infra/modules/core/users.nix
Benjamin Yule Bädorf 93a116f044
refactor: Move all apps into modules
2024-04-28 17:38:55 +02:00


{
flake,
pkgs,
lib,
config,
...
}: {
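options.pub-solar-os.auth = with lib; {
  # Name of the administrative login account. The config section of this
  # module creates a normal user and a group with this name.
  username = mkOption {
    # Fixed: the previous description was copied from a domain option and
    # described a domain, not a user name.
    description = "Username of the administrative user account";
    type = types.str;
    default = flake.self.username;
  };

  # Keys listed here are installed for both the administrative user and
  # root by the config section of this module.
  sshPubKeys = mkOption {
    description = "SSH Keys that should have administrative root access";
    type = types.listOf types.str;
    default = flake.self.logins.admins.sshPubKeys;
  };

  # NOTE(review): the default below is a hash committed to the repository,
  # so every host that keeps the default shares the same root password and
  # anyone who can read the repository can attempt offline guessing against
  # it. NixOS applies initialHashedPassword only when the account is first
  # created; override this per host or change the root password after
  # provisioning.
  root.initialHashedPassword = mkOption {
    description = "Hashed password of the root account";
    type = types.str;
    default = "$y$j9T$bIN6GjQkmPMllOcQsq52K0$q0Z5B5.KW/uxXK9fItB8H6HO79RYAcI/ZZdB0Djke32";
  };

  # Account used for CI and automation (see the matching user definition
  # in the config section).
  robot.username = mkOption {
    description = "username for the robot user";
    type = types.str;
    default = "hakkonaut";
  };

  robot.sshPubKeys = mkOption {
    description = "SSH Keys to use for the robot user";
    type = types.listOf types.str;
    default = flake.self.logins.robots.sshPubKeys;
  };
};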
config = let
  # Short aliases for the option values declared under pub-solar-os.auth.
  auth = config.pub-solar-os.auth;
  adminName = auth.username;
  robotName = auth.robot.username;
in {
  # Administrative user: a normal account with its own primary group.
  users.groups.${adminName} = { };
  users.users.${adminName} = {
    isNormalUser = true;
    name = adminName;
    group = adminName;
    # NOTE(review): "wheel" combined with wheelNeedsPassword = false below
    # gives this account root via sudo without a password, and membership
    # in "docker" generally allows root-equivalent access through the
    # Docker daemon. Every key in auth.sshPubKeys is therefore effectively
    # a root credential.
    extraGroups = [ "wheel" "docker" ];
    openssh.authorizedKeys.keys = auth.sshPubKeys;
  };

  users.users.root = {
    # TODO: Remove when we stop locking ourselves out.
    # The administrative keys are also accepted for direct root logins.
    openssh.authorizedKeys.keys = auth.sshPubKeys;
    # Applied by NixOS only when the root account is first created.
    initialHashedPassword = auth.root.initialHashedPassword;
  };

  # Robot user: a system account with a fixed uid, a home directory and
  # the default shell, reachable over SSH with its own key list.
  users.groups.${robotName} = { };
  users.users.${robotName} = {
    description = "CI and automation user";
    isSystemUser = true;
    uid = 998;
    group = robotName;
    home = "/home/${robotName}";
    createHome = true;
    useDefaultShell = true;
    openssh.authorizedKeys.keys = auth.robot.sshPubKeys;
  };

  # Members of "wheel" may use sudo without entering a password.
  security.sudo.wheelNeedsPassword = false;
};
}