auth: add user for each administrator #261
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# trinkgenossin.pub.solar
|
||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# trinkgenossin.pub.solar
|
||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:3::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:1::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# tankstelle.pub.solar
|
||||
endpoint = "80.244.242.5:51820";
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:4::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
|||
|
|
@ -6,19 +6,16 @@ in
|
|||
{
|
||||
flake = {
|
||||
logins = {
|
||||
admins =
|
||||
lib.lists.foldl
|
||||
(logins: adminConfig: {
|
||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
||||
wireguardDevices =
|
||||
logins.wireguardDevices
|
||||
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
|
||||
})
|
||||
{
|
||||
sshPubKeys = [ ];
|
||||
wireguardDevices = [ ];
|
||||
}
|
||||
(lib.attrsets.attrValues admins);
|
||||
admins = admins;
|
||||
wireguardDevices = lib.lists.foldl (
|
||||
wireguardDevices: adminConfig:
|
||||
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
|
||||
) [ ] (lib.attrsets.attrValues admins);
|
||||
sshPubKeys = lib.lists.foldl (
|
||||
sshPubKeys: adminConfig:
|
||||
sshPubKeys
|
||||
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
|
||||
) [ ] (lib.attrsets.attrValues admins);
|
||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -54,9 +54,5 @@
|
|||
};
|
||||
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,19 +1,27 @@
|
|||
{ flake, config, ... }:
|
||||
{ flake, lib, ... }:
|
||||
{
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
programs.git.enable = true;
|
||||
programs.starship.enable = true;
|
||||
programs.bash.enable = true;
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
vimAlias = true;
|
||||
viAlias = true;
|
||||
defaultEditor = true;
|
||||
# configure = {
|
||||
# packages.myVimPackages = with pkgs.vimPlugins; {
|
||||
# start = [vim-nix vim-surrund rainbow];
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
home-manager.users = (
|
||||
lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
programs.git.enable = true;
|
||||
programs.starship.enable = true;
|
||||
programs.bash.enable = true;
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
vimAlias = true;
|
||||
viAlias = true;
|
||||
defaultEditor = true;
|
||||
# configure = {
|
||||
# packages.myVimPackages = with pkgs.vimPlugins; {
|
||||
# start = [vim-nix vim-surrund rainbow];
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,18 +11,6 @@
|
|||
inherit (lib) mkOption types;
|
||||
in
|
||||
{
|
||||
username = mkOption {
|
||||
description = "Username for the adminstrative user";
|
||||
type = types.str;
|
||||
default = flake.self.username;
|
||||
};
|
||||
|
||||
sshPubKeys = mkOption {
|
||||
description = "SSH Keys that should have administrative root access";
|
||||
type = types.listOf types.str;
|
||||
default = flake.self.logins.admins.sshPubKeys;
|
||||
};
|
||||
|
||||
root.initialHashedPassword = mkOption {
|
||||
description = "Hashed password of the root account";
|
||||
type = types.str;
|
||||
|
|
@ -43,36 +31,60 @@
|
|||
};
|
||||
|
||||
config = {
|
||||
users.users.${config.pub-solar-os.authentication.username} = {
|
||||
name = config.pub-solar-os.authentication.username;
|
||||
group = config.pub-solar-os.authentication.username;
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
};
|
||||
users.groups.${config.pub-solar-os.authentication.username} = { };
|
||||
users.users =
|
||||
(lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
name = name;
|
||||
group = name;
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins)
|
||||
// {
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
|
||||
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
${config.pub-solar-os.authentication.robot.username} = {
|
||||
description = "CI and automation user";
|
||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||
createHome = true;
|
||||
useDefaultShell = true;
|
||||
uid = 998;
|
||||
group = "${config.pub-solar-os.authentication.robot.username}";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.${config.pub-solar-os.authentication.robot.username} = {
|
||||
description = "CI and automation user";
|
||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||
createHome = true;
|
||||
useDefaultShell = true;
|
||||
uid = 998;
|
||||
group = "${config.pub-solar-os.authentication.robot.username}";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||
};
|
||||
home-manager.users = (
|
||||
lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins
|
||||
);
|
||||
|
||||
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
|
||||
|
||||
users.users.root.initialHashedPassword =
|
||||
config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
users.groups =
|
||||
(lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc // { "${name}" = { }; }
|
||||
) { } flake.self.logins.admins)
|
||||
// {
|
||||
${config.pub-solar-os.authentication.robot.username} = { };
|
||||
};
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
# Please create this manually the first time.
|
||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||
};
|
||||
postCommands = ''
|
||||
# Automatically ask for the password on SSH login
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
# Please create this manually the first time.
|
||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||
};
|
||||
# this will automatically load the zfs password prompt on login
|
||||
# and kill the other prompt so boot can continue
|
||||
|
|
|
|||
|
|
@ -66,7 +66,7 @@ in
|
|||
testScript =
|
||||
{ nodes, ... }:
|
||||
let
|
||||
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
|
||||
user = nodes.client.users.users.b12f;
|
||||
#uid = toString user.uid;
|
||||
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
|
||||
gdbus = "${bus} gdbus";
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@
|
|||
services.xserver.displayManager.gdm.enable = true;
|
||||
services.xserver.desktopManager.gnome.enable = true;
|
||||
services.xserver.displayManager.autoLogin.enable = true;
|
||||
services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
|
||||
services.xserver.displayManager.autoLogin.user = "b12f";
|
||||
|
||||
systemd.user.services = {
|
||||
"org.gnome.Shell@wayland" = {
|
||||
|
|
|
|||
Loading…
Reference in a new issue