auth: add user for each administrator #261
|
@ -22,7 +22,7 @@ in
|
||||||
"${wireguardIPv6}/96"
|
"${wireguardIPv6}/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# trinkgenossin.pub.solar
|
# trinkgenossin.pub.solar
|
||||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||||
|
|
|
@ -22,7 +22,7 @@ in
|
||||||
"${wireguardIPv6}/96"
|
"${wireguardIPv6}/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# trinkgenossin.pub.solar
|
# trinkgenossin.pub.solar
|
||||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
"fd00:fae:fae:fae:fae:3::/96"
|
"fd00:fae:fae:fae:fae:3::/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# nachtigall.pub.solar
|
# nachtigall.pub.solar
|
||||||
endpoint = "138.201.80.102:51820";
|
endpoint = "138.201.80.102:51820";
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
"fd00:fae:fae:fae:fae:1::/96"
|
"fd00:fae:fae:fae:fae:1::/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# tankstelle.pub.solar
|
# tankstelle.pub.solar
|
||||||
endpoint = "80.244.242.5:51820";
|
endpoint = "80.244.242.5:51820";
|
||||||
|
|
|
@ -18,7 +18,7 @@
|
||||||
"fd00:fae:fae:fae:fae:4::/96"
|
"fd00:fae:fae:fae:fae:4::/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# nachtigall.pub.solar
|
# nachtigall.pub.solar
|
||||||
endpoint = "138.201.80.102:51820";
|
endpoint = "138.201.80.102:51820";
|
||||||
|
|
|
@ -22,7 +22,7 @@ in
|
||||||
"${wireguardIPv6}/96"
|
"${wireguardIPv6}/96"
|
||||||
];
|
];
|
||||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
peers = flake.self.logins.wireguardDevices ++ [
|
||||||
{
|
{
|
||||||
# nachtigall.pub.solar
|
# nachtigall.pub.solar
|
||||||
endpoint = "138.201.80.102:51820";
|
endpoint = "138.201.80.102:51820";
|
||||||
|
|
|
@ -6,19 +6,16 @@ in
|
||||||
{
|
{
|
||||||
flake = {
|
flake = {
|
||||||
logins = {
|
logins = {
|
||||||
admins =
|
admins = admins;
|
||||||
lib.lists.foldl
|
wireguardDevices = lib.lists.foldl (
|
||||||
(logins: adminConfig: {
|
wireguardDevices: adminConfig:
|
||||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
|
||||||
wireguardDevices =
|
) [ ] (lib.attrsets.attrValues admins);
|
||||||
logins.wireguardDevices
|
sshPubKeys = lib.lists.foldl (
|
||||||
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
|
sshPubKeys: adminConfig:
|
||||||
})
|
sshPubKeys
|
||||||
{
|
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
|
||||||
sshPubKeys = [ ];
|
) [ ] (lib.attrsets.attrValues admins);
|
||||||
wireguardDevices = [ ];
|
|
||||||
}
|
|
||||||
(lib.attrsets.attrValues admins);
|
|
||||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -54,9 +54,5 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = "Etc/UTC";
|
time.timeZone = "Etc/UTC";
|
||||||
|
|
||||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
|
||||||
home.stateVersion = "23.05";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,11 @@
|
||||||
{ flake, config, ... }:
|
{ flake, lib, ... }:
|
||||||
{
|
{
|
||||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
home-manager.users = (
|
||||||
|
lib.attrsets.foldlAttrs (
|
||||||
|
acc: name: value:
|
||||||
|
acc
|
||||||
|
// {
|
||||||
|
${name} = {
|
||||||
programs.git.enable = true;
|
programs.git.enable = true;
|
||||||
programs.starship.enable = true;
|
programs.starship.enable = true;
|
||||||
programs.bash.enable = true;
|
programs.bash.enable = true;
|
||||||
|
@ -17,3 +22,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
) { } flake.self.logins.admins
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
|
@ -11,18 +11,6 @@
|
||||||
inherit (lib) mkOption types;
|
inherit (lib) mkOption types;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
username = mkOption {
|
|
||||||
description = "Username for the adminstrative user";
|
|
||||||
type = types.str;
|
|
||||||
default = flake.self.username;
|
|
||||||
};
|
|
||||||
|
|
||||||
sshPubKeys = mkOption {
|
|
||||||
description = "SSH Keys that should have administrative root access";
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = flake.self.logins.admins.sshPubKeys;
|
|
||||||
};
|
|
||||||
|
|
||||||
root.initialHashedPassword = mkOption {
|
root.initialHashedPassword = mkOption {
|
||||||
description = "Hashed password of the root account";
|
description = "Hashed password of the root account";
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -43,22 +31,29 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
users.users.${config.pub-solar-os.authentication.username} = {
|
users.users =
|
||||||
name = config.pub-solar-os.authentication.username;
|
(lib.attrsets.foldlAttrs (
|
||||||
group = config.pub-solar-os.authentication.username;
|
acc: name: value:
|
||||||
|
acc
|
||||||
|
// {
|
||||||
|
${name} = {
|
||||||
|
name = name;
|
||||||
|
group = name;
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"wheel"
|
"wheel"
|
||||||
"docker"
|
"docker"
|
||||||
];
|
];
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
|
||||||
};
|
};
|
||||||
users.groups.${config.pub-solar-os.authentication.username} = { };
|
}
|
||||||
|
) { } flake.self.logins.admins)
|
||||||
|
// {
|
||||||
# TODO: Remove when we stop locking ourselves out.
|
# TODO: Remove when we stop locking ourselves out.
|
||||||
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
|
||||||
|
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||||
|
|
||||||
users.users.${config.pub-solar-os.authentication.robot.username} = {
|
${config.pub-solar-os.authentication.robot.username} = {
|
||||||
description = "CI and automation user";
|
description = "CI and automation user";
|
||||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
@ -68,11 +63,28 @@
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
|
|
||||||
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
|
home-manager.users = (
|
||||||
|
lib.attrsets.foldlAttrs (
|
||||||
|
acc: name: value:
|
||||||
|
acc
|
||||||
|
// {
|
||||||
|
${name} = {
|
||||||
|
home.stateVersion = "23.05";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
) { } flake.self.logins.admins
|
||||||
|
);
|
||||||
|
|
||||||
users.users.root.initialHashedPassword =
|
users.groups =
|
||||||
config.pub-solar-os.authentication.root.initialHashedPassword;
|
(lib.attrsets.foldlAttrs (
|
||||||
|
acc: name: value:
|
||||||
|
acc // { "${name}" = { }; }
|
||||||
|
) { } flake.self.logins.admins)
|
||||||
|
// {
|
||||||
|
${config.pub-solar-os.authentication.robot.username} = { };
|
||||||
|
};
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
};
|
};
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
|
|
||||||
# Please create this manually the first time.
|
# Please create this manually the first time.
|
||||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||||
};
|
};
|
||||||
postCommands = ''
|
postCommands = ''
|
||||||
# Automatically ask for the password on SSH login
|
# Automatically ask for the password on SSH login
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
|
|
||||||
# Please create this manually the first time.
|
# Please create this manually the first time.
|
||||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||||
};
|
};
|
||||||
# this will automatically load the zfs password prompt on login
|
# this will automatically load the zfs password prompt on login
|
||||||
# and kill the other prompt so boot can continue
|
# and kill the other prompt so boot can continue
|
||||||
|
|
|
@ -66,7 +66,7 @@ in
|
||||||
testScript =
|
testScript =
|
||||||
{ nodes, ... }:
|
{ nodes, ... }:
|
||||||
let
|
let
|
||||||
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
|
user = nodes.client.users.users.b12f;
|
||||||
#uid = toString user.uid;
|
#uid = toString user.uid;
|
||||||
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
|
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
|
||||||
gdbus = "${bus} gdbus";
|
gdbus = "${bus} gdbus";
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
services.xserver.displayManager.gdm.enable = true;
|
services.xserver.displayManager.gdm.enable = true;
|
||||||
services.xserver.desktopManager.gnome.enable = true;
|
services.xserver.desktopManager.gnome.enable = true;
|
||||||
services.xserver.displayManager.autoLogin.enable = true;
|
services.xserver.displayManager.autoLogin.enable = true;
|
||||||
services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
|
services.xserver.displayManager.autoLogin.user = "b12f";
|
||||||
|
|
||||||
systemd.user.services = {
|
systemd.user.services = {
|
||||||
"org.gnome.Shell@wayland" = {
|
"org.gnome.Shell@wayland" = {
|
||||||
|
|
Loading…
Reference in a new issue