ home-manager.users = (
+ lib.attrsets.foldlAttrs (
+ acc: name: value:
+ acc
+ // {
+ ${name} = {
+ home.stateVersion = "23.05";
+ };
+ }
+ ) { } flake.self.logins.admins
+ );
+
 users.groups =
 (lib.attrsets.foldlAttrs (
 acc: name: value:
diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix
index 0952188..fd8c547 100644
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
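Review bot: The `foldlAttrs` with `acc // { ${name} = … }` never uses `value` and is exactly `lib.mapAttrs`; `home-manager.users = lib.mapAttrs (_: _: { programs.git.enable = true; … }) flake.self.logins.admins;` expresses the same with three fewer nesting levels, and the same shape appears in this commit's `home-manager.users` hunk in `modules/core/users.nix`. A one-line comment above the attribute, `# One home-manager profile per administrator declared in logins/default.nix`, would tell a reader where the set of users comes from, since nothing in this file names it. The commented-out `configure` block is carried over verbatim; either delete it or turn it into a tracked TODO.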
@@ -10,7 +10,7 @@
 # Please create this manually the first time.
 hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
 };
 postCommands = ''
 # Automatically ask for the password on SSH login
diff --git a/modules/unlock-zfs-on-boot/default.nix b/modules/unlock-zfs-on-boot/default.nix
index 2e68b39..586f944 100644
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@@ -11,7 +11,7 @@
 # Please create this manually the first time.
 hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
- authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+ authorizedKeys = flake.self.logins.sshPubKeys;
 };
 # this will automatically load the zfs password prompt on login
 # and kill the other prompt so boot can continue
diff --git a/tests/keycloak.nix b/tests/keycloak.nix
index 5e735fd..59b085a 100644
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@@ -66,7 +66,7 @@ in
 testScript = { nodes, ... }: let
- user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+ user = nodes.client.users.users.b12f;
 #uid = toString user.uid;
 bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
 gdbus = "${bus} gdbus";
diff --git a/tests/support/client.nix b/tests/support/client.nix
index 41e97f0..c34c847 100644
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@@ -11,7 +11,7 @@
 services.xserver.displayManager.gdm.enable = true;
 services.xserver.desktopManager.gnome.enable = true;
 services.xserver.displayManager.autoLogin.enable = true;
- services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+ services.xserver.displayManager.autoLogin.user = "b12f";
 systemd.user.services = {
 "org.gnome.Shell@wayland" = {
-- 
2.44.2
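Review bot: `authorizedKeys = flake.self.logins.sshPubKeys;` needs `flake` in this module's argument set, and the hunk does not show the header of `modules/unlock-luks-on-boot/default.nix` (the same applies to the `modules/unlock-zfs-on-boot/default.nix` hunk); if those headers only destructure `{ config, ... }` the change fails to evaluate, and if `config` is no longer referenced there the argument should be dropped so the header stays honest. Since the initrd SSH shell is reachable before the disks are unlocked, it is worth stating on this line that the list is now every key of every administrator, e.g. `# Every key of every admin in logins/default.nix may unlock the disks; keep that list tight.`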
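Review bot: `nodes.client.users.users.b12f` hard-codes one administrator's login into the test, and `tests/support/client.nix` autologs that same literal name, so the test breaks as soon as that admin is removed from `logins/` and no longer exercises "an admin user" generically. Derive the name from the same source the module uses, e.g. `user = nodes.client.users.users.${builtins.head (builtins.attrNames flake.self.logins.admins)};` (assuming `flake` is reachable in the test, which the hunk does not show), or declare a dedicated test account in `tests/support/client.nix` and reference it from both places. The enclosing `testScript` let-block continues outside the hunk.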