From 0062a9ee53d9560aac2012809c8663446a1996c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Wed, 13 Apr 2022 11:29:06 +0100
Subject: [PATCH] move to declarative user management

---
 config/default.nix | 2 ++
 config/users/darkkirb.nix | 6 +++++-
 config/users/miifox.nix | 15 +++++++++------
 config/users/root.nix | 11 +++++++++++
 secrets/nixos-8gb-fsn1-1.yaml | 9 ++++++---
 secrets/nutty-noon.yaml | 7 +++++--
 secrets/thinkrac.yaml | 7 +++++--
 7 files changed, 43 insertions(+), 14 deletions(-)
 create mode 100644 config/users/root.nix

diff --git a/config/default.nix b/config/default.nix
index bb46f028..b52ca68f 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./zfs.nix
 ./users/darkkirb.nix
+ ./users/root.nix
 ./nix.nix
 ./sops.nix
 ./wireguard.nix
@@ -52,4 +53,5 @@
 enableSSHSupport = true;
 pinentryFlavor = "curses";
 };
+ users.mutableUsers = false;
 }
diff --git a/config/users/darkkirb.nix b/config/users/darkkirb.nix
index 9c74770d..312a17b4 100644
--- a/config/users/darkkirb.nix
+++ b/config/users/darkkirb.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
 users.users.darkkirb = {
 createHome = true;
 description = "Charlotte 🦝 Delenk";
@@ -12,7 +12,11 @@
 openssh.authorizedKeys.keys = [
 "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDXQlfvRUm/z6eP1EjsajIbMibkq9n+ymlbBi7NFiOuaAAAABHNzaDo= ssh:"
 ];
+ passwordFile = config.sops.secrets."password/darkkirb".path;
 };
 sops.secrets."email/lotte@chir.rs" = { owner = "darkkirb"; };
 sops.secrets."email/mdelenk@hs-mittweida.de" = { owner = "darkkirb"; };
+ sops.secrets."password/darkkirb" = {
+ neededForUsers = true;
+ };
 }
diff --git a/config/users/miifox.nix b/config/users/miifox.nix
index 7e02e1c6..066f25d8 100644
--- a/config/users/miifox.nix
+++ b/config/users/miifox.nix
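Review bot: `users.mutableUsers = false;` at the end of config/default.nix makes every account and password on these hosts a function of the declaration, so a user or password that was set imperatively on a running machine disappears at the next activation, and any declared user that sets neither `hashedPassword` nor `passwordFile` ends up with a locked password. The commit declares passwords only for root and darkkirb; miifox, as far as config/users/miifox.nix shows, gets none and becomes key-only. If that is intended, say so next to the option, e.g. `users.mutableUsers = false; # accounts are fully declarative; users without passwordFile are SSH-key only`. Because the `password/*` secrets are decrypted at activation rather than at build time, it is also worth confirming on each host that its age/PGP key can decrypt the new entries before switching, since a failure there only shows up while the new generation is being activated.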
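Review bot: `passwordFile = config.sops.secrets."password/darkkirb".path;` is written by NixOS into the shadow password field verbatim, so the secret has to contain a crypt(3) hash as produced by `mkpasswd`, never the clear-text password; a clear-text value does not fail evaluation, it simply makes password login impossible while leaving the password readable in /etc/shadow. Nothing in the hunk documents this and nothing enforces it, so a comment on the line would help, e.g. `passwordFile = config.sops.secrets."password/darkkirb".path; # mkpasswd hash, decrypted before user creation via neededForUsers`. The same construct appears in config/users/root.nix and deserves the same comment. `neededForUsers = true` is the right companion here: without it sops-nix would decrypt the secret only after the users have been created, and the path would not exist at the point it is read.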
@@ -6,6 +6,9 @@
 home = "/home/miifox";
 isNormalUser = true;
 uid = 1001;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 caroline the husky@Huskydev"
+ ];
 };
 home-manager.users.miifox = import ../home-manager/miifox.nix;
 systemd.slices."user-1001".sliceConfig = {
@@ -23,11 +26,11 @@
 sslCertificate = "/var/lib/acme/miifox.net/cert.pem";
 sslCertificateKey = "/var/lib/acme/miifox.net/key.pem";
 locations."/" =
- let
- miifox-website = pkgs.callPackage (import ../../packages/miifox.nix miifox-net) {};
- in
- {
- root = "${miifox-website}";
- };
+ let
+ miifox-website = pkgs.callPackage (import ../../packages/miifox.nix miifox-net) { };
+ in
+ {
+ root = "${miifox-website}";
+ };
 };
 }
diff --git a/config/users/root.nix b/config/users/root.nix
new file mode 100644
index 00000000..bdf0b2df
--- /dev/null
+++ b/config/users/root.nix
@@ -0,0 +1,11 @@
+{ config, ... }: {
+ users.users.root = {
+ openssh.authorizedKeys.keys = [
+ "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDXQlfvRUm/z6eP1EjsajIbMibkq9n+ymlbBi7NFiOuaAAAABHNzaDo= ssh:"
+ ];
+ passwordFile = config.sops.secrets."password/root".path;
+ };
+ sops.secrets."password/root" = {
+ neededForUsers = true;
+ };
+}
diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml
index a9b136e2..67241a11 100644
--- a/secrets/nixos-8gb-fsn1-1.yaml
+++ b/secrets/nixos-8gb-fsn1-1.yaml
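Review bot: miifox gains an authorized key in this hunk but no `passwordFile`/`hashedPassword`, and with `users.mutableUsers = false;` set in config/default.nix by the same commit that leaves the account with a locked password, unless such an option sits in the part of the user block above line 6 that is outside the hunk. If key-only access is the intent, a comment on `openssh.authorizedKeys.keys = [` saying so would stop the next reader from adding a password back; if not, the account needs a `password/miifox` secret like the other two. The key is an `ssh-rsa` key whose material is not visible here, so its size cannot be checked; if it is a short RSA key, an ed25519 key would be the better replacement. The second hunk in this file is a whitespace-only reformat and needs no review.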
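Review bot: config/users/root.nix gives root both a password and direct SSH login with the same sk-ssh-ed25519 key that config/users/darkkirb.nix authorizes for darkkirb, so one hardware key now opens a root shell on every host directly. If that is deliberate, the declared root password should still never be usable over SSH; unless sshd is configured elsewhere in the repo with `PermitRootLogin prohibit-password` (not visible in this commit), that is worth checking, and a note on the file would help either way, e.g. `# root is key-only over SSH; the password is for console/recovery use`. Routing day-to-day work through darkkirb plus sudo and keeping the root key entry for recovery would also narrow what the shared key can do.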
@@ -58,6 +58,9 @@ services:
 email:
 lotte@chir.rs: ENC[AES256_GCM,data:bkzYVXizG/inJ/MS57G2pEiUkA==,iv:jviAx1B83wPhc128msfSs7oYwRQH+j7PU0aAmNbwi88=,tag:ylYl5k9R5BdLGAXOXVeLZg==,type:str]
 mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:zFJjQcrBy9FdCLG8wyjPR84XnMpIS+hRnVro8oMyTqXbBLgbsqZxpD1f8DsYAfpQS1tFpfgHYfYBWw8EQWqXaQ==,iv:F5SDxQzgSuQIRfR6uZanfUPb66RuHsFEQqjpGmUVIsI=,tag:hS/HXYU/6StR7w7MCOlu4g==,type:str]
+password:
+ root: ENC[AES256_GCM,data:AeImJlndPa/2QYVQeDkbgE8rpTg=,iv:Tuleh/WCwojDOwn1rWa0UlRDV1g8zx8bw03wGUw6QgI=,tag:iINfH4JnnryYAouEo7b6Ng==,type:str]
+ darkkirb: ENC[AES256_GCM,data:BeXNJl14lAeakJ8r0c/U5zZSBhs=,iv:svxv6ePnUBDIeA3Xe4YKZrWNOqBQjuNzqDDmEh+o5cM=,tag:e5bCoZrjG7hHF9lbgm0kFQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -73,8 +76,8 @@ sops:
 N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
 dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-03-12T12:41:15Z"
- mac: ENC[AES256_GCM,data:NTpFb44rdj9vnKlGCECLpm4T8WX2fIKkpGCjdHlBaYbD2Mt5h6Mb4NKY3vmp/lYo8gb7m49V4RkC93ixL3/aBMKqcIPTJ8VAwr/76l7v5nDQwQgMtApk521b93dGzggYX0AYhqfcS4bTLcKa1G77Bgd+ITmZJO6W3aOUsh7fJZ4=,iv:Sa+xN8AvxZ0ned62pOVCD1cEuETtz1wtmC9KIw/ip4g=,tag:lxLEEWNCEYLqzQW8XqjGcw==,type:str]
+ lastmodified: "2022-04-13T10:22:01Z"
+ mac: ENC[AES256_GCM,data:H5vJtGy+rlElkQkhaKXxSfVjjICvmPxcLh+hsX1zb5mf+tPAOWUScePHuYMolfN6xcmlFdmpW3nq2B1m5ClPFfTWeYO7lcPP6Eotf1/NrGjRibEixabpQ7iswHBI8M4Zxv/vm45xdUJpOkJSTT3X/RRnDnyP3QflvNfn/u0AgXU=,iv:W33m2Uu8y5UH0cwDLd6B3NzKB66tlYLdQFjGPqyiwZ0=,tag:fSlhxS5/+KV3qJzmvCPIpA==,type:str]
 pgp:
 - created_at: "2022-02-02T17:50:42Z"
 enc: |
@@ -88,4 +91,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 46C6A7E14BC7812E86C2700737FE303AAC2D06CD
 unencrypted_suffix: _unencrypted
- version: 3.7.1
+ version: 3.7.2
diff --git a/secrets/nutty-noon.yaml b/secrets/nutty-noon.yaml
index a7d98356..5b9982bf 100644
--- a/secrets/nutty-noon.yaml
+++ b/secrets/nutty-noon.yaml
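Review bot: the new `password.root` and `password.darkkirb` values here, and likewise in secrets/nutty-noon.yaml and secrets/thinkrac.yaml, have `data:` fields of 28 base64 characters, i.e. about 20 bytes of plaintext each (AES-GCM does not pad), whereas a crypt(3) hash from `mkpasswd` is on the order of 70 to 110 characters. That size strongly suggests clear-text passwords were encrypted rather than hashes; `users.users.<name>.passwordFile` expects the hash, so if that is the case password login for root and darkkirb will fail on every host and the clear-text will be written into /etc/shadow. If so, re-encrypt the `mkpasswd` output for each entry. The `lastmodified`/`mac` refresh and the `version: 3.7.2` bump in the following hunks are routine sops bookkeeping.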
@@ -17,6 +17,9 @@ security:
 email:
 lotte@chir.rs: ENC[AES256_GCM,data:02v6qsTC30thvqQ4yDpYhfyNVg==,iv:rdz3HHlAyyt1TR7iUXpokIlBC8VEdS0GLoCkItBc3HY=,tag:/aNoPNoMeVGCWRT3j+F+ew==,type:str]
 mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:rXwwhdX2STqJjO2UMqW9YeXc8JtJ2DXLptZvVN9552ldRgZU7OoNiPxbYg/Kr7ZOkl/8HIg0yFa1uQIbvQxuoQ==,iv:ThZzE7m05FS1NPH/mvWF/vflxC4pmZCMX12iOUzKQfQ=,tag:qK0+ZA8486YgaW/I7BrfPQ==,type:str]
+password:
+ root: ENC[AES256_GCM,data:ExRLZx3OigbCioFskLAqs2VQE5U=,iv:ZFryI9HtgG0vm8wOdGX/B3Tp/oed1Xe7rbVaf21Yzyo=,tag:n34Dt+a1Cp/Ncv5R67eNOQ==,type:str]
+ darkkirb: ENC[AES256_GCM,data:HyDaR0WoG4OB4oYcCqN1HjPktF0=,iv:oO/+iRyJg+PPwRpnF1W03dZ1vBCBJDL5Pgga8kdQzsw=,tag:8i73gNJcV9GleE5aiKYIFA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -32,8 +35,8 @@ sops:
 U0JxSTR3WEFvZjVoMjJsV3NYNVFpYTAKxCpvEDbEjh3sNR+2X7AsReYPxi9n3bpP
 g+IVnv+EX9CkqBNbpAHiwqzekVXNqM7SxMmgSasZ4IGRK1Wcf5NU0w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-04-12T09:32:14Z"
- mac: ENC[AES256_GCM,data:02+JEAKVHfmWS70uUAelgudH0/0v7w1fEpHjqYPOpj9wsDIHGrVY3P/2/d+ajxuD0iMWse6/9OUPRAKApBg9dfSSIGw6aum1HpqNr2HRURUTfYGpF5hiii+6Xnkah6c3Ye5XwVbCx9UWnN4/LUG2AVbq5qwTmN92r7s/dSGE1Qc=,iv:tv8kPbGKTwBufGCe95GWM0H3oDXCp+OU3d8ZsqAiprQ=,tag:ntClxY2aKzTXa1ebGWJbJg==,type:str]
+ lastmodified: "2022-04-13T10:22:59Z"
+ mac: ENC[AES256_GCM,data:62jku4oJwoiHxZozF0imCGeyGQvfWmcmyv/ZbQPB+bjFlOeM9g26wYj9aKGZYileGyja4TMJNV/0UKKLiiOgsf/dqDgwYcJPjtacGa25057PGbpV3dkGzOQOnwiFhRdCCov0cYp3SWZNSeQRG7OB1b7aRur8tgvU+ykh3vVsurA=,iv:ikF6iHkDl3IYDo8fj/LBrv2+4Aj4Oej0QjspV1bB/As=,tag:ghXjkBADsyNrXvKZGq1hgg==,type:str]
 pgp:
 - created_at: "2022-04-02T06:17:40Z"
 enc: |
diff --git a/secrets/thinkrac.yaml b/secrets/thinkrac.yaml
index ac72d604..f12a2a35 100644
--- a/secrets/thinkrac.yaml
+++ b/secrets/thinkrac.yaml
@@ -7,6 +7,9 @@ security:
 email:
 lotte@chir.rs: ENC[AES256_GCM,data:MywN+Etfri4TQQ8M01+RS4sLCA==,iv:s4hW8oGPs7PwdtiBlkuRmAJPjHjBonHWdNTrtA+aJLQ=,tag:3Xp2kHMgtRDmItpa+fJ0Fw==,type:str]
 mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:iLQwJoW4sRF35M3dEIxKrqsAsJND0wVlfue9uGfZgr+filTkmfNsnzamg7eBfacURuJrHmGDXCMcjuH15GwONA==,iv:5zAeYL2YS4J38TXl0t1mLDxjAPdf4IpGogEuzYd+xJM=,tag:FMKvuq69uZrv1nUI/2erYg==,type:str]
+password:
+ root: ENC[AES256_GCM,data:UvSHXEqTT8giRh+wISFG+KWqrdU=,iv:Dskk6qk3BU6lSmFC1Xj9xlj7ntkNOc1n71sRyK3oRG0=,tag:3twupt185QnAOSXwVr2vhQ==,type:str]
+ darkkirb: ENC[AES256_GCM,data:CgTyVjgvXJCDDfAUsQznnLABUlA=,iv:eKgIlaC1V92nrV8/0dBQVfcvSz165AGhb222weLsfLU=,tag:mWlV8FohRDIaFgX9mmdXKg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -22,8 +25,8 @@ sops:
 aHAxNitXREU0ZkZNUmorSFY2c3JPU0UK2rnyV/tDnn8nWYodDe7sgVdjfg14slBO
 DV5oMPB91c5IZ0S1/Sv1oAUcri/dKHKDljxP7HU5yG5kxVeEzqx4Jw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-04-13T06:20:10Z"
- mac: ENC[AES256_GCM,data:dBGn5AHOhr2E+cJIArFIl8qSmtXDzU/2g+05twszjVhvtc0Z+182LYshgm9jPbBY94n2b8V3W+T3OsBfpQo+SkIedqbe5xfG/eqN5ltHHb1Ypa5HeTdpdkYbtL39RicGOuQPsBuyZOga1+q+yYrburPIbuKFmq/mMxPI/qv/Lfw=,iv:mKXN0k3YgiayBe8GFwkrzF4gWPdOKHO7bFhVBsHDggc=,tag:HDb7P4e5eIvqzWbdrrhbgQ==,type:str]
+ lastmodified: "2022-04-13T10:22:30Z"
+ mac: ENC[AES256_GCM,data:63NspqeTxHEc746AArMHVoV48tj3hv5csv5OjaYE5DjChaZi2+VEMvzYZiASTUxRL1Gd9KBT4grPST8du9PcBYWg7r9tOs0tXVNcMxycGDGIePutIQpnG+AIq4FXnF4Muiwb88eCu+IpMDhBRvNXlW1/NiufCz5EXRCfbi/DYqc=,iv:FpCV4emMV1EyDyExTXdj4fc+X0ez0bh3A+GyZs9fQjk=,tag:94vn+jw4j2vZtLpc7HaD3w==,type:str]
 pgp:
 - created_at: "2022-04-13T06:20:10Z"
 enc: |