auth: add user for each administrator #261

Merged
teutat3s merged 7 commits from per-admin-user into main 2024-11-28 16:16:35 +00:00
2 changed files with 39 additions and 50 deletions
Showing only changes of commit 5366d07d44 - Show all commits

View file

@ -6,18 +6,11 @@ in
{
flake = {
logins = {
admins =
admins = admins;
wireguardDevices =
lib.lists.foldl
(logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices =
logins.wireguardDevices
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
})
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
(wireguardDevices: adminConfig: wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]))
[ ]
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots;
};

View file

@ -11,18 +11,6 @@
inherit (lib) mkOption types;
in
{
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption {
description = "Hashed password of the root account";
type = types.str;
@ -43,36 +31,44 @@
};
config = {
users.users.${config.pub-solar-os.authentication.username} = {
name = config.pub-solar-os.authentication.username;
group = config.pub-solar-os.authentication.username;
extraGroups = [
"wheel"
"docker"
];
isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
};
users.groups.${config.pub-solar-os.authentication.username} = { };
users.users = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { ${name} = {
name = name;
group = name;
extraGroups = [
"wheel"
"docker"
];
isNormalUser = true;
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
};
})
{ }
flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
# TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
users.users.${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true;
useDefaultShell = true;
uid = 998;
group = "${config.pub-solar-os.authentication.robot.username}";
isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true;
useDefaultShell = true;
uid = 998;
group = "${config.pub-solar-os.authentication.robot.username}";
isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
};
};
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
users.users.root.initialHashedPassword =
config.pub-solar-os.authentication.root.initialHashedPassword;
users.groups = (lib.attrsets.foldlAttrs
(acc: name: value: acc // { "${name}" = { }; })
{ }
flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false;
};