From a055f4fa409f921f3882d1da575519d6c970e59c Mon Sep 17 00:00:00 2001
From: dadada
Date: Thu, 4 Aug 2022 20:52:43 +0200
Subject: [PATCH] move admin config to top-level
---
 admins.nix | 8 ++++
 keys/dadada.pub | 1 -
 nixos/configurations.nix | 28 +++++++++-----
 nixos/modules/admin.nix | 61 +++++++++++++++++++++++--------
 nixos/modules/profiles/server.nix | 10 +---
 nixos/pruflas/configuration.nix | 8 +---
 nixos/surgat/configuration.nix | 7 ----
 outputs.nix | 3 +-
 8 files changed, 77 insertions(+), 49 deletions(-)
 create mode 100644 admins.nix
 delete mode 100644 keys/dadada.pub
diff --git a/admins.nix b/admins.nix
new file mode 100644
index 0000000..e83a69a
--- /dev/null
+++ b/admins.nix
@@ -0,0 +1,8 @@
+{
+ dadada = {
+ shell = "zsh";
+ keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis"
+ ];
+ };
+}
diff --git a/keys/dadada.pub b/keys/dadada.pub
deleted file mode 100644
index 6dfc30f..0000000
--- a/keys/dadada.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyTgdVPPxQeL5KZo9frZQlDIv2QkelJw3gNGoGtUMfw tim@metis
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index 8310fd9..cf5d829 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -1,4 +1,5 @@
 { self
+, admins
 , nixpkgs
 , nixosSystem
 , home-manager
@@ -8,15 +9,20 @@
 , scripts
 , recipemd
 }:
-let adapterModule = system: {
- nixpkgs.config.allowUnfreePredicate = (pkg: true);
- nixpkgs.overlays = (nixpkgs.lib.attrValues self.overlays) ++ [
- (final: prev: { homePage = homePage.defaultPackage.${system}; })
- (final: prev: { s = scripts; })
- (final: prev: { n = nvd; })
- (final: prev: { recipemd = recipemd.defaultPackage.${system}; })
- ];
-};
+let
+ adapterModule = system: {
+ nixpkgs.config.allowUnfreePredicate = (pkg: true);
+ nixpkgs.overlays = (nixpkgs.lib.attrValues self.overlays) ++ [
+ (final: prev: { homePage = homePage.defaultPackage.${system}; })
+ (final: prev: { s = scripts; })
+ (final: prev: { n = nvd; })
+ (final: prev: { recipemd = recipemd.defaultPackage.${system}; })
+ ];
+ };
+ lib = nixpkgs.lib;
+ adminConfig = users: {
+ dadada.admin.users = lib.getAttrs users admins;
+ };
 in
 {
 gorgon = nixosSystem rec {
@@ -40,6 +46,7 @@ in
 ifrit = nixosSystem rec {
 system = "x86_64-linux";
 modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [
+ (adminConfig [ "dadada" ])
 (adapterModule system)
 ./modules/profiles/server.nix
 ./ifrit/configuration.nix
@@ -49,6 +56,7 @@ in
 surgat = nixosSystem rec {
 system = "x86_64-linux";
 modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [
+ (adminConfig [ "dadada" ])
 (adapterModule system)
 ./modules/profiles/server.nix
 ./surgat/configuration.nix
@@ -57,6 +65,7 @@ in
 pruflas = nixosSystem rec {
 system = "x86_64-linux";
 modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [
+ (adminConfig [ "dadada" ])
 (adapterModule system)
 ./modules/profiles/laptop.nix
 ./pruflas/configuration.nix
@@ -66,6 +75,7 @@ in
 agares = nixosSystem rec {
 system = "x86_64-linux";
 modules = (nixpkgs.lib.attrValues self.nixosModules) ++ [
+ (adminConfig [ "dadada" ])
 (adapterModule system)
 ./modules/profiles/server.nix
 ./agares/configuration.nix
diff --git a/nixos/modules/admin.nix b/nixos/modules/admin.nix
index 2c0bca6..56174b8 100644
--- a/nixos/modules/admin.nix
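Review bot: The re-indented `adapterModule` still spells out `nixpkgs.lib.attrValues self.overlays` a few lines above the new `lib = nixpkgs.lib;` binding, so the hunk introduces a shorthand and then does not use it; `nixpkgs.overlays = (lib.attrValues self.overlays) ++ [` keeps the two consistent (the `nixpkgs.lib.attrValues self.nixosModules` lines in the later hunks of this file are context and can follow separately). `adminConfig` only populates `dadada.admin.users`; whether the module is actually enabled on a host depends on the profile it imports, and `gorgon`, whose module list lies outside this hunk, is the only `nixosSystem` here that is not given `(adminConfig [ "dadada" ])` — presumably intentional, but worth confirming. `lib.getAttrs` fails evaluation on a name that is missing from `admins.nix`, which is the right fail-closed behaviour for a list that grants root access.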
+++ b/nixos/modules/admin.nix @@ -3,6 +3,38 @@ with lib; let cfg = config.dadada.admin; + extraGroups = [ "wheel" "libvirtd" ]; + + shells = { + "bash" = pkgs.bashInteractive; + "zsh" = pkgs.zsh; + "fish" = pkgs.fish; + }; + + shellNames = builtins.attrNames shells; + + adminOpts = { name, config, ... }: { + options = { + keys = mkOption { + type = types.listOf types.str; + default = [ ]; + apply = x: assert (builtins.length x > 0 || abort "Please specify at least one key to be able to log in"); x; + description = '' + The keys that should be able to access the account. + ''; + }; + shell = mkOption { + type = types.nullOr types.str; + apply = x: assert (builtins.elem x shellNames || abort "Please specify one of ${builtins.toString shellNames}"); x; + default = "zsh"; + defaultText = literalExpression "zsh"; + example = literalExpression "bash"; + description = '' + One of ${builtins.toString shellNames} + ''; + }; + }; + }; in { options = { @@ -10,12 +42,12 @@ in enable = mkEnableOption "Enable admin access"; users = mkOption { - type = with types; attrsOf (listOf path); - default = [ ]; + type = with types; attrsOf (submodule adminOpts); + default = { }; description = '' - List of admin users with root access to all the machine. + Admin users with root access machine. ''; - example = literalExample "\"user1\" = [ /path/to/key1 /path/to/key2 ]"; + example = literalExample "\"user1\" = { shell = pkgs.bashInteractive; keys = [ 'ssh-rsa 123456789' ]; }"; }; rat = mkOption { 
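Review bot: The `shell` option in `adminOpts` is typed `types.nullOr types.str`, but its `apply` aborts on any value outside `shellNames`, so `null` can never be accepted and the declared type misstates the contract; `type = types.enum shellNames;` encodes the constraint in the type, removes the `apply`/`abort` line, and yields an error that names the option path on a bad value. The same holds for `keys`: `type = types.nonEmptyListOf types.str;` replaces the `builtins.length` assertion, and `default = [ ]` should go with it, since an admin entry without keys is exactly what must fail at evaluation. `defaultText = literalExpression "zsh"` renders the default without quotes in generated docs; with a plain string default the `defaultText` line can be dropped altogether.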
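Review bot: The updated `example` for `users` no longer matches the option it documents: `shell = pkgs.bashInteractive` is a package while the submodule expects one of the names in `shellNames`, and `'ssh-rsa 123456789'` is not a Nix string literal, so the example would not evaluate as written. Something like `example = literalExpression ''{ user1 = { shell = "bash"; keys = [ "ssh-ed25519 <PUBKEY> user@host" ]; }; }'';` documents the new shape (`literalExample` is the deprecated spelling of `literalExpression`, which the first hunk of this file already uses). The new description `Admin users with root access machine.` has lost a word; `Admin users with root access to this machine.` reads correctly.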
@@ -29,28 +61,27 @@ in }; config = mkIf cfg.enable { + programs.zsh.enable = mkDefault true; + services.sshd.enable = true; services.openssh.passwordAuthentication = false; security.sudo.wheelNeedsPassword = false; + services.openssh.openFirewall = true; users.users = mapAttrs - (user: keys: ( - { - extraGroups = [ - "wheel" - "libvirtd" - ]; - isNormalUser = true; - openssh.authorizedKeys.keyFiles = keys; - })) + (user: keys: ( + { + shell = shells."${keys.shell}"; + extraGroups = extraGroups; + isNormalUser = true; + openssh.authorizedKeys.keys = keys.keys; + })) cfg.users; nix.trustedUsers = builtins.attrNames cfg.users; users.mutableUsers = mkDefault false; - networking.firewall.allowedTCPPorts = [ 22 ]; - environment.systemPackages = with pkgs; [ vim tmux diff --git a/nixos/modules/profiles/server.nix b/nixos/modules/profiles/server.nix index fe1bc31..b2e48dd 100644 --- a/nixos/modules/profiles/server.nix +++ b/nixos/modules/profiles/server.nix @@ -1,17 +1,11 @@ { config, pkgs, lib, ... }: with lib; -let - keys = [ ../../../keys/dadada.pub ]; -in { +{ networking.domain = mkDefault "dadada.li"; networking.tempAddresses = "disabled"; - dadada.admin.users = { - "dadada" = keys; - }; - + dadada.admin.enable = true; dadada.networking.localResolver.enable = true; - dadada.autoUpgrade.enable = mkDefault true; environment.noXlibs = mkDefault true; diff --git a/nixos/pruflas/configuration.nix b/nixos/pruflas/configuration.nix index 6aca8a7..d1c3c45 100644 --- a/nixos/pruflas/configuration.nix +++ b/nixos/pruflas/configuration.nix @@ -1,8 +1,6 @@ { config, pkgs, lib, ... }: with lib; -let - keys = [ ../../keys/dadada.pub ]; -in { +{ imports = [ ./hardware-configuration.nix ]; networking.hostName = "pruflas"; @@ -103,10 +101,6 @@ in { networking.domain = "dadada.li"; - dadada.admin.users = { - "dadada" = keys; - }; - users.mutableUsers = true; dadada.networking.localResolver.enable = true; 
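Review bot: With `dadada.admin.enable = true` and the new default `users = { }`, the `mapAttrs` over `cfg.users` creates no accounts while `users.mutableUsers = mkDefault false` and key-only sshd stay in force, so a host that imports a profile enabling this module without also receiving `adminConfig` builds with no way to log in remotely; an `assertions` entry such as `{ assertion = cfg.users != { }; message = "dadada.admin: at least one admin user must be configured"; }` would catch that at evaluation time. The new `programs.zsh.enable = mkDefault true;` covers only one of the three entries in `shells`; an admin choosing `fish` gets it as login shell without `programs.fish.enable`, so `programs.fish.enable = mkDefault (any (u: u.shell == "fish") (attrValues cfg.users));` belongs alongside it. In the rewritten `mapAttrs` lambda the second argument is still named `keys` although it is now the whole per-admin submodule (`keys.shell`, `keys.keys`); naming it `admin` and writing `inherit extraGroups;` would read more naturally. `services.openssh.openFirewall = true;` is the right replacement for the fixed port 22, but being unconditional rather than `mkDefault` it cannot be turned off without `mkForce` on a host that only exposes ssh on a VPN interface.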
diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index c1ed89e..d734ae8 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix @@ -35,13 +35,6 @@ in }; }; - dadada.admin = { - enable = true; - users = { - "dadada" = [ ../../keys/dadada.pub ]; - }; - }; - dadada.element.enable = true; dadada.gitea.enable = true; dadada.networking.vpnExtension = "4"; diff --git a/outputs.nix b/outputs.nix index e86d782..5a4c13e 100644 --- a/outputs.nix +++ b/outputs.nix @@ -58,12 +58,11 @@ hmModules = import ./home/modules inputs; nixosConfigurations = import ./nixos/configurations.nix { nixosSystem = nixpkgs.lib.nixosSystem; + admins = import ./admins.nix; inherit self nixpkgs home-manager nixos-hardware nvd scripts homePage recipemd; }; nixosModules = import ./nixos/modules inputs; overlays = import ./overlays; - keys = ./keys; - hydraJobs = ( nixpkgs.lib.mapAttrs' (name: config: nixpkgs.lib.nameValuePair name config.config.system.build.toplevel)
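Review bot: Removing the `keys = ./keys;` flake output drops a public attribute; any consumer outside this repository that referenced `self.keys` (none is visible here) would now fail to evaluate, and the replacement data is only threaded into `nixosConfigurations` rather than exposed. Binding `admins = import ./admins.nix;` at the same level as `overlays` and passing `inherit admins;` into `configurations.nix` would keep the public keys reusable by other flakes and avoid importing the file a second time when another consumer is added.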